-
Notifications
You must be signed in to change notification settings - Fork 373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add documentation for ClusterNetworkPolicy #724
Conversation
Thanks for your PR. The following commands are available:
These commands can only be run by members of the vmware-tanzu organization. |
/skip-all |
|
||
- ClusterNetworkPolicy is of cluster scope, hence a `podSelector` without any | ||
`namespaceSelector` selects Pods from all Namespaces. | ||
- There is no automatic isolation of Pods on being selected in appliedTo. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if I understand it correctly, this means if I want to allow only 80 to a Pod, I should first create a Drop rule in low priority, then create a Allow-80 rule in high priority?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes.. the rules are as is.. and they will make more sense when we follow up with a ConfigOpt for default antrea cluster policy.. which could be drop policy for cluster
/cc @jianjuns for any follow up comments during my leave
/skip-all |
Thanks for your PR. The following commands are available:
These commands can only be run by members of the vmware-tanzu organization. |
/skip-all |
1 similar comment
/skip-all |
/skip-whole-conformance |
@lzhecheng any idea why if i skip-all, jenkins-conformance and jenkins-networkpolicy tests are not skipped.. but it does skip the other two ? |
@abhiraut did it work? I saw history builds to skip jobs for this PR in Jenkins. |
yeah.. it took a while.. eventually it did work.. thanks for looking! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some comments
I may have missed it but I didn't see the relative precedence of k8s NetworkPolicies with respect to Antrea ClusterNetworkPolicies being called out in the document?
docs/network-policy.md
Outdated
|
||
ClusterNetworkPolicy is a specification of how workloads within a cluster | ||
communicate with each other and other external endpoints. | ||
The ClusterNetworkPolicy is supposed to aid cluster-admins to determine |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ClusterNetworkPolicy is supposed to aid cluster-admins to determine | |
The ClusterNetworkPolicy is supposed to aid cluster admins to configure | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
docs/network-policy.md
Outdated
communicate with each other and other external endpoints. | ||
The ClusterNetworkPolicy is supposed to aid cluster-admins to determine | ||
the security policy for the cluster, unlike K8s NetworkPolicy, which is | ||
aimed towards developers to secure their apps. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe also mention that they only apply to Pods in a specific namespace
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
docs/network-policy.md
Outdated
single port, from one of the two sources, first specified by the `podSelector` | ||
and second, specified by the combination of `podSelector` and | ||
`namespaceSelector`. | ||
**Note**: The order in which the ingress rules are set matter. i.e. rules will be |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/. i.e./, i.e.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
good point.. added a note now |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/skip-all |
Add a general overview of the ClusterNetworkPolicy feature and its usage along with the key differences between CNP and K8s NP.
Provide a general overview of ClusterNetworkPolicy CRDs and list key differences between CNP and K8s NP.