diff --git a/npep/npep-126-egress-traffic-control.md b/npep/npep-126-egress-traffic-control.md index 530df79b..b675150b 100644 --- a/npep/npep-126-egress-traffic-control.md +++ b/npep/npep-126-egress-traffic-control.md @@ -1,7 +1,7 @@ # NPEP-126: Add northbound traffic support in (B)ANP API * Issue: [#126](https://github.com/kubernetes-sigs/network-policy-api/issues/126) -* Status: Provisional +* Status: Implementable ## TLDR 
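Review bot: Moving the status from Provisional to Implementable in this hunk is premature given the rest of the same patch: the API section still carries two "TODO: Come up with an API Validation to ensure this cannot be set for ingress rules" items and two "Example:" headings with no content under them. Either resolve those before flipping the status, or keep `* Status: Provisional` and track the open validation and example work in the issue so a reader of the NPEP does not take an unvalidated peer type as implementable.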
@@ -76,8 +76,91 @@ selected cluster workloads to k8s-apiservers for securing the server. ## API -(... details, can point to PR with changes) - +Proof of Concept for the API design details can be found here: https://github.com/kubernetes-sigs/network-policy-api/pull/143 + +### Implementing egress traffic control towards cluster nodes + +This NPEP proposes to add a new type of `AdminNetworkPolicyPeer` called `Nodes` +to be able to explicitly select nodes (based on the node's labels) in the cluster. + +TODO: Come up with an API Validation to ensure this cannot be set for ingress rules + +``` +// AdminNetworkPolicyPeer defines an in-cluster peer to allow traffic to/from. +// Exactly one of the selector pointers must be set for a given peer. If a +// consumer observes none of its fields are set, they must assume an unknown +// option has been specified and fail closed. +// +kubebuilder:validation:MaxProperties=1 +// +kubebuilder:validation:MinProperties=1 +type AdminNetworkPolicyPeer struct { + + // Nodes defines a way to select a set of nodes in + // in the cluster. This field follows standard label selector + // semantics; if present but empty, it selects all Nodes. + // +optional + Nodes *metav1.LabelSelector `json:"nodes,omitempty"` +} +``` + +Example: + + + +### Implementing egress traffic control towards external destinations + +This NPEP proposes to add a new type of `AdminNetworkPolicyPeer` called `ExternalNetworks` +to be able to explicitly select external destinations (based on the externalNetworkSet's +labels) in the cluster. + +TODO: Come up with an API Validation to ensure this cannot be set for ingress rules + +``` +// AdminNetworkPolicyPeer defines an in-cluster peer to allow traffic to/from. +// Exactly one of the selector pointers must be set for a given peer. If a +// consumer observes none of its fields are set, they must assume an unknown +// option has been specified and fail closed. 
+// +kubebuilder:validation:MaxProperties=1 +// +kubebuilder:validation:MinProperties=1 +type AdminNetworkPolicyPeer struct { + + // ExternalNetworks defines a way to select ExternalNetworkSets + // that consist of network CIDRs that live outside the cluster as a peer. + // This field follows standard label selector semantics; if present + // but empty, it selects all ExternalNetworkSets defined in the cluster. + // +optional + ExternalNetworks *metav1.LabelSelector `json:"externalNetworks,omitempty"` +} +``` + +An `externalNetworkSet` is a new object used to define a set of networks outside +the cluster. + +``` +// ExternalNetworkSet is a cluster level resource that is used to define +// a set of networks outsides the cluster which can be referred to from +// the AdminNetworkPolicy && BaselineAdminNetworkPolicy APIs as an external peer +type ExternalNetworkSet struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata"` + + // Specification of the desired behavior of ExternalNetworkSet. + Spec ExternalNetworkSetSpec `json:"spec"` +} + +// ExternalNetworkSetSpec defines the desired state of ExternalNetworkSet. +type ExternalNetworkSetSpec struct { + // Networks is the list of NetworkCIDR (both v4 & v6) that can be used to define + // external destinations. + // A total of 100 CIDRs will be allowed in each NetworkSet instance. + // ANP & BANP APIs may use the .spec.in(e)gress.from(to).externalNetworks selector + // to select a set of external networks + // +optional + // +kubebuilder:validation:MaxItems=100 + Networks []string `json:"networks,omitempty" validate:"omitempty,dive,cidr"` +} +``` + +Example: ## Alternatives
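Review bot: The CIDR validation on `Networks []string` in `ExternalNetworkSetSpec` will not be enforced by the API server: `validate:"omitempty,dive,cidr"` is a go-playground/validator struct tag, not a kubebuilder or CEL marker, so only `MaxItems=100` reaches the generated CRD schema and a malformed or overly broad entry is accepted at admission and left for each implementation to handle. Replace it with a schema-level check (a `+kubebuilder:validation:Pattern` on the items or a CEL rule) so that bad input is rejected once, consistently, and the "fail closed" contract stated in the `AdminNetworkPolicyPeer` comment is not undermined by an unchecked field. Two smaller points in the same hunk: the comment "AdminNetworkPolicyPeer defines an in-cluster peer" is now wrong for the `ExternalNetworks` selector, which by definition selects CIDRs outside the cluster, and the two separate `AdminNetworkPolicyPeer` struct listings (one with `Nodes`, one with `ExternalNetworks`) should be merged into a single definition so the `MaxProperties=1` / `MinProperties=1` markers visibly cover both new fields alongside the existing ones; also "outsides the cluster" should read "outside the cluster".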