Merge pull request #161 from astoycos/add-blog

setup mkdocs blog scaffolding

Author: k8s-ci-robot

mkdocs.yml

@@ -24,6 +24,13 @@ plugins:
   - macros:
       #include_dir: examples
       j2_line_comment_prefix: "#$"
+  - blog:
+      # NOTE: configuration options can be found at
+      # https://squidfunk.github.io/mkdocs-material/setup/setting-up-a-blog/
+      blog_dir: blog
+      blog_toc: true
+      #post_excerpt: required
+      post_excerpt_max_authors: 2
 markdown_extensions:
   - admonition
   - meta
@@ -57,8 +64,11 @@ nav:
       - Template: npeps/npep-95.md
       - Provisional: 
         - npeps/npep-126-egress-traffic-control.md
+        - npeps/npep-122.md
       - Implementable:
         - npeps/npep-137-conformance-profiles.md
         # - Experimental:
         # - Standard:
         # - Declined:
+  - Blog:
+    - blog/index.md

requirements.txt

@@ -8,11 +8,11 @@ MarkupSafe==2.1.3
 mkdocs==1.5.2
 mkdocs-awesome-pages-plugin==2.7.0
 mkdocs-macros-plugin==0.6.0
-mkdocs-material==7.3.3
-mkdocs-material-extensions==1.0.1
+mkdocs-material==9.2.0b3
+mkdocs-material-extensions==1.1.1
 pep562==1.0
-Pygments==2.5.2
-pymdown-extensions==9.0
+Pygments==2.14.0
+pymdown-extensions==9.9.1
 PyYAML==5.3
 six==1.14.0
 tornado==6.0.3

site-src/blog/.authors.yml

@@ -0,0 +1,5 @@
+astoycos:
+  name: Alex Stoycos
+  description: Senior Software Engineer at Red Hat. network-policy-api co-lead.
+  avatar: https://github.com/astoycos.png
+  

site-src/blog/index.md

@@ -0,0 +1 @@
+# Network Policy API Subgroup Blog

site-src/blog/posts/fake-post.md

@@ -0,0 +1,9 @@
+---
+date: 2023-09-07
+authors:
+  - astoycos
+---
+
+# Replace with blog post
+
+This is a temporary blog to be replaced with a real one :) .

site-src/enhancements.md

@@ -56,7 +56,7 @@ To start NPEP process, create a PR adding `npep-<issue number>.md` file in the
 [npep folder](https://github.com/kubernetes-sigs/network-policy-api/tree/master/npep)
 using the [template NPEP](https://github.com/kubernetes-sigs/network-policy-api/blob/master/npep/npep-95.md) as a
 starting point. Make sure to also add your new NPEP to the website, this can be done within
-the `index.md` file at the root of the repo.
+the `mkdocs.yml` file at the root of the repo.
 
 ### 4. Provisional: Agree on the Goals and applicable User-Stories
 

site-src/npeps/npep-126-egress-traffic-control.md

@@ -0,0 +1,90 @@
+# NPEP-126: Add northbound traffic support in (B)ANP API
+
+* Issue: [#126](https://github.com/kubernetes-sigs/network-policy-api/issues/126)
+* Status: Provisional
+
+## TLDR
+
+This NPEP proposes adding support for cluster egress (northbound) traffic control
+in the `AdminNetworkPolicy` and `BaselineAdminNetworkPolicy` API objects.
+
+## Goals
+
+* Implement egress traffic control towards external destinations (outside the cluster)
+* Implement egress traffic control towards cluster nodes
+  - Currently the behaviour for policies defined around traffic from cluster
+    workloads (non-hostNetworked pods) towards nodes in the
+    cluster is undefined. See https://github.com/kubernetes-sigs/network-policy-api/issues/73.
+    - ANP currently supports only east-west traffic and this traffic flow cuts from
+    overlay to underlay which makes this part of the egress (northbound) use case.
+    - Let's provide a defined behaviour in ANP to explicitly achieve the use case.
+    - NOTE: Traffic towards nodes here includes traffic towards host-networked pods on that node
+      because a "node" resource encompasses all objects that share the host-networking resources
+* Implement egress traffic control towards k8s-apiservers
+  - An apiserver endpoint in this context is special in the sense that it can be any entity
+    including but not limited to a host-networked pod within the cluster OR external VMs OR
+    infrastructure nodes running outside the cluster. This is why its a separate category goal.
+
+## Non-Goals
+
+* Implementing southbound (ingress) traffic use cases is outside the scope of this NPEP
+* Implementing egress traffic control towards arbitrary hostNetworked pods is outside the scope of this NPEP
+  - Currently the behaviour for policies defined around traffic from cluster
+  workloads (non-hostNetworked pods) towards hostNetworked pods in the
+  cluster is undefined. See https://github.com/kubernetes-sigs/network-policy-api/issues/73.
+  - ANP currently supports only east-west traffic and this traffic flow cuts from
+  overlay to underlay which makes this part of the egress (northbound) use case.
+  - NOTE: Currently there are no user stories for `CNI pod to arbitrarily chosen hostNetworked pods`.
+    Let's provide a defined behaviour in ANP to explicitly achieve the use case in the future if we have
+    user stories for this outside of the k8s-apiserver usecase which is already covered in the goals.
+    If that happens, this can be moved to goals.
+
+## Introduction
+
+### User Stories for egress traffic control towards external destinations
+
+1. **As a** cluster administrator **I want** to restrict traffic from
+specific cluster workloads to all or specific destinations outside the
+cluster **so that** I can enforce security for northbound traffic.
+Example: Pods in namespaceA and namespaceB should not be able to talk
+to the internet but they should be able to access company's intranet.
+
+2. **As a** cluster administrator **I want** to to ensure that pods can
+reach my cluster-external DNS server even if namespace admins create
+NetworkPolicies that block cluster-external egress.
+Example: As an owner of namespaceA I define policies that deny all
+northbound egress traffic for that namespace. However the cluster-admin
+can decide all namespaces in the cluster must be able to talk to the
+EXTERNAL_DNS_SERVER_IP on port 53.
+
+### User Stories for egress traffic control towards cluster nodes
+
+1. **As a** cluster administrator **I want** to easily block access from
+cluster workloads to specific ports on cluster nodes without having to block
+access to those ports on external hosts, without having to manually list
+the IP address of every node, and without having to change the policy when
+new nodes are added to the cluster.
+
+### User Stories for egress traffic control towards k8s-apiservers
+
+1. **As a** cluster administrator **I want** to easily allow access to
+k8s-apiservers from cluster workloads when there are other deny rules in place
+for these workloads.
+
+2. **As a** cluster administrator **I want** to easily block access from
+selected cluster workloads to k8s-apiservers for securing the server.
+
+## API
+
+(... details, can point to PR with changes)
+
+
+## Alternatives
+
+(List other design alternatives and why we did not go in that
+direction)
+
+## References
+
+* https://github.com/danwinship/enhancements/blob/cluster-egress-firewall/keps/sig-network/20190917-cluster-egress-firewall.md#blocking-access-to-services-used-by-the-node
+* https://github.com/kubernetes-sigs/network-policy-api/pull/86

site-src/npeps/npep-137-conformance-profiles.md

@@ -0,0 +1,189 @@
+# NPEP-137: Conformance Profiles
+
+* Issue: [#137](https://github.com/kubernetes-sigs/network-policy-api/issues/137)
+* Status: Implementable
+
+## TLDR
+
+Add conformance profiles for existing conformance tests which implementations
+can leverage when running the conformance test suite in their downstream repos
+to report the results of the tests back to the Network Policy API project and
+receive recognition (eg. "conformance badge")
+
+* NOTE: Adapted with love from https://gateway-api.sigs.k8s.io/geps/gep-1709/ (Then
+a question may arise, why do we need our own NPEP? Answer: Gateway API Project has
+lots of resources and features and it gets very complicated to adopt their same API.
+We need to tune the profiles to be compatible with what works for Network Policy API
+project, thus the need for this NPEP). Our profiles are much simpler than what GatewayAPI
+supports.
+
+## Goals
+
+* Add conformance profiles for existing tests that downstream implementations
+can subscribe to to run tests associated to the supported API feature sets
+
+* Add a reporting mechanism via a new CRD where conformance results can be
+reported back to the Network Policy API project and provide "conformance badges"
+via Network Policy official website to recognize these implementations.
+
+* Expand existing conformance testing framework to account for profiles
+
+## Non-Goals
+
+* The first iteration will just have a simple repo under which the report
+results will be stored, no automated reporting infrastructure will be built for this now.
+Implementations will need to open PRs against network-policy-api repo to upload
+the results.
+
+## Introduction
+
+Currently, the conformance tests are grouped into `CoreFeatures` and
+`ExtendedFeatures`. The support for features that fall under the `CoreFeatures`
+are a requirement for conformant implementations, while the support for features that fall
+under `ExtendedFeatures` are optional and do not gate API conformance for implementations.
+
+In this NPEP, we will add a concept called `named profiles` which will indicate a
+"level of conformance" for a given resource. We are picking profiles on a resource
+level because that is what makes sense for the project as of today. The initial decision
+to report conformance profiles on a per-resource level is a choice which may be re-evaluated
+by the NetworkPolicy API working group in the future. Using these `named profiles`,
+implementations can run the conformance tests, prove they satisfy the requirements for each profile,
+and receive conformance badges from the Network Policy API project.
+
+This NPEP aims to provide an API (CRD) for reporting results from these conformance
+tests. CLI tooling will also be provided for invoking the conformance tests with
+the profile names so that the results can be easily submitted back upstream.
+
+## User-Stories/Use-Cases
+
+Story 1: Receive an API conformance badge
+
+As a CNI maintainer, I want to receive recognition from Network Policy API subgroup
+that my plugin implements the `AdminNetworkPolicy` API. This badge will enable us
+to advertise upstream feature support in our plugin easily to our users.
+
+Story 2: Track Implementations for each API resource
+
+As a Network Policy project maintainer, I would like to easily track which
+implementations are using the defined API resources in our project so that it
+paves way for easier collaboration and feedback loops when changes are introduced
+to the API in each release.
+
+## API
+
+We will add a new API resource called `ConformanceReport` which will be at
+the center of our test result reporting workflow. The implementors running
+the tests can then:
+
+1. Choose a `named profile`
+2. Integrate the tests required by a given profile in their downstream project
+3. Report the results to Network Policy API project using this new API resource
+4. Get a conformance badge recognition via our official website
+
+## Profiles
+
+Named Profiles for Network Policy API project will be tied to each API resource.
+We will start with two named profiles and expand this as the project evolves.
+
+1. AdminNetworkPolicy
+2. BaselineAdminNetworkPolicy
+
+Each of these profiles may have a combination of conformance tests that fall under
+`CoreFeatures` and `ExtendedFeatures`. Example; if you pick the profile
