Support both podSelector and namespaceSelector in NetworkPolicy #3312

Open
brb opened this Issue Jun 6, 2018 · 5 comments

Contributor

brb commented Jun 6, 2018

The upcoming Kubernetes release will allow us to select pods in selected namespaces (kubernetes/kubernetes#60452). We should support it in weave-npc.

@brb brb added this to the 2.5 milestone Jul 16, 2018

murali-reddy added a commit that referenced this issue Oct 16, 2018

@murali-reddy murali-reddy self-assigned this Oct 17, 2018

Contributor

murali-reddy commented Oct 18, 2018

@brb I gave it a shot to fix this #3428

It appears to me that the current design of keeping a per-namespace selector collection does not easily fit the combination of podSelector and namespaceSelector.

So the association namespace <- network policy <- selectors works nicely when pods are within the namespace, or when all the pods in a different namespace are selected by the namespace selector.

I extended the selector a bit to be in different namespaces as well, but it does not quite work yet. From what I see, add/delete/update of pods needs to check with all the network policies across namespaces.

Before I go down that path, can you check #3428 and see if there is any simple way to solve this?

Contributor

brb commented Oct 24, 2018

My idea was to get rid of the nsSelectors, to extend podSelectors in a way that it includes a namespace selector, and to share the podSelectors instance among all namespaces.
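The selection semantics this issue asks for, as an added example (not weave-npc code and not written by anyone in this thread): one peer carrying both selectors is an AND, while the same two selectors as separate peers are an OR. The names `Peer`, `Pod`, `Selects` and the sample data are assumptions made for the illustration, and only `matchLabels`-style equality is modelled.

```go
package main

import "fmt"

type (
	Labels map[string]string                                // matchLabels only; matchExpressions is left out
	Peer   struct{ NamespaceSelector, PodSelector *Labels } // a nil selector means the field is absent
	Pod    struct {
		Namespace, Name  string
		NSLabels, Labels Labels // NSLabels are the labels of the pod's namespace
	}
)

// matches reports whether l carries every pair in sel; an empty sel matches all.
func matches(sel, l Labels) bool {
	for k, v := range sel {
		if got, ok := l[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// Selects ANDs one peer's selectors; podSelector alone stays in policyNS, no selector selects nothing.
func (p Peer) Selects(policyNS string, pod Pod) bool {
	nsOK := p.PodSelector != nil && pod.Namespace == policyNS
	if p.NamespaceSelector != nil {
		nsOK = matches(*p.NamespaceSelector, pod.NSLabels)
	}
	return nsOK && (p.PodSelector == nil || matches(*p.PodSelector, pod.Labels))
}

// Constructed sample data: the policy lives in "shop"; pods run in two namespaces.
var (
	billing, api    = Labels{"team": "billing"}, Labels{"app": "api"}
	combined        = Peer{&billing, &api}                 // one peer, both selectors
	nsOnly, podOnly = Peer{&billing, nil}, Peer{nil, &api} // same selectors as two peers
	pods            = []Pod{
		{"shop", "api", Labels{"team": "shop"}, api},
		{"billing", "api", billing, api},
		{"billing", "batch", billing, Labels{"app": "batch"}},
	}
)

func main() {
	for _, pod := range pods {
		sep := nsOnly.Selects("shop", pod) || podOnly.Selects("shop", pod)
		fmt.Println(pod.Namespace+"/"+pod.Name, combined.Selects("shop", pod), sep)
	}
}
```

With the combined peer only `billing/api` is selected; written as two peers, the same selectors admit all three sample pods.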

@bboreham bboreham modified the milestones: 2.5, 2.5.1 Nov 1, 2018

@dholbach dholbach removed the hacktoberfest label Nov 22, 2018

n1koo commented Dec 11, 2018

Hi friends, is this still targeted for 2.5.1 or needs more research on the approach?

Contributor

murali-reddy commented Dec 11, 2018

@n1koo IMO it does not look like this can be targeted for 2.5.x. I started working on a fix (in #3428), but it turned out network policies design changes are needed to accommodate the combination of pod selector and namespace selector. So it is likely targeted for 2.6.

n1koo commented Dec 11, 2018

@murali-reddy thanks for the super quick update. I'm sure things are still in flux for 2.6 but is there any rough estimate?

This would be hugely beneficial for us and, I'm sure, most of the other folks, as separating apps into their own namespaces is pretty much a de facto setup, but you still don't want everything in a namespace to be able to connect to everything in the other namespace :)

I'd be happy to help test it out when the work ramps up.

@bboreham bboreham modified the milestones: 2.5.1, 2.6 Jan 18, 2019
