
Add documentation for ClusterNetworkPolicy #724

Merged (8 commits) on Jul 2, 2020

Conversation

abhiraut
Contributor

@abhiraut abhiraut commented May 20, 2020

Provide a general overview of ClusterNetworkPolicy CRDs and list key differences between CNP and K8s NP.

@antrea-bot
Collaborator

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

  • /test-e2e: to trigger e2e tests.
  • /skip-e2e: to skip e2e tests.
  • /test-conformance: to trigger conformance tests.
  • /skip-conformance: to skip conformance tests.
  • /test-networkpolicy: to trigger networkpolicy tests.
  • /skip-networkpolicy: to skip networkpolicy tests.
  • /test-all: to trigger all tests.
  • /skip-all: to skip all tests.

These commands can only be run by members of the vmware-tanzu organization.

@abhiraut
Contributor Author

/skip-all


- ClusterNetworkPolicy is of cluster scope, hence a `podSelector` without any
`namespaceSelector` selects Pods from all Namespaces.
- There is no automatic isolation of Pods on being selected in appliedTo.
Member

Not sure if I understand it correctly, this means if I want to allow only 80 to a Pod, I should first create a Drop rule in low priority, then create an Allow-80 rule in high priority?

Contributor Author

yes.. the rules are as is.. and they will make more sense when we follow up with a ConfigOpt for default antrea cluster policy.. which could be drop policy for cluster
/cc @jianjuns for any follow up comments during my leave
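The pattern the reviewer asks about and the author confirms, written out as an added example (not code from the PR or from the Antrea docs): two ClusterNetworkPolicy objects applied to the same Pods, a Drop rule in a lower-precedence policy and an Allow rule for TCP/80 in a higher-precedence one. Policy names and the `app: web` label are hypothetical, and the apiVersion is the CRD group Antrea served when this PR merged; check it against the CRD installed in your cluster.

```yaml
# Added example, not part of the PR. Because a ClusterNetworkPolicy does not
# isolate the Pods it applies to, "allow only port 80" needs an explicit Drop
# that a higher-precedence Allow rule is evaluated ahead of. Antrea treats a
# LOWER priority number as HIGHER precedence, so the Allow policy gets
# priority 5 and the Drop policy priority 10.
apiVersion: security.antrea.tanzu.vmware.com/v1alpha1   # group at the time of this PR
kind: ClusterNetworkPolicy
metadata:
  name: web-allow-80             # hypothetical name
spec:
  priority: 5                    # evaluated before web-default-drop
  appliedTo:
    - podSelector:               # cluster scope: no namespaceSelector, so this
        matchLabels:             # selects app=web Pods in ALL Namespaces
          app: web
  ingress:
    - action: Allow
      from:
        - podSelector: {}        # any Pod in any Namespace ...
      ports:
        - protocol: TCP
          port: 80               # ... but only to TCP/80
---
apiVersion: security.antrea.tanzu.vmware.com/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: web-default-drop         # hypothetical name
spec:
  priority: 10                   # evaluated after web-allow-80
  appliedTo:
    - podSelector:
        matchLabels:
          app: web
  ingress:
    - action: Drop
      from:
        - podSelector: {}        # every Pod source the Allow rule did not match;
                                 # add an ipBlock entry to also cover non-Pod sources
```

Without the second policy, a Pod selected only by `web-allow-80` still accepts traffic on every other port, which is the "no automatic isolation" behaviour the quoted doc lines describe.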

@abhiraut
Contributor Author

/skip-all

@abhiraut abhiraut requested review from tnqn and Dyanngg June 23, 2020 21:55
@antrea-bot
Collaborator

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

  • /test-e2e: to trigger e2e tests.
  • /skip-e2e: to skip e2e tests.
  • /test-conformance: to trigger conformance tests.
  • /skip-conformance: to skip conformance tests.
  • /test-whole-conformance: to trigger all conformance tests on linux.
  • /skip-whole-conformance: to skip all conformance tests on linux.
  • /test-networkpolicy: to trigger networkpolicy tests.
  • /skip-networkpolicy: to skip networkpolicy tests.
  • /test-windows-conformance: to trigger windows conformance tests.
  • /skip-windows-conformance: to skip windows conformance tests.
  • /test-all: to trigger all tests (except whole conformance).
  • /skip-all: to skip all tests (except whole conformance).

These commands can only be run by members of the vmware-tanzu organization.

@abhiraut
Contributor Author

/skip-all

@abhiraut
Contributor Author

/skip-whole-conformance

@abhiraut
Contributor Author

abhiraut commented Jul 1, 2020

@lzhecheng any idea why, if I skip-all, jenkins-conformance and jenkins-networkpolicy tests are not skipped.. but it does skip the other two?

Dyanngg
Dyanngg previously approved these changes Jul 1, 2020
@lzhecheng
Contributor

@abhiraut did it work? I saw history builds to skip jobs for this PR in Jenkins.

@abhiraut
Contributor Author

abhiraut commented Jul 1, 2020

@abhiraut did it work? I saw history builds to skip jobs for this PR in Jenkins.

yeah.. it took a while.. eventually it did work.. thanks for looking!

Contributor

@antoninbas antoninbas left a comment

some comments

I may have missed it but I didn't see the relative precedence of k8s NetworkPolicies with respect to Antrea ClusterNetworkPolicies being called out in the document?


ClusterNetworkPolicy is a specification of how workloads within a cluster
communicate with each other and other external endpoints.
The ClusterNetworkPolicy is supposed to aid cluster-admins to determine
Contributor

Suggested change
The ClusterNetworkPolicy is supposed to aid cluster-admins to determine
The ClusterNetworkPolicy is supposed to aid cluster admins to configure

Contributor Author

done

communicate with each other and other external endpoints.
The ClusterNetworkPolicy is supposed to aid cluster-admins to determine
the security policy for the cluster, unlike K8s NetworkPolicy, which is
aimed towards developers to secure their apps.
Contributor

maybe also mention that they only apply to Pods in a specific namespace

Contributor Author

done

single port, from one of the two sources, first specified by the `podSelector`
and second, specified by the combination of `podSelector` and
`namespaceSelector`.
**Note**: The order in which the ingress rules are set matter. i.e. rules will be
Contributor

s/. i.e./, i.e.

Contributor Author

done

@abhiraut
Contributor Author

abhiraut commented Jul 2, 2020

some comments

I may have missed it but I didn't see the relative precedence of k8s NetworkPolicies with respect to Antrea ClusterNetworkPolicies being called out in the document?

good point.. added a note now

@abhiraut abhiraut requested review from antoninbas and Dyanngg July 2, 2020 00:15
Dyanngg
Dyanngg previously approved these changes Jul 2, 2020
Contributor

@antoninbas antoninbas left a comment

LGTM

antoninbas
antoninbas previously approved these changes Jul 2, 2020
@abhiraut
Contributor Author

abhiraut commented Jul 2, 2020

/skip-all

@abhiraut abhiraut merged commit 9ef6c93 into antrea-io:master Jul 2, 2020
@abhiraut abhiraut deleted the devref-cnp branch July 2, 2020 17:50
GraysonWu pushed a commit to GraysonWu/antrea that referenced this pull request Sep 22, 2020
Add a general overview of the ClusterNetworkPolicy feature and its usage along with the key differences between CNP
and K8s NP.
7 participants