Network policy docs clarifications

[npinaeva]

1. Add "Pod lifecycle" section to the network policy docs.
2. Clarify network policy behaviour for hostNetwork pods
3. Clarify network policy behaviour for L2/L3 protocols

New sections should clarify some confusing aspect for the users, and become the base to build better-defined API for AdminNetworkPolicy.

The current version is intended for content reviews, and may not completely follow style guidelines, which will be fixed once we agree on the content.

[k8s-ci-robot]

Welcome @npinaeva!

It looks like this is your first PR to kubernetes/website 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/website has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[npinaeva]

/cc @danwinship @astoycos

[bradtopol]

/retest

[bradtopol]

/recheck

[bradtopol]

@npinaeva This looks like it needs to build again.

git commit --allow-empty -m "empty commit to rerun tests"

[sftim]

Thanks. Here's some thoughts.

[sftim]

I'll trigger a build in Netlify (we haven't got that hooked up to /retest in Prow - sorry about that)

Please rebase this against main - there's been a breaking change to the CVE feed format.

[npinaeva]

@sftim thanks for your feedback! I made some changes and left some questions, ptal :)

[WillsonHG]

/easycla

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: npinaeva / name: Nadia Pinaeva (ae26b7e, cf80f24, 3082727, 9fd88db)

[Arhell]

/easycla

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	9fd88db
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/652ea3a9734fb5000701d829
😎 Deploy Preview	https://deploy-preview-39875--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[sftim]

Some more thoughts

[npinaeva]

hey @kbhawkey , thanks for asking! Yes I am still working on it, just waiting for some feedback :)

[huntergregory]

pods...will be isolated before they are started

I believe this bullet point is incorrect. This requirement does not even seem possible for a NetworkPolicy implementation which is disjoint from the CNI (e.g. Azure NPM).

Assuming that isolation here means blocking traffic. Please correct me if I'm misinterpreting.

[danwinship]

Your interpretation, and the bullet point, are correct. A correct implementation of NetworkPolicy must ensure that pods are not able to bypass pre-existing NetworkPolicies at any point in their lifecycle.

If pods aren't fully subject to NetworkPolicy at startup time, then an attacker can exploit that race condition by continuously creating new pods and trying to make connections that should have been blocked, until they eventually succeed, and then they can do whatever bad thing the NetworkPolicy was supposed to have been preventing them from doing, rendering the NetworkPolicy useless.

This requirement does not even seem possible for a NetworkPolicy implementation which is disjoint from the CNI (e.g. Azure NPM).

Note that it's allowed for pods to come up more restricted than they're supposed to be, just not less restricted. So if the NP impl can create a fallback "block everything else" rule that would apply to newly-created pods, then it could do that, and then the pod would come up fully isolated until the NP impl has a chance to fix it up.

If the CNI plugin works in such a way that the NP implementation can't create rules that would apply to a new pod before that pod exists (eg, the CNI plugin is creating a new interface), then there is probably no way to correctly implement NetworkPolicy independently of the CNI plugin. (Though there are small-ish modifications that could be made to the plugin to make this possible. Eg, you could add a flag to the CNI plugin saying "make newly-created pods start out completely isolated", and then it would depend on the existence of some external NP impl to fix the pods up after that.)

[sftim]

make newly-created pods start out completely isolated

(aside)
That sounds like a very reasonable workaround, especially given the (alpha) PodReadyToStartContainers condition - the new Pod might be fully isolated, then add packet filtering rules, then remove the full isolation, and finally assert PodReadyToStartContainers. But: it does need the network plugin to play at least some role.

Maybe there's an interface or API that we can define so that a network plugin waits between setting up IP networking for a Pod and asserting that condition. That would help standalone NetworkPolicy implementations to provide the guarantees we expect.

[sftim]

Thanks. Please be sure to address https://github.com/kubernetes/website/pull/39875/files#r1168499297

[sftim]

If you're willing to update it, the section about SCTPSupport is stale.

[npinaeva]

can you please elaborate?

[sftim]

It's now generally available, no need to enable it and no option to disable it.

