- 
                Notifications
    You must be signed in to change notification settings 
- Fork 39
Update ports to protocols #326
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Conversation
| ✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!
 To edit notification comments on pull requests, go to your Netlify project configuration. | 
| // +kubebuilder:default=TCP | ||
| Protocol corev1.Protocol `json:"protocol,omitempty"` | ||
|  | ||
| // Specific port to match against. | ||
| // | ||
| // +optional | ||
| Port *ClusterNetworkPolicyPort `json:"port,omitempty"` | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is Protocol defaulted if Port is nil? I'm confused on how this will work since Port is optional
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See CEL validation : TCP => need to set port.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm assuming the order will be default and then validate, but have to check.
| nice! instead of is there any special reason for it? I think we wanted to have new embedded fields for non-port-based protocols, like  | 
| I was looking at some of the other Kubernetes APIs -- and this nesting seems to be more natural, as we are using the string prefix as a grouping instead of nesting, which is more explicit. From a future-proofing perspective and validation perspective, it feels like nesting might be the right choice: Here is what each variant would look like, it doesn't look that bad? I'm happy to change it to the other one -- maybe let's quickly discuss this in the meeting to see what others think. | 
| The goal from the KubeCon notes was "Make TCP and UDP easy to write and easy to read. Make ICMP and named ports possible." So protocols:
  - port: 80is nice because it's very easy for the user. But as we also said in the KubeCon notes, it "[makes] the structs more complicated to make the YAML nicer", and it will make it really hard to understand the  I feel like people use ports too much in NetworkPolicies anyway, so I don't really object to making them more annoying to use. 🙂 | 
| // to TCP. | ||
| // | ||
| // +kubebuilder:default=TCP | ||
| Protocol corev1.Protocol `json:"protocol,omitempty"` | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm... this preserves the existing "bug" where you can specify
protocols:
  - protocol: TCP
    port:
      name: foo
where the "TCP" is either redundant or incorrect. Named ports should not have an explicitly-specified protocol.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think (!(has(self.Port) && has(self.Port.Name)) || self.Protocol == '') would cover this case?
There is a slight problem in that we can only generate this validation for experimental fields.
| I can live with either or It's nice that the latter doesn't have several fields with same prefix, which would be a bit of a smell. But, it has the downside that it takes three lines of YAML to specify a single port instead of two. | 
| 
 
 | 
| 
 Did we decide that in the end, I know it's the case for NetPol but ISTR that we wanted explicit for A/CNP | 
| the notes from kubecon say 
 which I guess addresses my comment above about named ports too... (but the validation and defaulting in this patch need to be updated if that's what we're going with) | 
| Sounds like people are mostly ok with either choice, in which case, my recommendation is to go with the one proposed here and then people can play around with it to figure out if there is a significant drawback we haven't thought of? | 
545253d    to
    25b0733      
    Compare
  
    | [APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: bowei The full list of commands accepted by this bot can be found here. 
Needs approval from an approver in each of these files:
 Approvers can indicate their approval by writing  | 
25b0733    to
    10bc1ba      
    Compare
  
    This change implements the update to the API: kubernetes-sigs/network-policy-api#326
| // +kubebuilder:validation:MinItems=1 | ||
| // +kubebuilder:validation:MaxItems=25 | ||
| Ports *[]ClusterNetworkPolicyPort `json:"ports,omitempty"` | ||
| // +kubebuilder:validation:MaxItems=100 | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
revert maxItems back t0 25?
| // +kubebuilder:validation:MaxItems=25 | ||
| Ports *[]ClusterNetworkPolicyPort `json:"ports,omitempty"` | ||
| // +kubebuilder:validation:MaxItems=100 | ||
| Protocols *[]ClusterNetworkPolicyProtocol `json:"protocols,omitempty"` | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we want to get rid of the pointer to slice at the same time?
Makes the `ports` clause a more generic `protocols` block to allow for
future expansion.
Example
```yaml
apiVersion: policy.networking.k8s.io/v1alpha2
kind: ClusterNetworkPolicy
metadata:
  name: pub-svc-delegate-example
spec:
  tier: Admin
  priority: 20
  subject:
    namespaces: {}
  egress:
  - action: Pass
    to:
    - pods:
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: bar-ns-1
        podSelector:
          matchLabels:
            app: svc-pub
    protocols:            #<
    - protocol: TCP       #<
      port:               #<
        number: 8080      #<
```
Another example:
```
protocols:
- protocol: TCP
  port:
    range:
      start: 1000
      end: 2000
- protocol: UDP
  port:
    number: 53
```
Ref: kubernetes-sigs#187
    This allows a user to run the github workflow manually without github
10bc1ba    to
    2cd7824      
    Compare
  
    | @bowei: The following test failed, say  
 Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. | 
Makes the
portsclause a more genericprotocolsblock to allow for future expansion.Example
Another example:
Ref: #187