jayunit100 / network-policy-subproject

A starter repo to donate to Kubernetes-sigs so the community can own and iterate on stories over time, with issue tracking, as we close out the policy++ wg

clarify CIDR rules story... #10

Closed jayunit100 closed 4 years ago

jayunit100 commented 4 years ago
  @cmluciano
cmluciano 1 hour ago  Author  Collaborator
I do not understand what the desired outcome is.

If CIDR rules are present within the cluster and are in use, then I'm not sure what the desired change in this story would be.

How do we develop trust in newly added nodes or CIDRs if an outside controller is just adding whatever new information it sees from the API? This feels like a security hole if we're already using CIDRs within our cluster.
  @rikatz
rikatz 1 hour ago  Collaborator
This is related to https://docs.google.com/document/d/1AtWQy2fNa4qXRag9cCp5_HsefD7bxKe3ea2RPn8jnSs/edit#heading=h.ajvcztp6cza and my understanding here is maybe creating an object that groups a block of CIDRs and then referencing those CIDRs in the Network Policy (@jayunit100 is this the idea?).

I've been thinking about this approach; I think it makes more sense for the 'Ports' object, where I want to create a PortSet containing ports 80, 443 and 8443, call it HTTPPorts, and use this instead of a multi-port entry in a network policy.
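To make the idea in the two quoted replies concrete, here is an added illustration (not code from this repository or from Kubernetes) of what a controller would have to do to turn a reference to a named CIDR group or PortSet into the `ipBlock` and `ports` fields the existing `networking.k8s.io/v1` NetworkPolicy API understands. The `CIDRSet`/`PortSet` objects and the `cidrSetRef`/`portSetRef` keys are assumptions made up for the example; the sample objects and policy are constructed. The validation steps address the trust concern raised above: a set entry is only copied into a policy if it parses as a proper network (no host bits set) and, for `except` entries, actually lies inside the block it is attached to.

```python
"""Hypothetical expansion of named CIDR and port sets into NetworkPolicy fields.

Added example, not project code. Assumes made-up CIDRSet / PortSet kinds and
made-up cidrSetRef / portSetRef keys inside an ingress rule.
"""
import copy
import ipaddress

# Constructed sample objects for the hypothetical kinds (not a real k8s API).
CIDR_SETS = {
    "office-egress": {
        "cidrs": ["10.20.0.0/16", "192.0.2.0/24"],
        "except": ["10.20.5.0/24"],
    },
}
PORT_SETS = {
    "HTTPPorts": [80, 443, 8443],
}


def resolve_cidr_set(name, cidr_sets=CIDR_SETS):
    """Return the list of {'ipBlock': ...} peers for the named CIDRSet."""
    spec = cidr_sets.get(name)
    if spec is None:
        raise KeyError(f"unknown CIDRSet {name!r}")
    # strict=True rejects entries with host bits set (e.g. "10.20.1.5/16"),
    # so a sloppy or malformed entry is refused instead of copied into policy.
    excepts = [ipaddress.ip_network(e, strict=True) for e in spec.get("except", [])]
    blocks = []
    for cidr in spec["cidrs"]:
        net = ipaddress.ip_network(cidr, strict=True)
        # The NetworkPolicy API requires every ipBlock.except entry to fall
        # inside ipBlock.cidr, so attach only the exceptions this block covers.
        inside = [str(e) for e in excepts
                  if e.version == net.version and e.subnet_of(net)]
        block = {"cidr": str(net)}
        if inside:
            block["except"] = inside
        blocks.append({"ipBlock": block})
    return blocks


def resolve_port_set(name, protocol="TCP", port_sets=PORT_SETS):
    """Return the list of NetworkPolicyPort entries for the named PortSet."""
    ports = port_sets.get(name)
    if ports is None:
        raise KeyError(f"unknown PortSet {name!r}")
    resolved = []
    for p in ports:
        if not 1 <= int(p) <= 65535:
            raise ValueError(f"PortSet {name!r}: port {p} out of range")
        resolved.append({"protocol": protocol, "port": int(p)})
    return resolved


def expand_policy(policy):
    """Return a copy of policy with cidrSetRef / portSetRef entries in its
    ingress rules replaced by concrete ipBlock and port entries. The input
    object is left untouched."""
    expanded = copy.deepcopy(policy)
    for rule in expanded.get("spec", {}).get("ingress", []):
        peers = []
        for peer in rule.get("from", []):
            if "cidrSetRef" in peer:          # hypothetical key
                peers.extend(resolve_cidr_set(peer["cidrSetRef"]))
            else:
                peers.append(peer)            # podSelector etc. pass through
        if peers:
            rule["from"] = peers
        ports = []
        for port in rule.get("ports", []):
            if "portSetRef" in port:          # hypothetical key
                ports.extend(resolve_port_set(port["portSetRef"],
                                              port.get("protocol", "TCP")))
            else:
                ports.append(port)
        if ports:
            rule["ports"] = ports
    return expanded


# Constructed sample policy that references both hypothetical sets.
SAMPLE_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-office-http", "namespace": "web"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "frontend"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"cidrSetRef": "office-egress"}],
            "ports": [{"portSetRef": "HTTPPorts"}],
        }],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(expand_policy(SAMPLE_POLICY), indent=2))
```

Because the expansion happens at reconciliation time, changing the members of `HTTPPorts` or `office-egress` would rewrite every policy that references them, which is exactly the behaviour the trust question in the thread is about: whoever can edit the set object effectively edits all of those policies.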
jayunit100 commented 4 years ago

/assign @cmluciano