Closed mvladev closed 4 years ago
CodeClinch
commented
5 years ago @mvladev I like your approach, but this would mean that a user has to label the namespace to get the policy. We would like to provide secure by default, which means even so the user forgets the label a network policy should be created. But may be we could at lease use a "black list" version.
mvladev
commented
5 years ago @CodeClinch if it should be applied to ALL namespaces than
spec:
namespaceSelector: {}can be used (it selects all namespaces) or
spec:
matchExpressions:
- key: role
operator: NotIn
values:
- system
- loggingselecting all namespaces, except for those labeled with role=system or role=logging.
This frees the end-user to customize the behavior it wants to have on its cluster.
CodeClinch
commented
5 years ago @mvladev thank you for your explanation. The strategy should be:
mvladev
commented
5 years ago The problem with #148 is that it applies the same network policy for ALL namespaces. There is no option to specify to which namespaces it applies to
marcrahnsap
commented
5 years ago The problem with #148 is that it applies the same network policy for ALL namespaces. There is no option to specify to which namespaces it applies to
We solved this problem with the annotation "karydia.gardener.cloud/networkPolicy". With that annotation you can specify the network policy on namespace level.
mvladev
commented
5 years ago We solved this problem with the annotation "karydia.gardener.cloud/networkPolicy". With that annotation you can specify the network policy on namespace level.
With this approach it's impossible to apply more than 1 Policy to a namespace:
marcrahnsap
commented
5 years ago We did not consider such a scenario where a karydia user wants to apply more than one network policy to a specific namespace. @CodeClinch what do you think about this idea?
CodeClinch
commented
5 years ago We should check again. There will be no additional network policy possible.
marcrahnsap
commented
5 years ago We decided to apply only one network policy per namespace, which will be maintained by karydia.
mvladev
commented
5 years ago I wish you luck with the adoption then.
dacappo
commented
5 years ago No customers, no problems 😂
CodeClinch
commented
4 years ago Currently, we support only one network policy. It should be possible to reconcile multiple.
Neumann-Nils
commented
4 years ago Wanted to give a preview of the upcoming changes regarding multiple network policies.
We are going to support multiple network policies (see #241). One can define multiple network policies using a ;-separated syntax. For example:
karydia-default-network-policy;karydia-default-network-policy-l2;karydia-default-network-policy-l3Moreover, one can specify which network policies should apply to which namespace by adding the karydia.gardener.cloud/networkPolicy annotation (using the same ;-separated syntax) to each namespace.
Surely, this implementation is different than the idea proposed by @mvladev. However, I believe that this is a rather simple solution to the problem and should fulfill all requirements. There are some advantages and disadvantages for both approaches.
Description
Right now end-users cannot specify in which namespaces their policies are deployed into.
User Story
End user creates network policy called
foowhich needs to deployed in namespaced labeled withfoo-policy=enabled[OPTIONAL] Implementation idea
Introduce a new resource called
KarydiaNetworkPolicywhich contains bothNetworkPolicyTemplateandNamespaceselector:Given that end-user has a namespace:
This should produce the following
NetworkPolicyin namespacesome-namespace: