Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFC] Network policies #3611

Closed
wants to merge 4 commits into from
Closed

[RFC] Network policies #3611

wants to merge 4 commits into from

Conversation

aojea
Copy link
Contributor

@aojea aojea commented May 14, 2024
edited
Loading

Add support for network policies in KIND

/hold

Fixes: #842

  1. Build kind
make
go build -v -o "/usr/local/google/home/aojea/src/kind/bin/kind" -trimpath -ldflags="-buildid= -w -X=sigs.k8s.io/kind/pkg/cmd/kind/version.gitCommit=d3c7631e37eed1714a7a1ea923a7393842a384d3 -X=sigs.k8s.io/kind/pkg/cmd/kind/version.gitCommitCount=6"
  1. Create node image
bin/kind build node-image ~/src/kubernetes/
Starting to build Kubernetes
+++ [0514 11:25:11] Verifying Prerequisites....
+++ [0514 11:25:11] Building Docker image kube-build:build-300e2a667e-5-v1.31.0-go1.22.3-bullseye.0
+++ [0514 11:26:57] Creating data container kube-build-data-300e2a667e-5-v1.31.0-go1.22.3-bullseye.0
+++ [0514 11:27:02] Syncing sources to container
+++ [0514 11:27:21] Running build command...
+++ [0514 11:27:28] Building go targets for linux/amd64
    k8s.io/kubernetes/cmd/kube-apiserver (static)
    k8s.io/kubernetes/cmd/kube-controller-manager (static)
    k8s.io/kubernetes/cmd/kube-proxy (static)
    k8s.io/kubernetes/cmd/kube-scheduler (static)
    k8s.io/kubernetes/cmd/kubeadm (static)
    k8s.io/kubernetes/cmd/kubectl (static)
    k8s.io/kubernetes/cmd/kubelet (non-static)
+++ [0514 11:28:37] Syncing out of container
+++ [0514 11:28:45] Building images: linux-amd64
+++ [0514 11:28:45] Starting docker build for image: kube-apiserver-amd64
+++ [0514 11:28:45] Starting docker build for image: kube-controller-manager-amd64
+++ [0514 11:28:45] Starting docker build for image: kube-scheduler-amd64
+++ [0514 11:28:45] Starting docker build for image: kube-proxy-amd64
+++ [0514 11:28:45] Starting docker build for image: kubectl-amd64
+++ [0514 11:28:51] Deleting docker image registry.k8s.io/kubectl-amd64:v1.31.0-alpha.0.740_caafc211407c66-dirty
+++ [0514 11:28:51] Deleting docker image registry.k8s.io/kube-scheduler-amd64:v1.31.0-alpha.0.740_caafc211407c66-dirty
+++ [0514 11:28:51] Deleting docker image registry.k8s.io/kube-proxy-amd64:v1.31.0-alpha.0.740_caafc211407c66-dirty
+++ [0514 11:28:52] Deleting docker image registry.k8s.io/kube-controller-manager-amd64:v1.31.0-alpha.0.740_caafc211407c66-dirty
+++ [0514 11:28:53] Deleting docker image registry.k8s.io/kube-apiserver-amd64:v1.31.0-alpha.0.740_caafc211407c66-dirty
+++ [0514 11:28:53] Docker builds done
Finished building Kubernetes
Building node image ...
Building in container: kind-build-1715686140-869641220
Image "kindest/node:latest" build completed.
  1. Create cluster
bin/kind create cluster --config kind-config.yaml --name netpol --image kindest/node:latest
Creating cluster "netpol" ...
 ✓ Ensuring node image (kindest/node:latest) 🖼
 ✓ Preparing nodes 📦  
 ✓ Writing configuration 📜 
 ✓ Starting control-plane 🕹️ 
 ✓ Installing CNI 🔌 
 ✓ Installing Network Policies 🔒 
 ✓ Installing StorageClass 💾 
Set kubectl context to "kind-netpol"
You can now use your cluster with:

kubectl cluster-info --context kind-netpol

Have a nice day! 👋
  1. Check network policies pods are running
 kubectl -n kube-system get pods | grep network-policies
kube-network-policies-lvmvz                    1/1     Running   0          3m7s

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 14, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels May 14, 2024
@aojea
Copy link
Contributor Author

aojea commented May 14, 2024

/assign @BenTheElder

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 14, 2024
This was referenced May 14, 2024
Closed
Merged
neolit123
neolit123 reviewed May 16, 2024
View reviewed changes
pkg/build/nodeimage/const_network_policy.go
Comment on lines +113 to +115
privileged: true
capabilities:
add: ["NET_ADMIN"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

doesn't privileged=true make the NET_ADMIN cap redundant, i think it should be privileged=false and only the required caps should be added.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i guess this is from the original repo manifest;
https://github.com/kubernetes-sigs/kube-network-policies/blob/main/install.yaml#L85-L88

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, I think I started to get granularity and gave up :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think, it's fine to leave it privileged and remove the NET_ADMIN cap. maybe leave a TODO comment if someone wishes to experiment with caps and limit the access scope.

pkg/cluster/internal/create/actions/installnetworkpolicies/networkpolicies.go
@@ -0,0 +1,75 @@
/*
Copyright 2019 The Kubernetes Authors.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Copyright 2019 The Kubernetes Authors.
Copyright 2024 The Kubernetes Authors.

pkg/cluster/internal/create/actions/installnetworkpolicies/networkpolicies.go
Comment on lines +47 to +52
// get the target node for this task
controlPlanes, err := nodeutils.ControlPlaneNodes(allNodes)
if err != nil {
return err
}
node := controlPlanes[0] // kind expects at least one always
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// get the target node for this task
controlPlanes, err := nodeutils.ControlPlaneNodes(allNodes)
if err != nil {
return err
}
node := controlPlanes[0] // kind expects at least one always
// get the target node for this task
node, err := nodeutils.BootstrapControlPlaneNode(allNodes)
if err != nil {
return err
}

pkg/apis/config/v1alpha4/types.go
@@ -186,6 +186,8 @@ type Networking struct {
// If DisableDefaultCNI is true, kind will not install the default CNI setup.
// Instead the user should install their own CNI after creating the cluster.
DisableDefaultCNI bool `yaml:"disableDefaultCNI,omitempty" json:"disableDefaultCNI,omitempty"`
// If NetworkPolicies is true, kind will install the default Network Policy setup.
NetworkPolicies bool `yaml:"networkPolicies,omitempty" json:"networkPolicies,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given this is a bool i would put a verb in front of it, same as DisasbleDefaultCNI above.
e.g. InstallNetworkPolicies

@aojea
Copy link
Contributor Author

aojea commented May 16, 2024

@neolit123 the alternative is to ship it with kindnet #3612 and no API required

@neolit123
Copy link
Member

@neolit123 the alternative is to ship it with kindnet #3612 and no API required

i think making it not part of kindnet seems better to me.
2c

@BenTheElder
Copy link
Member

Making it part of kindnetd would make it easier for projects that are swapping out kindnet to exclude it, and for projects that aren't swapping out kindet ... I'm not sure why it would be a problem to include it in kindnet?

I think that's the simpler approach, and consistent with e.g. ip masquerade just being built in to kindnet.

In the future we may also look into if we can ship it in a single image / container by importing the controller or something like that (to share resources & patching better).

@aojea aojea closed this Jun 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neolit123 neolit123 neolit123 left review comments

Assignees

@BenTheElder BenTheElder

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

NetworkPolicy support
4 participants
@aojea @k8s-ci-robot @neolit123 @BenTheElder