SAP-archive / karydia

Kubernetes Security Walnut

NetworkPolicy with Incorrect apiVersion #229

Closed linuxbsdfreak closed 4 years ago

linuxbsdfreak commented 4 years ago

Description

The default network policy installed by Karydia has the following yaml

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  annotations:
    karydia.gardener.cloud/networkPolicy.internal: config/karydia-default-network-policy
  creationTimestamp: "2019-09-18T06:39:27Z"
  generation: 1
  name: karydia-default-network-policy
  namespace: monitoring
  resourceVersion: "102916414"
  selfLink: /apis/extensions/v1beta1/namespaces/monitoring/networkpolicies/karydia-default-network-policy
  uid: 759af762-dbe9-4e91-8a2a-4f00ee8cd589
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.250.0.0/16
        - 169.254.169.254/16
        - 100.100.0.0/16
  podSelector: {}
  policyTypes:
  - Egress

Please change the apiVersion to the one given below.

apiVersion: networking.k8s.io/v1

Environment

Neumann-Nils commented 4 years ago

For reference see https://kubernetes.io/docs/concepts/services-networking/network-policies/.

Neumann-Nils commented 4 years ago

I had a look into the versioning of the NetworkPolicy created by Karydia.

We use the package k8s.io/api/networking/v1 provided by Kubernetes, which creates the NetworkPolicy. I could not find an error in our implementation.

However, when observing the bug on a cluster created by Gardener I noticed that on different versions the NetworkPolicy has different apiVersions. Using a cluster with version `1.15.4` it yields `VERSION: extensions/v1beta1` and a cluster with version `1.16.1` yields `VERSION: networking.k8s.io/v1`. That is why I believe that the implementation is correct and with a version upgrade of the cluster the NetworkPolicy will be created with the correct apiVersion (probably).

Keep in mind that Helm currently has a bug that does not allow it to be used with version 1.16 (see https://github.com/karydia/karydia/issues/223) and that is why I could not test it entirely.

I will close this issue for now and will re-evaluate my findings when the bug in Helm is fixed (probably within the next 2 weeks).

To reproduce my tests do the following:

  1. Create a cluster with version `1.15.4`
  2. Run `kubectl explain NetworkPolicy`:

    KIND:     NetworkPolicy
    VERSION:  extensions/v1beta1

    DESCRIPTION:
         DEPRECATED 1.9 - This group version of NetworkPolicy is deprecated by networking/v1/NetworkPolicy. NetworkPolicy describes what network traffic is allowed for a set of Pods

    FIELDS:
       apiVersion
         APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources

       kind
         Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds

       metadata
         Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

       spec
         Specification of the desired behavior for this NetworkPolicy.

  3. Create a cluster with version `1.16.1`
  4. Run `kubectl explain NetworkPolicy`:

    KIND:     NetworkPolicy
    VERSION:  networking.k8s.io/v1

    DESCRIPTION:
         NetworkPolicy describes what network traffic is allowed for a set of Pods

    FIELDS:
       apiVersion
         APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

       kind
         Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

       metadata
         Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

       spec
         Specification of the desired behavior for this NetworkPolicy.
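As an added example (not Karydia's code and not part of this thread), the following Python script takes the default egress policy quoted in the issue body, flags the deprecated `extensions/v1beta1` group that the discussion above is about, and evaluates which destination IPs the `ipBlock` rule permits; the policy dict is constructed from the YAML in the issue with its metadata trimmed, and only `ipBlock` peers are modelled (no ports, no pod or namespace selectors).

```python
import ipaddress

# Constructed from the NetworkPolicy YAML quoted in the issue body (metadata trimmed).
KARYDIA_DEFAULT_POLICY = {
    "apiVersion": "extensions/v1beta1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "karydia-default-network-policy", "namespace": "monitoring"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {
            "cidr": "0.0.0.0/0",
            "except": ["10.250.0.0/16", "169.254.169.254/16", "100.100.0.0/16"],
        }}]}],
    },
}

# Deprecated group/version -> the group/version the issue asks for.
DEPRECATED_GROUPS = {"extensions/v1beta1": "networking.k8s.io/v1"}


def check_api_version(policy):
    """Return the replacement apiVersion if the policy uses a deprecated one, else None."""
    return DEPRECATED_GROUPS.get(policy["apiVersion"])


def egress_allowed(policy, dst_ip):
    """True if this policy lets a selected pod reach dst_ip.

    Kubernetes semantics modelled here: a policy without 'Egress' in policyTypes
    does not restrict egress; a rule with an empty 'to' list allows all peers;
    an ipBlock peer matches when dst_ip is inside 'cidr' and outside every 'except'.
    """
    ip = ipaddress.ip_address(dst_ip)
    if "Egress" not in policy["spec"].get("policyTypes", []):
        return True
    for rule in policy["spec"].get("egress", []):
        peers = rule.get("to", [])
        if not peers:
            return True
        for peer in peers:
            block = peer.get("ipBlock")
            if block is None:
                continue  # pod/namespace selectors are not modelled here
            # strict=False masks host bits like Go's net.ParseCIDR, so the
            # "169.254.169.254/16" entry from the policy becomes 169.254.0.0/16.
            net = ipaddress.ip_network(block["cidr"], strict=False)
            excepts = [ipaddress.ip_network(e, strict=False) for e in block.get("except", [])]
            if ip in net and not any(ip in e for e in excepts):
                return True
    return False
```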