Open danehans opened 9 months ago
This should also support egress restrictions based on FQDN / domain names in addition to CIDR ranges in AdminNetworkPolicy as per NPEP-133. Specifying static IPs of services is very brittle if they're hosted in a cloud environment as they can often change.
Example:
```yaml
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: allow-my-service-egress
spec:
  priority: 55
  subject:
    namespaces:
      matchLabels:
        kubernetes.io/metadata.name: "monitoring"
  egress:
  - name: "allow-to-my-service"
    action: "Allow"
    to:
    - domainNames:
      - "my-service.com"
      - "*.cloud-provider.io"
    ports:
    - portNumber:
        protocol: TCP
        port: 443
```
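To make the requested semantics concrete, here is an added Python sketch (not code from this issue, the VPC CNI, OVN-Kubernetes or NPEP-133) that evaluates the example policy above against a destination hostname and port. It assumes that a `domainNames` entry is either an exact hostname or a `*.` wildcard matching one or more leading DNS labels, that egress rules are evaluated in order with the first match winning, and that no matching rule means the decision falls through to later evaluation (returned as `None`); those are assumptions of the sketch, not settled semantics of the proposal. The policy is embedded as a constructed dict so no YAML parser is needed.

```python
"""Toy evaluator for FQDN-based AdminNetworkPolicy egress rules (illustration only)."""
from typing import Optional

# Constructed policy mirroring the AdminNetworkPolicy example in the comment above.
POLICY = {
    "metadata": {"name": "allow-my-service-egress"},
    "spec": {
        "priority": 55,
        "subject": {
            "namespaces": {"matchLabels": {"kubernetes.io/metadata.name": "monitoring"}}
        },
        "egress": [
            {
                "name": "allow-to-my-service",
                "action": "Allow",
                "to": [{"domainNames": ["my-service.com", "*.cloud-provider.io"]}],
                "ports": [{"portNumber": {"protocol": "TCP", "port": 443}}],
            }
        ],
    },
}


def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.suffix' matching at least one label in front of the suffix (assumed)."""
    host = host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".cloud-provider.io"
        # The leading dot in `suffix` prevents "xcloud-provider.io" from matching.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def port_matches(ports: Optional[list], protocol: str, port: int) -> bool:
    """No `ports` list means any port; otherwise require a portNumber entry to match."""
    if not ports:
        return True
    for entry in ports:
        pn = entry.get("portNumber")
        if pn and pn["protocol"] == protocol and pn["port"] == port:
            return True
    return False


def subject_matches(policy: dict, ns_labels: dict) -> bool:
    """The policy only applies to pods in namespaces selected by subject.namespaces.matchLabels."""
    selector = policy["spec"]["subject"].get("namespaces", {}).get("matchLabels", {})
    return all(ns_labels.get(k) == v for k, v in selector.items())


def evaluate_egress(policy: dict, ns_labels: dict, host: str, protocol: str, port: int) -> Optional[str]:
    """Return the first matching rule's action ('Allow'/'Deny'/'Pass'), or None if nothing matched."""
    if not subject_matches(policy, ns_labels):
        return None
    for rule in policy["spec"]["egress"]:
        peer_hit = any(
            domain_matches(name, host)
            for peer in rule["to"]
            for name in peer.get("domainNames", [])
        )
        if peer_hit and port_matches(rule.get("ports"), protocol, port):
            return rule["action"]
    return None


if __name__ == "__main__":
    monitoring = {"kubernetes.io/metadata.name": "monitoring"}
    for host, port in [("my-service.com", 443), ("api.cloud-provider.io", 443),
                       ("cloud-provider.io", 443), ("my-service.com", 80)]:
        print(f"{host}:{port} -> {evaluate_egress(POLICY, monitoring, host, 'TCP', port)}")
```

The point the sketch makes is the one the comment argues: the decision is keyed on the name the workload connects to, so a cloud service that changes its IPs behind a stable hostname keeps matching without the policy being rewritten. A real implementation still has to decide how it learns the name-to-address mapping (DNS snooping, resolver integration, or similar), which is where the CNI-specific work lies.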
**Tell us about your request**
Add native Kubernetes AdminNetworkPolicy API support to the VPC CNI plugin.

**Which service(s) is this request for?**
EKS

**Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?**
I'm looking for the default EKS networking plugin to implement the Kubernetes AdminNetworkPolicy API, so I can run secure, zero-trust multi-tenant clusters. The Kubernetes Network Policy v1 API does not meet my requirements, specifically user stories 1 and 2 from the upstream user stories.

**Are you currently working around this issue?**
Replacing the VPC CNI plugin with OVN Kubernetes.

**Additional context**
Several other CNI implementations plan to support the AdminNetworkPolicy API.