Closed mvladev closed 4 years ago
@mvladev I like your approach, but this would mean that a user has to label the namespace to get the policy. We would like to provide secure by default, which means even so the user forgets the label a network policy should be created. But may be we could at lease use a "black list" version.
@CodeClinch if it should be applied to ALL namespaces than
spec:
namespaceSelector: {}
can be used (it selects all namespaces) or
spec:
matchExpressions:
- key: role
operator: NotIn
values:
- system
- logging
selecting all namespaces, except for those labeled with role=system
or role=logging
.
This frees the end-user to customize the behavior it wants to have on its cluster.
@mvladev thank you for your explanation. The strategy should be:
The problem with #148 is that it applies the same network policy for ALL namespaces. There is no option to specify to which namespaces it applies to
The problem with #148 is that it applies the same network policy for ALL namespaces. There is no option to specify to which namespaces it applies to
We solved this problem with the annotation "karydia.gardener.cloud/networkPolicy". With that annotation you can specify the network policy on namespace level.
We solved this problem with the annotation "karydia.gardener.cloud/networkPolicy". With that annotation you can specify the network policy on namespace level.
With this approach it's impossible to apply more than 1 Policy to a namespace:
We did not consider such a scenario where a karydia user wants to apply more than one network policy to a specific namespace. @CodeClinch what do you think about this idea?
We should check again. There will be no additional network policy possible.
We decided to apply only one network policy per namespace, which will be maintained by karydia.
I wish you luck with the adoption then.
No customers, no problems 😂
Currently, we support only one network policy. It should be possible to reconcile multiple.
Wanted to give a preview of the upcoming changes regarding multiple network policies.
We are going to support multiple network policies (see #241). One can define multiple network policies using a ;
-separated syntax. For example:
karydia-default-network-policy;karydia-default-network-policy-l2;karydia-default-network-policy-l3
Moreover, one can specify which network policies should apply to which namespace by adding the karydia.gardener.cloud/networkPolicy
annotation (using the same ;
-separated syntax) to each namespace.
Surely, this implementation is different than the idea proposed by @mvladev. However, I believe that this is a rather simple solution to the problem and should fulfill all requirements. There are some advantages and disadvantages for both approaches.
Description
Right now end-users cannot specify in which namespaces their policies are deployed into.
User Story
End user creates network policy called
foo
which needs to deployed in namespaced labeled withfoo-policy=enabled
[OPTIONAL] Implementation idea
Introduce a new resource called
KarydiaNetworkPolicy
which contains bothNetworkPolicyTemplate
andNamespace
selector:Given that end-user has a namespace:
This should produce the following
NetworkPolicy
in namespacesome-namespace
: