kubernetes-sigs / network-policy-api

This repo addresses further work involving Kubernetes network security beyond the initial NetworkPolicy resource
Apache License 2.0

Network Policy API use cases #88

Closed Ingvord closed 1 day ago

Ingvord commented 1 year ago

Following up on the meeting on Apr 25th, here are some use cases that might be interesting for consideration when thinking about the NP API, egress controllers, etc.

Suppose we have a K8s cluster that hosts a bunch of applications. Suppose those applications provide a user interface to scientific instruments. Scientific instruments are essentially a bunch of hardware; for simplicity let's assume they are just network entry points, listening on TCP for some predefined commands. Applications in K8s and that hardware live in different networks.

What would be super useful is the ability, in a declarative way, to restrict applications to access only specific hardware. Say I have applications A1 and A2 and my hardware is X, Y, Z. I want A1 to be able to access X, Y and A2 -- Y, Z.

Communication is bidirectional, i.e. X may push updates to applications, while Y, Z can only be polled.

I recall we discussed this scenario within the scope of egress controller, but I may be mistaken.

Hope this whole story makes any sense at all.

tssurya commented 1 year ago

thanks @Ingvord for opening a new issue!

> What would be super useful is the ability, in a declarative way, to restrict applications to access only specific hardware. Say I have applications A1 and A2 and my hardware is X, Y, Z. I want A1 to be able to access X, Y and A2 -- Y, Z.

Yes, I think these do fall under the user stories that I am defining for egress control (northbound), see https://github.com/kubernetes-sigs/network-policy-api/pull/86/files -> the replies from hardware to pods will be guaranteed here if there are allows in place, since most plugins do stateful connections.

Now if we wanted to do the reverse, which is to restrict incoming traffic that originates at the hardware components outside the cluster towards applications, say X&Y can only talk to A1 and Y&Z can only talk to A2, that falls under the ingress use case (southbound), which we haven't designed yet.
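As an added illustration (not from the issue or the project), the A1 -> {X, Y}, A2 -> {Y, Z} allow-list above expressed with the core `networking.k8s.io/v1` NetworkPolicy rather than the AdminNetworkPolicy this repo is designing. Namespace `lab`, the `app` labels, the hardware addresses in 10.200.0.0/24 and the ports are all assumed placeholders; the split between the egress rules (replies covered by the plugin's connection tracking) and the explicit ingress allow for X's unsolicited pushes is the point tssurya makes above.

```yaml
# Constructed example, not the project's own code. A1 may initiate TCP
# connections to X and Y only; A2 to Y and Z only. Hardware IPs, namespace,
# labels and ports are placeholders. A cluster-DNS egress rule is omitted;
# add one if the pods resolve names.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: a1-to-x-y
  namespace: lab
spec:
  podSelector:
    matchLabels:
      app: a1
  policyTypes: ["Egress", "Ingress"]
  egress:
  # Connections opened by A1 towards X and Y. Replies from X/Y on these
  # connections need no ingress rule: the CNI plugin tracks the flow
  # statefully (northbound case, as described above).
  - to:
    - ipBlock: {cidr: 10.200.0.10/32}   # X (placeholder address)
    - ipBlock: {cidr: 10.200.0.11/32}   # Y (placeholder address)
    ports:
    - protocol: TCP
      port: 5000                         # instrument command port (placeholder)
  ingress:
  # X pushes updates on its own initiative: that is a NEW connection towards
  # A1, which conntrack does not cover, so it needs an explicit allow.
  - from:
    - ipBlock: {cidr: 10.200.0.10/32}   # only X may push; Y and Z cannot
    ports:
    - protocol: TCP
      port: 8080                         # A1's listener (placeholder)
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: a2-to-y-z
  namespace: lab
spec:
  podSelector:
    matchLabels:
      app: a2
  policyTypes: ["Egress"]                # Y and Z are only polled: no push, no ingress allow
  egress:
  - to:
    - ipBlock: {cidr: 10.200.0.11/32}   # Y (placeholder address)
    - ipBlock: {cidr: 10.200.0.12/32}   # Z (placeholder address)
    ports:
    - {protocol: TCP, port: 5000}
```

Because `a1-to-x-y` selects `Ingress`, every other inbound flow to A1 (for instance the users reaching its UI) is denied until a further ingress rule allows it, which is the usual trade-off of turning on ingress isolation for a pod.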

k8s-triage-robot commented 9 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

tssurya commented 9 months ago

/remove-lifecycle stale

tssurya commented 9 months ago

/assign @tssurya

k8s-triage-robot commented 6 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

astoycos commented 5 months ago

/remove-lifecycle rotten

k8s-triage-robot commented 2 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 1 day ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 1 day ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/network-policy-api/issues/88#issuecomment-2466836750):

> The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
> This bot triages issues according to the following rules:
> - After 90d of inactivity, `lifecycle/stale` is applied
> - After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
> - After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
> You can:
> - Reopen this issue with `/reopen`
> - Mark this issue as fresh with `/remove-lifecycle rotten`
> - Offer to help out with [Issue Triage][1]
>
> Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
> /close not-planned
>
> [1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.