+`AdminNetworkPolicy`, all tests like `AdminNetworkPolicyEgressSCTP` and
+`AdminNetworkPolicyPriorityField` fall under the `SupportAdminNetworkPolicy` feature
+which is under the `CoreFeatures` subset. So these tests must pass for the
+`AdminNetworkPolicy` profile conformance. Whereas tests (we don't have any today)
+that fall under `AdminNetworkPolicySameLabels` feature which is under the
+`ExtendedFeatures` subset are not mandatory for `AdminNetworkPolicy`
+profile conformance.
+
+## Integration
+
+The conformance profile test suite can be integrated, invoked and run from your implementation
+using two methods:
+
+* The `go test` CLI commands specifying the required information need to generate
+a conformance test report. Sample:
+```
+go test  -v ./conformance -run TestConformanceProfiles -args --conformance-profiles=AdminNetworkPolicy,BaselineAdminNetworkPolicy --organization=ovn-org -project=ovn-kubernetes -url=<project-url> -version=0.1.1 -contact=<> -additional-info=<link-to-implementation>
+```
+* Using the conformance profile test suite `TestConformanceProfiles` by directly customizing it by providing
+the correct arguments. Sample:
+```
+cpSuite := suite.NewConformanceProfileTestSuite(
+            suite.ConformanceProfileOptions{
+                    suite.Options: cSuiteDefaultOptions,
+                    Implementation: confv1alpha1.Implementation{
+                            Organization:          "ovn-org",
+                            Project:               "OVN-Kubernetes CNI",
+                            URL:                   "https://github.com/ovn-org/ovn-kubernetes",
+                            Version:               "0.1.1",
+                            Contact:               []string{"@tssurya"},
+                            AdditionalInformation: "https://github.com/ovn-org/ovn-kubernetes/blob/1c9f73dc8a755c07b22858c7404a7884970d1989/test/conformance/network_policy_v2_test.go"
+                    },
+                    ConformanceProfiles: sets.New(
+                            suite.ANPConformanceProfileName,
+                            suite.BANPConformanceProfileName,
+                    ),
+            })
+```
+
+## Reporting process and certification
+
+The reporting process is related to a specific API's version and channel (core and experimental).
+There are fields in the ConformanceReport CRD that includes such information. Any implementation
+can run the existing conformance test suite specifying the profiles they support and that will
+generate an output that looks like this:
+
+```
+    Conformance report:
+        apiVersion: policy.networking.k8s.io/v1alpha1
+        date: "2023-10-03T08:15:25+02:00"
+        implementation:
+          contact:
+          - "@tssurya"
+          organization: ovn-org
+          project: OVN-Kubernetes CNI
+          url: "https://github.com/ovn-org/ovn-kubernetes"
+          version: 0.1.1
+          additionalInformation: "https://github.com/ovn-org/ovn-kubernetes/blob/1c9f73dc8a755c07b22858c7404a7884970d1989/test/conformance/network_policy_v2_test.go"
+        kind: ConformanceReport
+        networkPolicyV2APIVersion: v0.1.1
+        profiles:
+        - core:
+            failedTests:
+            - AdminNetworkPolicyIngressSCTP
+            - AdminNetworkPolicyEgressUDP
+            result: failure
+            statistics:
+              Failed: 2
+              Passed: 5
+              Skipped: 0
+            summary: ""
+          name: AdminNetworkPolicy
+        - core:
+            result: success
+            statistics:
+              Failed: 0
+              Passed: 7
+              Skipped: 0
+            summary: ""
+          name: BaselineAdminNetworkPolicy
+```
+
+This can then be uploaded to network-policy-api/conformance/reports/v.x.x/cni-name.yaml by
+opening a PR. That will then be reviewed and approved by maintainers thus recognizing the
+implementations that are conformant. It is recommended for the implementations to use the
+`additionalInformation` field to provide links to the implementation or github actions or
+jenkins or any other CI/CD job definitions that helped generate this report. This will
+help maintainers make an informed decision on merging the report PR.
+
+## Alternatives
+
+N/A - We just went with what Gateway API project already has implemented without
+having to reinvent the wheel.
+
+## References
+
+1. https://github.com/kubernetes-sigs/network-policy-api/pull/142