You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: Standards/scs-XXXX-v1-kaas-networking.md
+46-9Lines changed: 46 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -26,31 +26,68 @@ Users may expect certain optional functionality, so we should define a baseline
26
26
27
27
## Design Considerations
28
28
29
-
- Avoid mandating features specific to certain CNI plugins (like CiliumClusterwideNetworkPolicy)
29
+
The Kubernetes API is arbitrary extensible.
30
+
Many CNI plugins will define custom resources to enable functionality that is not covered in the official API specification [^spec].
31
+
We should avoid mandating third party API extensions, such as Cilium's `CiliumClusterwideNetworkPolicy`, to keep the standard as generic as possible and avoid dependencies on specific implementations.
32
+
We should also be explicit about the required versions of the APIs.
30
33
31
34
### Options considered
32
35
33
36
#### NetworkPolicy API
34
37
35
-
- Should be a requirement
36
-
- We need to be specific about which API version to require and reference the upstream definition
37
-
- Only recommend recent additions like AdminNetworkPolicy
38
+
Kubernetes network policies allow the restrict network traffic within a cluster based on labels and namespaces.
39
+
They must be implemented by the CNI plugin of the cluster and are technically optional, though they are few CNI plugins that do not support them.
40
+
41
+
Network policies are an important security feature that allows a separation of components and namespaces on a network level.
42
+
43
+
- already defacto standard, will be expected by many users, so we should make it explicit
44
+
45
+
#### AdminNetworkPolicy API
46
+
47
+
Basic network policies are always bound to a namespace, and only affect connections to and from pods within this namespace.
48
+
Restricting certain traffic within the whole cluster requires a policy to be replicated across all namespaces.
49
+
There are operators, such as Kyverno, that can handle this replication automatically and will also create policies for newly created namespaces.
50
+
51
+
Some CNI plugins have implemented their own extensions for cluster-wide networking rules, such as Calico's `GlobalNetworkPolicy` and Cilium's `CiliumClusterwideNetworkPolicy`.
52
+
The Kubernetes Network Policy Special Interest Group is currently working on an official API extension to cover this functionality.
53
+
54
+
- AdminNetworkPolicy replaces CNI-specific APIs
55
+
- we can not mandate this until it is stable
56
+
- could be required in a future version of this standard
57
+
- we can recomend CNIs that are already working on support
58
+
59
+
#### Default Network Policies in Cluster
60
+
61
+
- providing defaults is possible even without AdminNetworkPolicy by either operator or CNI-specifics
62
+
- what are useful defaults?
63
+
- is there actually a demand for CSP-set defaults?
38
64
39
65
#### Ingress API
40
66
41
-
- Some CNI plugins (specifically Cilium) have builtin support for the Ingress and Gateway API
42
-
- Those can also be provided by separate ingress controllers (like ingress-nginx)
67
+
The Ingress API allows the external exposure of HTTP(S)-based services running in the cluster.
68
+
Unlike the L3/L4-based LoadBalancer Service type, Ingress provides L7 load balancing, HTTP routing, and TLS termination for services.
69
+
This functionality can be provided within the cluster by a pod-based ingress controller such as `ingress-nginx`, that is itself exposed as a Service.
70
+
71
+
However, there are also Ingress controllers that integrate with the underlying infrastructure and may reduce some overhead.
72
+
Examples for this are the Cilium CNI plugin, which comes with bhuilt-in Ingress support, and the Octavia ingress controller, which might be a good choice if OpenStack Octavia is already used to provide Service load balancing.
73
+
43
74
- Ingress controllers seem to be regularly requested by managed k8s users
44
-
- some users may prefer to deploy their own ingress controllers
75
+
- managed ingress controller may have better integration in infrastructure
76
+
- some users may prefer to deploy their own ingress controllers, e.g. if they have additional requirements such as the gateway API
77
+
- CSPs could offer option to set up ingress controller
45
78
46
79
### Open questions
47
80
48
81
RECOMMENDED
49
82
50
83
## Standard
51
84
52
-
CSPs MUST provide a network plugin that supports the basic NetworkPolicy API
53
-
CSPs SHOULD provide a network plugin that implements the AdminNetworkPolicy and BaselineAdminNetworkPolicy resources.
85
+
CSPs MUST provide a network plugin that supports the basic NetworkPolicy API.
86
+
CSPs SHOULD provide a network plugin that implements, or is working on implementing, the AdminNetworkPolicy and BaselineAdminNetworkPolicy resources.
87
+
88
+
- add upstream API references and versions
89
+
- CSPs should offer option for managed ingress controller
90
+
- CSPs may provide default network policies through either an operator or global network policy extensions.
0 commit comments