Closed Ingvord closed 1 week ago
thanks @Ingvord for opening a new issue!
What would be super useful is the ability to restrict, in a declarative way, applications to access only specific hardware. Say I have applications A1 and A1 and my hardware is X, Y, Z. I want A1 to be able to access X, Y and A2 -- Y, Z.
Yes, I think these do fall under the user stories that I am defining for egress control (northbound), see https://github.com/kubernetes-sigs/network-policy-api/pull/86/files -> the replies from hardware to pods will be guaranteed here if there are allows in place, since most plugins do stateful connections.
Now if we wanted to do the reverse, which is to restrict incoming traffic that originates at the hardware components outside the cluster towards applications, say X&Y can only talk to A1 and Y&Z can only talk to A2, that falls under the ingress use case (southbound), which we haven't designed yet.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/assign @tssurya
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
/remove-lifecycle rotten
/lifecycle stale
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/reopen
/remove-lifecycle rotten
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
Following up on the meeting on Apr 25th, here are some use cases that might be interesting for consideration when thinking about the NP API, egress controllers, etc.
Suppose we have a K8s cluster that hosts a bunch of applications. Suppose those applications provide a user interface to scientific instruments. Scientific instruments are essentially a bunch of hardware; for simplicity let's assume they are just network entry points, listening on TCP for some predefined commands. Applications in K8s and that hardware live in different networks.
What would be super useful is the ability to restrict, in a declarative way, applications to access only specific hardware. Say I have applications A1 and A1 and my hardware is X, Y, Z. I want A1 to be able to access X, Y and A2 -- Y, Z.
Communication is bidirectional i.e. X may push updates to applications, while Y, Z can be only polled.
I recall we discussed this scenario within the scope of egress controller, but I may be mistaken.
Hope this whole story makes any sense at all.
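Added example, not part of the original issue and not the API being designed in the linked PR: the egress half of this use case (A1 to X and Y, A2 to Y and Z) written with the existing namespaced `networking.k8s.io/v1` NetworkPolicy and `ipBlock` peers. The namespace, pod labels, instrument addresses and TCP port are constructed assumptions.

```yaml
# Constructed values: X = 192.0.2.10, Y = 192.0.2.20, Z = 192.0.2.30,
# instruments listen on TCP 5025, apps carry the labels app=a1 / app=a2.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: a1-egress-to-x-y
  namespace: instruments          # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: a1                     # assumed label for application A1
  policyTypes:
    - Egress                      # selected pods may only send what is listed below
  egress:
    - to:
        - ipBlock:
            cidr: 192.0.2.10/32   # X
        - ipBlock:
            cidr: 192.0.2.20/32   # Y
      ports:
        - protocol: TCP
          port: 5025
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: a2-egress-to-y-z
  namespace: instruments
spec:
  podSelector:
    matchLabels:
      app: a2                     # assumed label for application A2
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 192.0.2.20/32   # Y
        - ipBlock:
            cidr: 192.0.2.30/32   # Z
      ports:
        - protocol: TCP
          port: 5025
# Note: DNS and any other egress from these pods is also dropped unless
# another rule or policy in the namespace allows it.
```

These policies cover only connections the applications open; traffic that X initiates towards A1 is the ingress (southbound) case discussed in the reply above.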