
Commit a0b7967

committed Sep 24, 2023
NPEP: Iron out Egress Support API Design
Signed-off-by: Surya Seetharaman <[email protected]>
1 parent 639f674 commit a0b7967

File tree

1 file changed

+86
-3
lines changed


‎npep/npep-126-egress-traffic-control.md

+86-3
@@ -1,7 +1,7 @@
11
# NPEP-126: Add northbound traffic support in (B)ANP API
22

33
* Issue: [#126](https://github.com/kubernetes-sigs/network-policy-api/issues/126)
4-
* Status: Provisional
4+
* Status: Implementable
55

66
## TLDR
77

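Review bot: the status flip from `Provisional` to `Implementable` in this hunk lands in the same commit as an API section that still carries two `TODO: Come up with an API Validation to ensure this cannot be set for ingress rules` items, a `<blah>` placeholder under the first `Example:` and no body under the second; either keep the status at Provisional until those are resolved, or resolve them here, since `Implementable` signals that the API is settled enough to build against.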
@@ -76,8 +76,91 @@ selected cluster workloads to k8s-apiservers for securing the server.
7676

7777
## API
7878

79-
(... details, can point to PR with changes)
80-
79+
Proof of Concept for the API design details can be found here: https://github.com/kubernetes-sigs/network-policy-api/pull/143
80+
81+
### Implementing egress traffic control towards cluster nodes
82+
83+
This NPEP proposes to add a new type of `AdminNetworkPolicyPeer` called `Nodes`
84+
to be able to explicitly select nodes (based on the node's labels) in the cluster.
85+
86+
TODO: Come up with an API Validation to ensure this cannot be set for ingress rules
87+
88+
```
89+
// AdminNetworkPolicyPeer defines an in-cluster peer to allow traffic to/from.
90+
// Exactly one of the selector pointers must be set for a given peer. If a
91+
// consumer observes none of its fields are set, they must assume an unknown
92+
// option has been specified and fail closed.
93+
// +kubebuilder:validation:MaxProperties=1
94+
// +kubebuilder:validation:MinProperties=1
95+
type AdminNetworkPolicyPeer struct {
96+
<snipped>
97+
// Nodes defines a way to select a set of nodes in
98+
// in the cluster. This field follows standard label selector
99+
// semantics; if present but empty, it selects all Nodes.
100+
// +optional
101+
Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
102+
}
103+
```
104+
105+
Example:
106+
107+
<blah>
108+
109+
### Implementing egress traffic control towards external destinations
110+
111+
This NPEP proposes to add a new type of `AdminNetworkPolicyPeer` called `ExternalNetworks`
112+
to be able to explicitly select external destinations (based on the externalNetworkSet's
113+
labels) in the cluster.
114+
115+
TODO: Come up with an API Validation to ensure this cannot be set for ingress rules
116+
117+
```
118+
// AdminNetworkPolicyPeer defines an in-cluster peer to allow traffic to/from.
119+
// Exactly one of the selector pointers must be set for a given peer. If a
120+
// consumer observes none of its fields are set, they must assume an unknown
121+
// option has been specified and fail closed.
122+
// +kubebuilder:validation:MaxProperties=1
123+
// +kubebuilder:validation:MinProperties=1
124+
type AdminNetworkPolicyPeer struct {
125+
<snipped>
126+
// ExternalNetworks defines a way to select ExternalNetworkSets
127+
// that consist of network CIDRs that live outside the cluster as a peer.
128+
// This field follows standard label selector semantics; if present
129+
// but empty, it selects all ExternalNetworkSets defined in the cluster.
130+
// +optional
131+
ExternalNetworks *metav1.LabelSelector `json:"externalNetworks,omitempty"`
132+
}
133+
```
134+
135+
An `externalNetworkSet` is a new object used to define a set of networks outside
136+
the cluster.
137+
138+
```
139+
// ExternalNetworkSet is a cluster level resource that is used to define
140+
// a set of networks outsides the cluster which can be referred to from
141+
// the AdminNetworkPolicy && BaselineAdminNetworkPolicy APIs as an external peer
142+
type ExternalNetworkSet struct {
143+
metav1.TypeMeta `json:",inline"`
144+
metav1.ObjectMeta `json:"metadata"`
145+
146+
// Specification of the desired behavior of ExternalNetworkSet.
147+
Spec ExternalNetworkSetSpec `json:"spec"`
148+
}
149+
150+
// ExternalNetworkSetSpec defines the desired state of ExternalNetworkSet.
151+
type ExternalNetworkSetSpec struct {
152+
// Networks is the list of NetworkCIDR (both v4 & v6) that can be used to define
153+
// external destinations.
154+
// A total of 100 CIDRs will be allowed in each NetworkSet instance.
155+
// ANP & BANP APIs may use the .spec.in(e)gress.from(to).externalNetworks selector
156+
// to select a set of external networks
157+
// +optional
158+
// +kubebuilder:validation:MaxItems=100
159+
Networks []string `json:"networks,omitempty" validate:"omitempty,dive,cidr"`
160+
}
161+
```
162+
163+
Example:
81164

82165
## Alternatives
83166

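Review bot: the CIDR check on `Networks []string` in `ExternalNetworkSetSpec` relies on a `validate:"omitempty,dive,cidr"` struct tag, which the API server does not evaluate for a CRD; without a schema-level check (a kubebuilder `Pattern`/`Format` marker or a CEL `XValidation` rule on the field), a malformed or overly broad entry is admitted and only surfaces, or silently matches, in the implementation. The `MaxProperties=1`/`MinProperties=1` markers on `AdminNetworkPolicyPeer` keep a peer to exactly one selector but do nothing to stop `nodes` or `externalNetworks` being set on an ingress `from` peer, which is the gap the two `TODO` lines acknowledge; a CEL rule at the rule level that rejects these fields under `ingress` would close it, and since the doc comment states that an empty-but-present selector selects all Nodes / all ExternalNetworkSets, the comment should also spell out that `nodes: {}` on an Allow rule opens egress to every node, control plane included. Smaller points: the `Nodes` comment reads `select a set of nodes in / in the cluster` (duplicated `in`), the `ExternalNetworkSet` comment has `outsides the cluster`, and the ExternalNetworkSet `Example:` at the end of the hunk has no body.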