Support NodeSelector in ACNP/ANP ingress/egress rules #3023
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
Comments
wenqiq
added
the
kind/feature
|
Why |
Thanks for the reply. apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
name: ingress-control-plane
spec:
priority: 1
appliedTo:
- nodeSelector:
matchLabels:
kubernetes.io/role: control-plane
ingress:
- action: Allow # Allows ingress to the Kubernetes API server.
from:
- podSelector: {}
ports:
- protocol: TCP
port: 6443
- action: Allow # Allows all traffic to localhost.
from:
- podSelector:
matchLabels:
name: antrea-test-app-5cffdb86df-4nnd51
- ipBlock:
cidr: 127.0.0.0/8
- action: Allow # For multi-control-plane cluster
from:
- nodeSelector:
matchLabels:
kubernetes.io/role: control-plane
ports:
- protocol: TCP
port: 2380
- protocol: TCP
port: 10250 |
|
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days |
github-actions
bot
added
the
lifecycle/stale
Correct the last reply. The NodeSelector is only in 'from' or 'to' sections. If we add NodeSelector in 'appliedTo', maybe we need to implement the Host-Firewall, that’ll be a more big feature. apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
name: egress-control-plane
spec:
priority: 1
appliedTo:
- podSelector:
matchLabels:
app: antrea-test-app
egress:
- action: Drop
to:
- nodeSelector:
matchLabels:
node-role.kubernetes.io/control-plane: ""
ports:
- protocol: TCP
port: 6443
|
|
See also google doc: Antrea NetworkPolicy NodeSelector Design Docs |
wenqiq
removed
the
lifecycle/stale
wenqiq
added a commit
to wenqiq/antrea
that referenced
this issue
Mar 2, 2022
Support nodeSelector in ACNP/ANP ingress/egress rules. Related: antrea-io#3023 Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
wenqiq
changed the title
wenqiq
added a commit
to wenqiq/antrea
that referenced
this issue
Mar 3, 2022
Support nodeSelector in ACNP/ANP ingress/egress rules. Related: antrea-io#3023 Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
wenqiq
added a commit
to wenqiq/antrea
that referenced
this issue
Mar 9, 2022
Support nodeSelector in ACNP/ANP ingress/egress rules. Related: antrea-io#3023 Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
wenqiq
added a commit
to wenqiq/antrea
that referenced
this issue
Mar 11, 2022
Support nodeSelector in ACNP/ANP ingress/egress rules. Related: antrea-io#3023 Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
wenqiq
added a commit
to wenqiq/antrea
that referenced
this issue
Mar 18, 2022
Support nodeSelector in ACNP/ANP ingress/egress rules. Related: antrea-io#3023 Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
wenqiq
added a commit
to wenqiq/antrea
that referenced
this issue
Mar 20, 2022
Support nodeSelector in ACNP/ANP ingress/egress rules. Related: antrea-io#3023 Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
wenqiq
added a commit
to wenqiq/antrea
that referenced
this issue
Mar 21, 2022
1. Add `nodeSelector` field in ACNP/ANP ingress/egress rules to restrict traffic from/to particular Nodes.
2. Add Node info in the output of `antctl get addressgroup`.
For example:
```
antctl get addressgroup
NAME POD-IPS NODE-IPS
5e1bbf8e-67a3-5384-b2bf-e42e93bd68aa <NONE> 192.168.0.1, 10.176.27.105
f8c56571-d6db-51ec-9352-a9a47476a9a0 192.168.0.70,192.168.1.38,192.168.1.39 <NONE>
antctl get addressgroup -oyaml
- name: 5e1bbf8e-67a3-5384-b2bf-e42e93bd68aa
nodes:
- ip: 192.168.0.1, 10.176.27.105
node:
name: wenqiq01-1
- name: f8c56571-d6db-51ec-9352-a9a47476a9a0
pods:
- ip: 192.168.1.38
pod:
name: iperf3-55bcff667d-v495l
namespace: demo
- ip: 192.168.1.39
pod:
name: iperf3-55bcff667d-c74ll
namespace: demo
- ip: 192.168.0.70
pod:
name: iperf3-55bcff667d-pz2d2
namespace: demo
```
Fixes: antrea-io#3023
Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
wenqiq
added a commit
to wenqiq/antrea
that referenced
this issue
Mar 21, 2022
1. Add `nodeSelector` field in ACNP/ANP ingress/egress rules to restrict
traffic to/from particular Nodes.
