Implementation of Kubernetes Network Policies:
There are two manifest in the current repository:
kubectl apply -f install.yamlkubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/v0.1.5/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/network-policy-api/v0.1.5/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yamland then install the daemonset enabling the features with the corresponding flags:
kubectl apply -f install-anp.yamlTo install kube-network-policies via Helm run:
helm install kube-network-policies -n kube-system charts/kube-network-policiesAdmin Network Policies and Baseline Admin Network Policies features are controlled by Values.adminNetworkPolicy and
they are enabled by default. Disable them if needed in values.yaml or use --set adminNetworkPolicy=false when running
helm install command.
NOTE: the corresponding CRDs must be installed first.
Prometheus metrics are exposed on the address defined by the flag
-metrics-bind-address string
The IP address and port for the metrics server to serve on (default ":9080")Current implemented metrics are:
Network policies are hard to implement efficiently and in large clusters this is translated to performance and scalability problems.
Most of the existing implementations use the same approach of processing the APIs and transforming them in the corresponding dataplane implementation: iptables, nftables, ebpf or ovs, ...
This project takes a different approach. It uses the NFQUEUE functionality implemented in netfilter to process the first packet of each connection (or udp flows) in userspace and emit a verdict. The advantage is that the dataplane implementation does not need to represent all the complex logic, allowing it to scale better. The disadvantage is that we need to pass each new connection packet through userspace. Subsequent packets are accepted via a "ct state established,related accept" rule.
For performance only the Pods selected by network policies will be queued to user space and thus absorb the first packet perf hit.
See TESTING
There are two github workflows that runs e2e tests aginst the Kubernetes/Kubernetes Network Policy tests and the Network Policy API Working Group conformance tests.
This project was created to fill the gap on testing coverage in the area of Network Policies. There are limited existing solutions, but those are specific to individual network providers that require to install additional functionality, adding complexity and debugging difficulty, and not allowing to iterate fast during the development of new features.
Ref: https://github.com/kubernetes/org/issues/4856
This is an Open Source project maintained by the community with a best-effort support model, contributions aligned with the current project scope, feedback and bugs reports are very welcome.
P0: Support Testing Kubernetes
Stakeholders: SIG Network, SIG Testing, SIG Scalability, SIG Release, Network Policy API Working Group Covered Work: e2e testing, scalability, performance and reliability
P0: Provide Early Feedback
Stakeholders: SIG Network, Network Policy API Working Group Covered: New features implemented under feature gates for fast iteraton
Implementing functionality that is not part of an official or proposed Kubernetes network policy API
Learn how to engage with the Kubernetes community on the community page.
You can reach the maintainers of this project at:
Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.