Add NPEP for new CIDRGroup object peer#183
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
k8s-ci-robot
added
the
size/M
tssurya
force-pushed
the
cidr-object-npep
branch
from
aef81b5 to
7e30032
Compare
k8s-ci-robot
added
size/L
tssurya
changed the title
CIDRGroup object peer
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
tssurya
force-pushed
the
cidr-object-npep
branch
from
7e30032 to
930064a
Compare
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
tssurya
force-pushed
the
cidr-object-npep
branch
from
930064a to
b6673d7
Compare
|
@joestringer and @networkop PTAL, I have tried to include the uses cases you had proposed to see if we can also have this way of expressing CIDR peers. |
| The speed of IP churn is bounded by the BGP advertisement interval and can be | ||
| further reduced by the BGP controller implementation. | ||
|
|
||
| * As a cluster administrator I want to to ensure that pods can reach |
There was a problem hiding this comment.
Just playing devil's advocate with maybe a really bad idea:
What if we try to use the EndpointSlice API to solve this set of problems?
Pros:
- Fewer network policy
objectsCRDS - Make headway into defining the Service selector API
Cons:
- Abusing(?) the EndpointSlice idiom
There was a problem hiding this comment.
@rahulkjoshi can you specify IP prefixes or only IP addresses in EndpointSlice?
There was a problem hiding this comment.
😦 yeah you're right only individual addresses in EndpointSlice
My underlying thought with this situation was whether there's overlap with a more general service discovery problem. My thinking was that whatever application the rule protects also needs to discover the IPs it's talking to.
I was hoping that plugging into that system might be more ergonomic? But it's more likely to just be incredibly complicated and not easily generalizable.
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
|
@k8s-triage-robot: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
thanks @fasaxc for the comments, I haven't forgotten this, will get back to this |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
|
@k8s-triage-robot: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/reopen |
|
@fasaxc: Reopened this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
removed
the
lifecycle/rotten
|
@fasaxc: The DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: tssurya The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
|
Another use case, from kubernetes/enhancements#5708. That's about having a label to match "system namespaces", but the example policy I give is: apiVersion: policy.networking.k8s.io/v1alpha2
kind: ClusterNetworkPolicy
metadata:
name: block-user-namespaces-from-metadata-api
spec:
tier: Admin
priority: 100 # adjust as appropriate
subject:
namespaces:
matchExpressions:
- # FIXME: fill this part in
egress:
- action: "Deny"
to:
- networks:
# This is the IP used by GCP, AWS, and Azure, but other clouds may
# use different IPs...
- 169.254.169.254/32And it occurs to me that if we encouraged distros to create a "cloud-metadata-apis" CIDRGroup, then we could use that at the end rather than having to say "figure it out yourself". |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
8 participants
This NPEP captures the use cases for having a better CIDRGrouper for easier management of CIDR peers in addition to inline CIDR peers
Closes #182