2. Add Node IPs info in the output of `antctl get addressgroup`.
For example:
```
antctl get addressgroup
NAME POD-IPS NODE-IPS
5e1bbf8e-67a3-5384-b2bf-e42e93bd68aa <NONE> 192.168.0.1, 10.176.27.105
f8c56571-d6db-51ec-9352-a9a47476a9a0 192.168.0.70,192.168.1.38,192.168.1.39 <NONE>
antctl get addressgroup -oyaml
- name: 5e1bbf8e-67a3-5384-b2bf-e42e93bd68aa
nodes:
- ip: 192.168.0.1, 10.176.27.105
node:
name: wenqiq01-1
- name: f8c56571-d6db-51ec-9352-a9a47476a9a0
pods:
- ip: 192.168.1.38
pod:
name: iperf3-55bcff667d-v495l
namespace: demo
- ip: 192.168.1.39
pod:
name: iperf3-55bcff667d-c74ll
namespace: demo
- ip: 192.168.0.70
pod:
name: iperf3-55bcff667d-pz2d2
namespace: demo
```
Fixes: antrea-io#3023
Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
wenqiq
added a commit
to wenqiq/antrea
that referenced
this issue
Mar 24, 2022
1. Add `nodeSelector` field in ACNP/ANP ingress/egress rules to restrict
traffic to/from particular Nodes.
2. Add Node IPs info in the output of `antctl get addressgroup`.
For example:
```
antctl get addressgroup
NAME POD-IPS NODE-IPS
5e1bbf8e-67a3-5384-b2bf-e42e93bd68aa <NONE> 192.168.0.1, 10.176.27.105
f8c56571-d6db-51ec-9352-a9a47476a9a0 192.168.0.70,192.168.1.38,192.168.1.39 <NONE>
antctl get addressgroup -oyaml
- name: 5e1bbf8e-67a3-5384-b2bf-e42e93bd68aa
nodes:
- ip: 192.168.0.1, 10.176.27.105
node:
name: wenqiq01-1
- name: f8c56571-d6db-51ec-9352-a9a47476a9a0
pods:
- ip: 192.168.1.38
pod:
name: iperf3-55bcff667d-v495l
namespace: demo
- ip: 192.168.1.39
pod:
name: iperf3-55bcff667d-c74ll
namespace: demo
- ip: 192.168.0.70
pod:
name: iperf3-55bcff667d-pz2d2
namespace: demo
```
Fixes: antrea-io#3023
Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
Co-authored-by: Quan Tian <qtian@vmware.com>
tnqn
pushed a commit
that referenced
this issue
Mar 24, 2022
1. Add `nodeSelector` field in ACNP/ANP ingress/egress rules to restrict
traffic to/from particular Nodes.
2. Add Node IPs info in the output of `antctl get addressgroup`.
For example:
```
antctl get addressgroup
NAME POD-IPS NODE-IPS
5e1bbf8e-67a3-5384-b2bf-e42e93bd68aa <NONE> 192.168.0.1, 10.176.27.105
f8c56571-d6db-51ec-9352-a9a47476a9a0 192.168.0.70,192.168.1.38,192.168.1.39 <NONE>
antctl get addressgroup -oyaml
- name: 5e1bbf8e-67a3-5384-b2bf-e42e93bd68aa
nodes:
- ip: 192.168.0.1, 10.176.27.105
node:
name: wenqiq01-1
- name: f8c56571-d6db-51ec-9352-a9a47476a9a0
pods:
- ip: 192.168.1.38
pod:
name: iperf3-55bcff667d-v495l
namespace: demo
- ip: 192.168.1.39
pod:
name: iperf3-55bcff667d-c74ll
namespace: demo
- ip: 192.168.0.70
pod:
name: iperf3-55bcff667d-pz2d2
namespace: demo
```
Fixes: #3023
Signed-off-by: Wenqi Qiu <wenqiq@vmware.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the problem/challenge you have
Restrict traffic from Pods to particular Nodes.
Support NodeSelector in ACNP/ANP ingress/egress rules, by defining NetworkPolicy with nodeSelector we can create rules
to restrict the traffic to/from certain Kubernetes Nodes for specific Pods.
Describe the solution you'd like
Add a selector in an ingress
fromsection or egresstosection. NodeSelector selects particular Nodes in the cluster. The selected Node's IPs will be set as "sources" ifnodeSelectorset iningresssection, or as "destinations" if set inegresssection.For example, The following policy will drop egress traffic from Pods with labels 'app=antrea-test-app' to any node with the label kubernetes.io/role=control-plane on TCP ports 6443 (kube-apiserver).
Anything else you would like to add?
The text was updated successfully, but these errors were encountered: