NPEP: Iron out Egress Support API Design

Signed-off-by: Surya Seetharaman <[email protected]>

npep/npep-126-egress-traffic-control.md

@@ -1,7 +1,7 @@
 # NPEP-126: Add northbound traffic support in (B)ANP API
 
 * Issue: [#126](https://github.com/kubernetes-sigs/network-policy-api/issues/126)
-* Status: Provisional
+* Status: Implementable
 
 ## TLDR
 
@@ -76,8 +76,91 @@ selected cluster workloads to k8s-apiservers for securing the server.
 
 ## API
 
-(... details, can point to PR with changes)
-
+Proof of Concept for the API design details can be found here: https://github.com/kubernetes-sigs/network-policy-api/pull/143
+
+### Implementing egress traffic control towards cluster nodes
+
+This NPEP proposes to add a new type of `AdminNetworkPolicyPeer` called `Nodes`
+to be able to explicitly select nodes (based on the node's labels) in the cluster.
+
+TODO: Come up with an API Validation to ensure this cannot be set for ingress rules
+
+```
+// AdminNetworkPolicyPeer defines an in-cluster peer to allow traffic to/from.
+// Exactly one of the selector pointers must be set for a given peer. If a
+// consumer observes none of its fields are set, they must assume an unknown
+// option has been specified and fail closed.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type AdminNetworkPolicyPeer struct {
+    <snipped>
+	// Nodes defines a way to select a set of nodes in
+	// in the cluster. This field follows standard label selector
+	// semantics; if present but empty, it selects all Nodes.
+	// +optional
+	Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
+}
+```
+
+Example:
+
+<blah>
+
+### Implementing egress traffic control towards external destinations
+
+This NPEP proposes to add a new type of `AdminNetworkPolicyPeer` called `ExternalNetworks`
+to be able to explicitly select external destinations (based on the externalNetworkSet's
+labels) in the cluster.
+
+TODO: Come up with an API Validation to ensure this cannot be set for ingress rules
+
+```
+// AdminNetworkPolicyPeer defines an in-cluster peer to allow traffic to/from.
+// Exactly one of the selector pointers must be set for a given peer. If a
+// consumer observes none of its fields are set, they must assume an unknown
+// option has been specified and fail closed.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type AdminNetworkPolicyPeer struct {
+    <snipped>
+	// ExternalNetworks defines a way to select ExternalNetworkSets
+	// that consist of network CIDRs that live outside the cluster as a peer.
+	// This field follows standard label selector semantics; if present
+	// but empty, it selects all ExternalNetworkSets defined in the cluster.
+	// +optional
+	ExternalNetworks *metav1.LabelSelector `json:"externalNetworks,omitempty"`
+}
+```
+
+An `externalNetworkSet` is a new object used to define a set of networks outside
+the cluster.
+
+```
+// ExternalNetworkSet is a cluster level resource that is used to define
+// a set of networks outsides the cluster which can be referred to from
+// the AdminNetworkPolicy && BaselineAdminNetworkPolicy APIs as an external peer
+type ExternalNetworkSet struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+
+	// Specification of the desired behavior of ExternalNetworkSet.
+	Spec ExternalNetworkSetSpec `json:"spec"`
+}
+
+// ExternalNetworkSetSpec defines the desired state of ExternalNetworkSet.
+type ExternalNetworkSetSpec struct {
+	// Networks is the list of NetworkCIDR (both v4 & v6) that can be used to define
+	// external destinations.
+	// A total of 100 CIDRs will be allowed in each NetworkSet instance.
+	// ANP & BANP APIs may use the .spec.in(e)gress.from(to).externalNetworks selector
+	// to select a set of external networks
+	// +optional
+	// +kubebuilder:validation:MaxItems=100
+	Networks []string `json:"networks,omitempty" validate:"omitempty,dive,cidr"`
+}
+```
+
+Example:
 
 ## Alternatives