CNP: update docs to use CNP instead of ANP and BANP #333
Conversation
✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/L
site-src/api-overview.md
Outdated
| main drawbacks to this API was that it was designed exclusively for use by the | ||
| Application Developer, although in reality it is used by many different cluster | ||
| personas, sometimes creating a complex web of objects to be maintained. In | ||
| Contrast, each resource in the Network Policy API is designed to be used by a |
There was a problem hiding this comment.
[minor] don't capitalize Contrast.
site-src/api-overview.md
Outdated
| The `Baseline` tier will allow administrators to set baseline security rules that | ||
| describe default connectivity for cluster workloads, which CAN be overridden by | ||
| developer NetworkPolicies if needed. | ||
| The major use case BANPs solve is the ability to flip the [default security stance of the |
There was a problem hiding this comment.
BANPs don't exist.
Suggest "The major use case for Baseline tier is to set a default security stance..."
site-src/api-overview.md
Outdated
| cluster](user-stories.md#story-5-cluster-wide-default-guardrails). | ||
|
|
||
| ### AdminNetworkPolicy Actions | ||
| ### ClusterNetworkPolicy Actions |
There was a problem hiding this comment.
Suggest just leave this as ### Actions
There was a problem hiding this comment.
I edited all headers to remote the CNP from it, it probably was only important when we had ANP vs BANP
| traffic, AdminNetworkPolicies will enable administrators to set `Pass`, | ||
| `Deny` or `Allow` as the action of each rule. AdminNetworkPolicy rules should | ||
| traffic, ClusterNetworkPolicy will enable administrators to set `Pass`, | ||
| `Deny` or `Accept` as the action of each rule. ClusterNetworkPolicy rules should |
There was a problem hiding this comment.
[minor] the sentence "ClusterNetworkPolicy rules should be read as-is..." is confusing for me, but we don't have to fix this for this PR.
site-src/api-overview.md
Outdated
| AdminNetworkPolicy `Pass` rules allow an admin to delegate security posture for | ||
| ClusterNetworkPolicy `Pass` rules in the `Admin` tier allow an admin to delegate security posture for | ||
| certain traffic to the Namespace owners by overriding any lower precedence Allow | ||
| or Deny rules. For example, intra-tenant traffic management can be delegated to tenant |
There was a problem hiding this comment.
I think tenant should be replaced with "namespace"
site-src/api-overview.md
Outdated
| any well defined NetworkPolicies, and if not terminated ultimately be evaluated against any | ||
| BaselineAdminNetworkPolicies. | ||
| by a `Pass` rule will skip any further `Admin` tier rule selection, be evaluated against | ||
| any well-defined NetworkPolicies, and if not terminated ultimately be evaluated against any |
There was a problem hiding this comment.
Suggest:
"Traffic selected by a Pass rule will skip any lower precedence Admin tier rules and proceed to be evaluated by NetworkPolicy and Baseline tier policies i.e. NetworkPolicy will apply or if there is no NP match, Baseline policies will be evaluated.
site-src/api-overview.md
Outdated
| Integer priority values were added to the ClusterNetworkPolicy API to allow Cluster | ||
| Admins to express direct and intentional ordering between various CNP Objects. | ||
| The `Priority` field in the CNP spec is defined as an integer value | ||
| within the range 0 to 1000 where rules with lower priority values have |
There was a problem hiding this comment.
I would leave the actual number range out of the doc to make it easier to maintain if the range changes.
|
#328 there is another blog post from @frozenprocess ? Ah I see comment on that one already: #328 (comment) |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: npinaeva The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
I am not sure what you mean, I did write a new blog post |
Add a blog post with short description of changes, some migration examples and future plans. Signed-off-by: Nadia Pinaeva <[email protected]>
4 participants
Add a blog post with short description of changes, some migration examples and future plans.
I have also added a new version of the CNP model made in drawio, and the source file should be import-able to make future changes, but lmk if you have better ideas to store images
Fixes a part of #312