k8snetworkplumbingwg / multi-networkpolicy-iptables

MultiNetworkPolicy iptable based implementation
Apache License 2.0

Enhancement: support wildcards in k8s.v1.cni.cncf.io/policy-for #41

Open fpoirotte opened 1 year ago

fpoirotte commented 1 year ago

Hi,

In my use case, I have a lot of NetworkAttachmentDefinition objects (named net1, net2, and so on). It is very tedious to list each object the policy applies to in the annotation. Instead, I would like to be able to write something like:

apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: default-deny
  namespace: mysubnet
  annotations:
    k8s.v1.cni.cncf.io/policy-for: net*
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

and have the policy apply to every NetworkAttachmentDefinition matching the given pattern.

In case this is too complex to implement, would it be possible to match NetworkAttachmentDefinition objects using labels instead of their name? (similar to what's done in NetworkPolicy to match namespaces using spec.ingress[].from[].namespaceSelector.matchLabels)
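The two matching modes requested above (a glob over the NetworkAttachmentDefinition name, and a label selector as an alternative), worked through as an added example. This is illustrative code written for this page, not code from multi-networkpolicy-iptables, and it assumes the existing annotation format of a comma-separated list of network names, each optionally prefixed with `namespace/`. The glob semantics (Go's `path.Match`, so `*` and `?` apply to the name only and never cross the namespace), the `NetAttachDef` stand-in type and the sample objects are all assumptions made here. One caveat it makes explicit: a pattern that matches no network is reported back to the caller, because a default-deny policy whose pattern silently selects nothing isolates nothing.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"sort"
	"strings"
)

// NetAttachDef is a hypothetical stand-in for the fields of a
// NetworkAttachmentDefinition that the matcher needs; it is not the
// project's own type.
type NetAttachDef struct {
	Namespace string
	Name      string
	Labels    map[string]string
}

// PolicyForEntry is one comma-separated item of the policy-for annotation.
// Namespace is empty when the item was not namespace-qualified, in which
// case the policy's own namespace is used at match time.
type PolicyForEntry struct {
	Namespace string
	Pattern   string // glob over the NAD name, e.g. "net*"
}

func (e PolicyForEntry) String() string {
	if e.Namespace == "" {
		return e.Pattern
	}
	return e.Namespace + "/" + e.Pattern
}

// ParsePolicyFor splits the annotation value into entries. Each item is
// "name-pattern" or "namespace/name-pattern"; surrounding whitespace is
// ignored and empty items are dropped. Malformed globs are rejected here
// rather than silently matching nothing later.
func ParsePolicyFor(value string) ([]PolicyForEntry, error) {
	var entries []PolicyForEntry
	for _, raw := range strings.Split(value, ",") {
		item := strings.TrimSpace(raw)
		if item == "" {
			continue
		}
		ns, pat := "", item
		if i := strings.IndexByte(item, '/'); i >= 0 {
			ns, pat = item[:i], item[i+1:]
		}
		if pat == "" || strings.Contains(pat, "/") {
			return nil, fmt.Errorf("policy-for item %q: malformed", item)
		}
		if _, err := path.Match(pat, ""); err != nil {
			return nil, fmt.Errorf("policy-for item %q: %w", item, err)
		}
		entries = append(entries, PolicyForEntry{Namespace: ns, Pattern: pat})
	}
	if len(entries) == 0 {
		return nil, errors.New("policy-for annotation selects nothing")
	}
	return entries, nil
}

// Matches reports whether the entry selects nad for a policy in policyNS.
// The namespace comparison is exact; only the name part is a glob.
func (e PolicyForEntry) Matches(policyNS string, nad NetAttachDef) bool {
	ns := e.Namespace
	if ns == "" {
		ns = policyNS
	}
	if ns != nad.Namespace {
		return false
	}
	ok, err := path.Match(e.Pattern, nad.Name)
	return err == nil && ok
}

// SelectByName returns the sorted "namespace/name" keys of every NAD the
// annotation selects, plus the entries that matched nothing so the caller
// can warn about them.
func SelectByName(policyNS, annotation string, nads []NetAttachDef) ([]string, []string, error) {
	entries, err := ParsePolicyFor(annotation)
	if err != nil {
		return nil, nil, err
	}
	var matched, unmatched []string
	seen := map[string]bool{}
	for _, e := range entries {
		hit := false
		for _, nad := range nads {
			if !e.Matches(policyNS, nad) {
				continue
			}
			hit = true
			if key := nad.Namespace + "/" + nad.Name; !seen[key] {
				seen[key] = true
				matched = append(matched, key)
			}
		}
		if !hit {
			unmatched = append(unmatched, e.String())
		}
	}
	sort.Strings(matched)
	return matched, unmatched, nil
}

// SelectByLabels is the label-based alternative from the issue: matchLabels
// semantics (every selector pair must be present on the NAD), restricted to
// the policy's own namespace. matchExpressions are out of scope here.
func SelectByLabels(policyNS string, selector map[string]string, nads []NetAttachDef) []string {
	var matched []string
	for _, nad := range nads {
		if nad.Namespace != policyNS {
			continue
		}
		ok := true
		for k, v := range selector {
			if got, present := nad.Labels[k]; !present || got != v {
				ok = false
				break
			}
		}
		if ok {
			matched = append(matched, nad.Namespace+"/"+nad.Name)
		}
	}
	sort.Strings(matched)
	return matched
}

// sampleNADs is constructed sample data, not taken from any real cluster.
func sampleNADs() []NetAttachDef {
	return []NetAttachDef{
		{Namespace: "mysubnet", Name: "net1", Labels: map[string]string{"tier": "backend"}},
		{Namespace: "mysubnet", Name: "net2", Labels: map[string]string{"tier": "backend"}},
		{Namespace: "mysubnet", Name: "net10", Labels: map[string]string{"tier": "frontend"}},
		{Namespace: "mysubnet", Name: "storage", Labels: map[string]string{"tier": "backend"}},
		{Namespace: "kube-system", Name: "net3"},
	}
}

func main() {
	nads := sampleNADs()
	for _, ann := range []string{"net*", "net?", "kube-system/net*, nosuch*", "net["} {
		m, u, err := SelectByName("mysubnet", ann, nads)
		fmt.Printf("policy-for=%q -> matched=%v unmatched=%v err=%v\n", ann, m, u, err)
	}
	fmt.Println("tier=backend ->", SelectByLabels("mysubnet", map[string]string{"tier": "backend"}, nads))
}
```

With the policy from the issue (namespace `mysubnet`, `policy-for: net*`) this selects net1, net2 and net10 but not kube-system/net3, since an unqualified pattern stays inside the policy's namespace; `net?` drops net10, and a pattern such as `nosuch*` comes back in the unmatched list so a controller can log it instead of installing a policy that covers nothing.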

s1061123 commented 1 year ago

Sorry for the late reply @fpoirotte. Thank you so much for the issue.

Hmm... That could be an idea. Currently MultiNetworkPolicy is still in development (as version 'v1beta1'), so it could be an idea for the next version. Let me think about it more.