Allow including both podSelector and namespaceSelector in a NetworkPolicyPeer #60452
Conversation
k8s-ci-robot
added
release-note
k8s-github-robot
added
the
kind/api-change
|
/sig network Is there anything else I missed in kubernetes itself? We'll also need a docs PR and a kubectl PR... |
k8s-ci-robot
added
the
sig/network
|
Having actually written the docs now, I'm maybe more convinceable that we should go with |
I'd prefer to not introduce a new field such as As a user of the API, I think the AND of As an implementor, it's almost no work on my side to simply support the AND combination of pod / namespace, whereas there's more for me to do to support a new selector field. |
|
My concern is that the AND isn't generic (unless we make it so) and is
therefore vastly more confusing.
…On Mon, Feb 26, 2018 at 12:49 PM, Casey Davenport ***@***.***> wrote:
Having actually written the docs now, I'm maybe more convinceable that we
should go with podAndNamespaceSelector instead; it would work more cleanly
with the idea of separately documenting each field in NetworkPolicyPeer
like we do...
I'd prefer to not introduce a new field such as podAndNamespaceSelector
As a user of the API, I think the AND of podSelector and namespaceSelector
is exactly how I'd expect those two to behave when both specified. In fact,
even a generic AND would make sense to me, though I don't see what use-case
I'd have for it.
As an implementor, it's almost no work on my side to simply support the
AND combination of pod / namespace, whereas there's more for me to do to
support a new selector field.
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#60452 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVEj32SsBZRwpRJyBQ8BaFRYNAyA3ks5tYxg-gaJpZM4ST1yk>
.
|
That may be, though with a well written out validation error I'd guess it would be fairly clear. I understand it might be extra work for other implementors to do the generic AND, but from a Calico perspective it's trivial. So personally I'd rather have us implement the generic AND than add an extra type for people to reason with. |
"may not specify both ipBlock and another peer" |
|
I am OK either way. Let's just get it in.
…On Mon, Feb 26, 2018 at 2:45 PM, Dan Winship ***@***.***> wrote:
That may be, though with a well written out validation error I'd guess it
would be fairly clear.
"may not specify both ipBlock and another peer"
—
You are receiving this because your review was requested.
Reply to this email directly, view it on GitHub
<#60452 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVFLqNCaXnDmJeI2KVMIdd8Mn5Vfeks5tYzP_gaJpZM4ST1yk>
.
|
|
I like this, is this anything I can help? Maybe the kubectl pr? @danwinship |
|
@Lion-Wei: sure. "kubectl describe" needs to be extended to be able to describe policies where a NetworkPolicyPeer has both podSelector and namespaceSelector set (describing it according to the semantics seen in the API docs here). |
|
/retest |
hack/make-rules/update.sh
Outdated
| @@ -47,7 +47,7 @@ if ! ${ALL} ; then | |||
| echo "Running in short-circuit mode; run with FORCE_ALL=true to force all scripts to run." | |||
| fi | |||
|
|
|||
| "${KUBE_ROOT}/hack/godep-restore.sh" ${V} | |||
| #"${KUBE_ROOT}/hack/godep-restore.sh" ${V} | |||
danwinship
force-pushed
the
networkpolicy-pod-plus-ns
branch
from
136f147
to
8bc6eda
Compare
|
@danwinship I will push that pr as soon as this got merged. : ) |
|
@caseydavenport repushed with the stray update.sh change removed if you want to /lgtm it |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
k8s-ci-robot
added
the
approved
|
This change is |
|
/retest Review the full test history for this PR. Silence the bot with an |
1 similar comment
|
/retest Review the full test history for this PR. Silence the bot with an |
k8s-ci-robot
removed
the
lgtm
danwinship
force-pushed
the
networkpolicy-pod-plus-ns
branch
from
5e25d12
to
8bc6eda
Compare
|
What's holding this thing of outstanding natural beauty back? Just re-applying /lgtm? |
|
It's waiting for 1.10 to go out and master to reopen for 1.11. I'm not sure where the /lgtm went. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: caseydavenport, danwinship, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest Review the full test history for this PR. Silence the bot with an |
3 similar comments
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
Is this technically a breaking change in the behavior? (or was it impossible to specify both namespaceSelector and podSelector on the same peer spec?) |
|
@caseydavenport does this require a change in calico to work? |
|
@ahmetb It was previously impossible to specify both; validation would reject the resource in that case |
|
@oivindoh yeah, we'll need to make a minor change to Calico in order to make this work. Should be really straightforward. Calico supports this already within its policy model, but the code which converts kubernetes policies doesn't yet expect this. |
Updates NetworkPolicy API docs and validation to allow podSelector and namespaceSelector to be specified together in a NetworkPolicyPeer
Fixes #58637
Release note: