ACNP: replace NamespaceSelector with Namespaces for policy peers #1941
Labels: area/network-policy/api, kind/design, lifecycle/stale
Describe what you are trying to solve
Users want to reduce the management overhead of security policies by writing succinct Antrea-native policies. For example, to implement a Namespace isolation policy for the entire cluster (inter-ns deny, intra-ns allow), users currently must create a default-allow policy per Namespace instead of a single cluster-scoped policy, because the ACNP is not expressive enough to satisfy this use case.
Describe the solution you have in mind
Introduce a new `Namespaces` field which replaces `NamespaceSelector` in Antrea ClusterNetworkPolicy peers. `Namespaces.Selector` will have the exact same semantics as the original `NamespaceSelector`. `Self`, on the other hand, is a new optional field, which evaluates to false by default. When `self: true` is set, no selectors can be present concurrently. This is a special keyword to indicate that the corresponding `podSelector` should be evaluated from the Namespace for which the ingress/egress rule is currently being evaluated. Consider the following example: Namespace x has Pods a1 and b1 with labels `app=a` and `app=b` respectively, and Namespace y has Pods a2 and b2 with labels `app=a` and `app=b` respectively.
The above ClusterNetworkPolicy should be interpreted as: for each Namespace in the cluster, all Pods in that Namespace should only allow traffic from Pods in the same Namespace that have the label app=b. Hence, the policy above denies x/b1 -> x/a1 and y/b2 -> y/a2, but does not regulate y/b2 -> x/a1 and x/b1 -> y/b2.
Using the new semantics, one can easily write a single Namespace isolation ACNP as follows:
Since the allow rule permits intra-Namespace traffic and comes before the deny rule that drops all ingress traffic, intra-Namespace traffic is allowed and any other traffic is dropped by the deny rule.
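To make the proposed semantics concrete, here is an added toy evaluator (example code, not Antrea's implementation) that models the `namespaces.self` / `namespaces.selector` peer fields from this proposal and evaluates the single cluster-wide Namespace isolation policy above against the issue's x/y example Pods. The surrounding policy shape (`appliedTo`, ordered `ingress` rules with `Allow`/`Drop` actions, an empty `from` meaning any source) follows Antrea ACNP conventions and is assumed here; the Namespace labels are constructed.

```python
# Toy evaluator for the proposed `namespaces` peer field (added example, not Antrea code).
# Constructed cluster from the issue's example: Namespace x has Pods a1/b1, Namespace y has a2/b2.
PODS = {
    "x/a1": {"ns": "x", "labels": {"app": "a"}},
    "x/b1": {"ns": "x", "labels": {"app": "b"}},
    "y/a2": {"ns": "y", "labels": {"app": "a"}},
    "y/b2": {"ns": "y", "labels": {"app": "b"}},
}
NAMESPACE_LABELS = {"x": {"team": "red"}, "y": {"team": "blue"}}  # constructed labels

# The single Namespace isolation ACNP described above, as a dict mirroring the proposed YAML.
NS_ISOLATION = {
    "appliedTo": [{"podSelector": {}}],  # empty selector: every Pod in every Namespace
    "ingress": [
        {"action": "Allow", "from": [{"namespaces": {"self": True}}]},  # intra-Namespace traffic
        {"action": "Drop", "from": []},  # empty `from`: any other source is dropped
    ],
}

def matches(labels, selector):
    """matchLabels semantics; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src, dst):
    """Does source Pod `src` fall under `peer`, evaluated for the Pod `dst` the rule applies to?"""
    ns_peer = peer.get("namespaces")
    if ns_peer is not None:
        if ns_peer.get("self"):
            if "selector" in ns_peer:  # the proposal forbids combining `self` with a selector
                raise ValueError("namespaces.self cannot be combined with a selector")
            if src["ns"] != dst["ns"]:  # `self`: the peer Namespace is dst's own Namespace
                return False
        elif not matches(NAMESPACE_LABELS[src["ns"]], ns_peer.get("selector", {})):
            return False  # `selector` keeps the old NamespaceSelector semantics
    if "podSelector" in peer and not matches(src["labels"], peer["podSelector"]):
        return False
    return True

def verdict(policy, src_name, dst_name):
    """Ordered evaluation: the first ingress rule whose `from` matches wins; None = not regulated."""
    src, dst = PODS[src_name], PODS[dst_name]
    if not any(matches(dst["labels"], a.get("podSelector", {})) for a in policy["appliedTo"]):
        return None
    for rule in policy["ingress"]:
        if not rule["from"] or any(peer_matches(p, src, dst) for p in rule["from"]):
            return rule["action"]
    return None
```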
Describe how your solution impacts user flows
The ACNP apiVersion will be bumped up to v1alpha2, and older policies will be internally converted to the new semantics by automatically translating `NamespaceSelector` to `Namespaces.Selector`. Users must now be informed of the new semantics and start using the v1alpha2 version of the policies.
Test plan
In addition to e2e and unit tests, upgrade tests must be added to ensure smooth upgrade workflows.