[danwinship]

The whole "SCTP support" section can probably just go away; once you get rid of the stuff about the feature gate, all that's left is a warning that SCTP NetworkPolicies only work if your network plugin supports SCTP, which is kind of a no-brainer.

[npinaeva]

so do you want me to add another commit to remove SCTP support section? This PR doesn't touch SCTP yet, so maybe it would be a better option to have it as another PR (knowing for how ling we've been discussing this one)?

[npinaeva]

I added one more commit for SCTP, I left the note about plugin SCTP support, since it looks fine to me in the new "Network traffic filtering" section that talks about protocols. ptal

[sftim]

Suggested change

	Once the NetworkPolicy is handled by a network plugin,
	For a cluster with a conformant networking plugin and a conformant implementation of
	NetworkPolicy:

[npinaeva]

It is not exactly equivalent, but I added this message as a not at the beginning of the Pod lifecycle section

[danwinship]

(IMO we don't need this note; the entire page only applies to plugins that implement NetworkPolicy, and the entire /services-networking/ section only (fully) applies to clusters with conformant networking plugins.)

[npinaeva]

yeah good point, @sftim what do you think?

[sftim]

the entire page only applies to plugins that implement NetworkPolicy

The conceptual explanation is relevant even if your cluster is using a network plugin that has never heard of NetworkPolicy.

---

We should document somewhere what we expect from a conforming network plugin. Otherwise, it's not fair on plugin authors - they need to know what's expected and shouldn't have to become detectives in meeting that end.

The way we inform implementers might once day be through a separate reference page, but for now this concept page is the closest thing we have.

[sftim]

Suggested change

	Every created NetworkPolicy will be handled by a network plugin eventually, but there is no
	way to tell from the Kubernetes API when exactly that happens.
	Every created NetworkPolicy will be handled by a network plugin eventually, but there is no
	way to tell from the Kubernetes API when exactly the policy is being enforced for new or
	existing Pods.
	(As an example: if you write a NetworkPolicy implementation that begins enforcing the policy from
	midnight the next day, that conforms to Kubernetes' requirements - but of course could be very
	frustrating for cluster administrators).

[npinaeva]

This suggestion looks more implementor-focused to me, and I think we were going to outline implementor guideline in a different document, wdyt?
Another note - I don't think the implementation you described will pass conformance tests for network policy, so maybe it is not really conformant?

[danwinship]

There are no conformance tests for NetworkPolicy, but it wouldn't pass the ordinary e2e tests.

I think we were going to outline implementor guideline in a different document

yeah, there's been discussion about that (partly inspired by this PR). https://groups.google.com/g/kubernetes-sig-network/c/Ga9SWGs00k4 / kubernetes/community#7421

[sftim]

Even then, you might not be able to tell (I think).

[npinaeva]

that is right, e.g. connections may be dropped for another reason, but I am not sure if adding these details will improve or over-complicate this section, wdyt?

[sftim]

I'd omit the sentence. I'm wary about the risk of misleading people.

(I don't want someone to think “Right, so this Pod shouldn't be able to talk to a Pod in namespace untrusted. I tried and failed, so my policy is working. Job done, !”)

[danwinship]

"Allow rules will be applied eventually after the isolation rules (or may be applied at the same time)."

[danwinship]

"Therefore, pods must be resilient..."

[danwinship]

"...before letting the app containers start." or "...before kubelet starts the app containers".

[danwinship]

2. a `hostNetwork` pod is selected by a `podSelector` in an `ingress` or `egress` rule.

(since there's the ipBlock case too, but you don't talk about that in this bullet point)

[danwinship]

(left some other comments up above in earlier threads too)

[sftim]

so do you want me to add another commit to remove SCTP support section? This PR doesn't touch SCTP yet, so maybe it would be a better option to have it as another PR (knowing for how ling we've been discussing this one)?

You must fix the mandatory corrctive feedback about undefined behavior and get that update tech-reviewed. You can also address the optional feedback about SCTP if you'd like to.

[npinaeva]

@danwinship can you please tal at the hostNetwork section?
@sftim can you please check the sctp changes?

[danwinship]

(mostly editorial comments, except for the hostNetwork section, which must be fixed)

[danwinship]

Suggested change

	When a new NetworkPolicy object is created, it may take some for a network plugin
	to handle the new object. If the pod that is affected by a NetworkPolicy
	is created before the network plugin has completed NetworkPolicy handling,
	that pod may be started unprotected, and isolation rules will be applied when
	the NetworkPolicy handling is completed.
	When a new NetworkPolicy object is created, it may take some time for a network plugin
	to handle the new object. If a pod that is affected by a NetworkPolicy
	is created before the network plugin has completed NetworkPolicy handling,
	that pod may be started unprotected, and isolation rules will be applied when
	the NetworkPolicy handling is completed.

[danwinship]

(IMO we don't need this note; the entire page only applies to plugins that implement NetworkPolicy, and the entire /services-networking/ section only (fully) applies to clusters with conformant networking plugins.)

[danwinship]

Suggested change

	In the worst case, a newly created pod may have no network connectivity at all, if
	In the worst case, a newly created pod may have no network connectivity at all when it is first started, if

[danwinship]

As Tim notes, this won't work for checking "negative connectivity", so it might be good to clarify that this is only for the "positive connectivity" case. "If you need to make sure the pod can reach certain destinations before being started, you can use an init container to wait for those destinations to be reachable before kubelet starts the app containers."

[danwinship]

Suggested change

	NetworkPolicy behaviour for `hostNetwork` pods is undefined, but should be limited with 2 possibilities:
	NetworkPolicy behaviour for `hostNetwork` pods is undefined, but it should be limited to 2 possibilities:

[danwinship]

Suggested change

	- network plugin can distinguish `hostNetwork` pod traffic from any other traffic and will apply
	NetworkPolicy to it
	- The network plugin can distinguish `hostNetwork` pod traffic from all other traffic
	(including being able to distinguish traffic from different `hostNetwork` pods on
	the same node), and will apply NetworkPolicy to `hostNetwork` pods just like it does
	to pod-network pods.

[danwinship]

Suggested change

	- network plugin ignores `hostNetwork` pods
	- The network plugin cannot properly distinguish `hostNetwork` pod traffic, and so it ignores `hostNetwork` pods when matching `podSelector` and `namespaceSelector`. Traffic to/from `hostNetwork` pods is treated the same as all other traffic to/from the node IP. (This is the most common implementation.)

It's not ignoring the pods entirely; eg, a pod which is isolated for ingress will still reject connections from hostNetwork pods.

[danwinship]

Suggested change

	2. a `hostNetwork` pod is selected by a `podSelector` in an `ingress` or `egress` rule.
	2. a `hostNetwork` pod is selected by a `podSelector` or `namespaceSelector` in an `ingress` or `egress` rule.

[sftim]

I'd like a technical review from @kubernetes/sig-network-misc

[sftim]

(nit)

Suggested change

	When a `deny all` network policy is defined, it is only guaranteed to deny TCP, UDP and SCTP
	When a _deny all_ network policy is defined, it is only guaranteed to deny TCP, UDP and SCTP

[sftim]

(optionally)

Suggested change

	connections. For other protocols, such as ARP or ICMP, the behaviour is undefined.
	connections. For other protocols, such as ARP or ICMP, the behaviour is undefined: it is up to
	each network plugin to decide what behavior to adopt and implement.

[sftim]

the entire page only applies to plugins that implement NetworkPolicy

The conceptual explanation is relevant even if your cluster is using a network plugin that has never heard of NetworkPolicy.

---

We should document somewhere what we expect from a conforming network plugin. Otherwise, it's not fair on plugin authors - they need to know what's expected and shouldn't have to become detectives in meeting that end.

The way we inform implementers might once day be through a separate reference page, but for now this concept page is the closest thing we have.

[danwinship]

/lgtm

I'd like a technical review from @kubernetes/sig-network-misc

Sure, that's what I was doing all along. I declare this PR to be technically accurate!

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: a9fc7ecc2e8284aed8052790b331247fec345282

[sftim]

This is good to publish.

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sftim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/OWNERS [sftim]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment