Commit 9f5142a

abhiraut, Dyanngg, skmatti, astoycos, srampal authored
Add support for cluster-scoped AdminNetworkPolicy resource (kubernetes#2522)
* Add support for ClusterNetworkPolicy resources

  Initial skeleton commit

* Add more content to proposal and move API to design section
* Add more details
* Add precedence and Namespaces examples
* Add the following sections:
  - Notes
  - Future work
  - Alternate proposals
  - Test plan
  - Graduation Criteria

  Update kep milestones to at least wait for 2 K8s versions between stages. In addition to the above, fix some minor nits across the doc.

* Add detail about future work and alternative approaches
* Add sample specs for user stories
* Move except field to ClusterNetworkPolicy ingress/egress rule
* Add diagrams and links
* Address minor nits
* Complete missing sections

  In addition to completing the KEP, fix some nits and errors.

* Fix nits and table of contents
* Add note regarding IPBlock
* Fix toc
* Minor cleanup
* Address comments
* Remove except field in CNP rules and add a new "authorize" action

  Based on the discussion on except being confusing and we need explicit action which 'pokes holes' in deny rules. Naming feedback is welcomed.

* Add some clarifications
* Add RBAC section
* Address comments
  - Update Namespaces struct
  - Add more inline comments for types
  - Update KEP milestones
  - Update graduation requirements
  - Update API group name
  - Update DNP user story
  - Add focus on inter-namespace deny rather than intra-namespace allow
* Add namespaceSelector back into the peer for compatibility
* Replace authorize action with empower
* Address comments
* Update sample examples to reflect latest changes
* Update user story name

  Story 4 renamed to "Zero-trust default security posture for tenants".

  Signed-off-by: abhiraut <[email protected]>

* Remove IPBlock and related user stories
  - Mark cluster external traffic use cases as no-op for this KEP.
  - Add key differences between Cluster scoped policies and K8s NetworkPolicies section.

  Signed-off-by: abhiraut <[email protected]>

* Update User Stories

  Remove out of scope stories:
  - Ensure traffic goes through ingress/egress gateways
  - Restrict egress to well known destinations

  Add images to most of the remaining user stories
  Some small rewordings

  Signed-off-by: astoycos <[email protected]>

* Update Index and guardrails user story

  Add default rule image
  Update the index to align with the new user stories and also update the guardrails user story to be more readable.

  Signed-off-by: astoycos <[email protected]>

* Update core proposal to Priority based

  Changes include the following:
  - Numeric priority based proposal
  - Updated design and API section
  - Include rule identifiers
  - Update alternative proposal section
  - Update KEP timelines
  - Update KEP authors

  Signed-off-by: abhiraut <[email protected]>

* Updated TOC

  Signed-off-by: abhiraut <[email protected]>

* Updates: changes in goals/non-goals, added changes for multiple applied-tos, selector types, priority ranges, selector types, some initial sample yaml changes for now. Will add remaining pending agreement on syntax for multiple applied-tos and selector types
* Update priority scheme and workloadSelector struct
* Address some of Dan's comments on Dec 16
* CNP Updates

  Fix User Story Diagrams and Sample yamls
  Update the user story diagrams, add descriptions, and ensure the sample yamls match the diagrams

  ClusterNetworkPolicy -> AdminNetworkPolicy
  Rename files and occurrences of the object name in the kep and associated materials.

  Respond further to Dan W's and Tim H's comments
  - Decide on priority levels + conflicting priorities
  - Remove special "baseline" keyword and replace with using priority 0 as baseline
  - Remove the Workload Selector from the API
  - Many other small nits

  Add Casey, Tim, and Dan as reviewers

  Signed-off-by: astoycos <[email protected]>

* Add PRR yaml

  Signed-off-by: astoycos <[email protected]>

* 1-25-22-review-feedback
  - Emphasize the non-focus on N/S traffic for now
  - Remove multiple AppliedTo's
  - Refactor `NamespaceSet`
  - Change AppliedTo to Subjects
  - Redesign L4(Ports) selection
  - Add some more e2e test cases
  - Fix Nits

  Signed-off-by: astoycos <[email protected]>

* Addressing final review comments
* Fix PRR questionnaire, address small review changes

  Finish responding to some review comments. Update the PRR questionnaire to reflect the current version, and fix/add some things there as well

  Signed-off-by: astoycos <[email protected]>

* More fixups

  Add some unresolved sections, finish up PRR

  Signed-off-by: astoycos <[email protected]>

Co-authored-by: Yang Ding <[email protected]>
Co-authored-by: Satish Matti <[email protected]>
Co-authored-by: astoycos <[email protected]>
Co-authored-by: Sanjeev Rampal <[email protected]>
1 parent 3f4ece6 commit 9f5142a

8 files changed: +1519 -0 lines changed
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
kep-number: 2091
2+
alpha:
3+
approver: "@johnbelamaric"
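Review bot: the rendered hunk does not show indentation, so confirm in the raw file that `approver: "@johnbelamaric"` is nested under the `alpha:` key rather than a sibling of it; a flat `alpha:` with no value followed by a top-level `approver` would parse as `alpha: null` and the PRR tooling would find no approver for the stage. Also, only the alpha stage is listed here while kep.yaml in this same commit targets beta in v1.25 and stable in v1.27; those entries will need to be added before each promotion.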

keps/sig-network/2091-admin-network-policy/README.md

Lines changed: 1473 additions & 0 deletions
Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
title: Add support for AdminNetworkPolicy resources
2+
kep-number: 2091
3+
authors:
4+
- "@abhiraut"
5+
- "@Dyanngg"
6+
- "@skmatti"
7+
- "@astoycos"
8+
- "@srampal"
9+
- "@vbannai"
10+
- "@gjsj"
11+
owning-sig: sig-network
12+
status: provisional
13+
creation-date: 2021-02-18
14+
reviewers:
15+
- "@thockin"
16+
- "@caseydavenport"
17+
- "@danwinship"
18+
approvers:
19+
- "@thockin"
20+
prr-approvers:
21+
- "@johnbelamaric"
22+
23+
# The target maturity stage in the current dev cycle for this KEP.
24+
stage: alpha
25+
26+
# The most recent milestone for which work toward delivery of this KEP has been
27+
# done. This can be the current (upcoming) milestone, if it is being actively
28+
# worked on.
29+
latest-milestone: "v1.24"
30+
31+
# The milestone at which this feature was, or is targeted to be, at each stage.
32+
milestone:
33+
alpha: "v1.24"
34+
beta: "v1.25"
35+
stable: "v1.27"
36+
37+
# The following PRR answers are required at alpha release
38+
# List the feature gate name and the components for which it must be enabled
39+
feature-gates:
40+
- name: AdminNetworkPolicy
41+
components:
42+
- kube-apiserver
43+
disable-supported: true
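Review bot: the milestone block (`alpha: "v1.24"`, `beta: "v1.25"`, `stable: "v1.27"`) leaves only one release between alpha and beta, while the commit message says the milestones were updated to wait at least two K8s versions between stages; either bump `beta` to `"v1.26"` or correct the message. Separately, `status: provisional` does not match a KEP that declares `stage: alpha`, `latest-milestone: "v1.24"` and a PRR approver; the status should move to `implementable` once the PRR is accepted and before any alpha code lands.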

0 commit comments
