kubernetes-sigs / network-policy-api

This repo addresses further work involving Kubernetes network security beyond the initial NetworkPolicy resource
Apache License 2.0

[ENHANCEMENT] Use Cases for wanting Egress CIDR Peers as an external object #182

Open tssurya opened 7 months ago

tssurya commented 7 months ago

Is your enhancement request related to a problem? Please describe.

Use case by @joestringer

As a cluster administrator I want to ensure that pods can reach commonly-used databases under my control but outside Kubernetes. Many but not all applications in my environment rely on these databases. I want to delegate writing network policy for this traffic to namespace owners. Example: As a cluster administrator I define a CIDR group that defines a set of RDS instances that is used across multiple apps. The owners of namespaceA and namespaceB can then define policies that allow traffic to this group of RDS instances, and they reference the instances by CIDR group. As a cluster administrator I can migrate the database infrastructure and update the CIDR group independently of the namespace owners. The applications in namespaceC do not use this infrastructure, so the cluster administrator and the owners of namespaceC do not need to think about network policy for apps in namespaceC.

https://github.com/kubernetes-sigs/network-policy-api/pull/144#discussion_r1412642770

@networkop also mentions

Another use case could be a cluster controller that watches external resources (e.g. via cloud API or BGP) and updates the CIDR object with the changes. In this case, the controller only needs enough RBAC rules to update the CIDR object and would not need to touch the ANP itself.

Describe the solution you'd like

Have CIDR peers as an external object (in addition to the default inlined one https://github.com/kubernetes-sigs/network-policy-api/pull/144 is proposing?) Makes it more extendable.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

See https://github.com/kubernetes-sigs/network-policy-api/pull/144#discussion_r1412642770 for details
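The delegation model in the use case above (admin owns the CIDR group, namespace owners only reference it by name, and a migration touches only the group) as an added toy evaluator. This is example code, not part of the network-policy-api project or its schema; the object shapes, group name `rds-prod` and field `cidrGroupRef` are assumptions, and the sample data is constructed.

```python
"""Toy model of egress CIDR peers referenced as a named external object.

Not the network-policy-api schema: object shapes and field names are assumed
for illustration only. Sample groups, policies and addresses are constructed.
"""
import ipaddress

# Cluster-admin-owned CIDR groups (constructed; hypothetical object shape).
CIDR_GROUPS = {"rds-prod": ["10.20.0.0/24", "10.21.0.0/24"]}

# Namespace-owned egress allow rules that reference a group by name only.
# namespaceC has no rule, so it never sees the database CIDRs.
NAMESPACE_POLICIES = {
    "namespaceA": [{"cidrGroupRef": "rds-prod", "ports": [5432]}],
    "namespaceB": [{"cidrGroupRef": "rds-prod", "ports": [5432]}],
    "namespaceC": [],
}


def resolve_group(name, groups):
    """Expand a group reference to networks; a dangling ref resolves to
    nothing, so the rule fails closed instead of allowing everything."""
    return [ipaddress.ip_network(c) for c in groups.get(name, [])]


def egress_allowed(namespace, dst_ip, dst_port, policies, groups):
    """True if some rule of the namespace allows dst_ip:dst_port."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policies.get(namespace, []):
        if dst_port not in rule["ports"]:
            continue
        if any(ip in net for net in resolve_group(rule["cidrGroupRef"], groups)):
            return True
    return False  # default deny for traffic no rule covers


def migrate_group(name, new_cidrs, groups):
    """Admin-side migration: only the group object changes; namespace
    policies are untouched and pick up the new peers on next evaluation."""
    groups[name] = list(new_cidrs)
    return groups


if __name__ == "__main__":
    groups = dict(CIDR_GROUPS)
    print(egress_allowed("namespaceA", "10.20.0.7", 5432, NAMESPACE_POLICIES, groups))
    migrate_group("rds-prod", ["10.30.0.0/24"], groups)
    print(egress_allowed("namespaceA", "10.30.0.7", 5432, NAMESPACE_POLICIES, groups))
```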

tssurya commented 7 months ago

/assign @tssurya

tssurya commented 7 months ago

I think we are getting some solid use cases for this. I will open a new NPEP as discussed in previous net pol meeting to take this forward.

k8s-triage-robot commented 4 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 3 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

tssurya commented 3 months ago

/remove-lifecycle rotten
/remove-lifecycle stale

k8s-triage-robot commented 4 days ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale