Skip to content

Cluster Network Policy #199

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 27, 2025
Merged

Cluster Network Policy #199

merged 1 commit into from
Aug 27, 2025
+974 −10

Conversation

aojea
Copy link
Contributor

@aojea aojea commented Aug 15, 2025

Implementation of the new v1alpha2 api for ClusterNetworkPolicy

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 15, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 15, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 15, 2025
aojea
aojea commented Aug 15, 2025
View reviewed changes
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 15, 2025
aojea
aojea commented Aug 15, 2025
View reviewed changes
@aojea
Copy link
Contributor Author

aojea commented Aug 15, 2025

/assign @danwinship @npinaeva @bowei

I just vibe coded this in 30 mins to unblock the progress on the feature and conformance, so I sstill need to review the code too, but with the new architecture is pretty easy also to add unit tests

npinaeva
npinaeva reviewed Aug 15, 2025
View reviewed changes
aojea
aojea commented Aug 15, 2025
View reviewed changes
@aojea
Copy link
Contributor Author

aojea commented Aug 16, 2025

@npinaeva this does not work as it is because the controller only matches on the pods that matches a network policy, you can force that by setting admin network policy the boolean to true on the controller config

@aojea
Copy link
Contributor Author

aojea commented Aug 16, 2025

@npinaeva this does not work as it is because the controller only matches on the pods that matches a network policy, you can force that by setting admin network policy the boolean to true on the controller config

fixed in last commit and image. uploaded to aojea/kube-network-policies:cnp

@aojea aojea mentioned this pull request Aug 16, 2025
Merged
@aojea aojea force-pushed the cnp branch 4 times, most recently from 661b9e5 to 3f2d10e Compare August 16, 2025 23:38
@aojea
Copy link
Contributor Author

aojea commented Aug 17, 2025

pushed latest and most sure definitive version for the project structure, right now you checkout the PR and build the image with

make image-build-npa-v1alpha2
Building npa-v1alpha2 binary...
go build -o ./bin/kube-network-policies-npa-v1alpha2 ./cmd/npa-v1alpha2
docker buildx build . \
        --build-arg TARGET_BUILD=npa-v1alpha2 \
        --tag="gcr.io/k8s-staging-networking/kube-network-policies:v20250817-v0.4.0-215-g07a3817-npa-v1alpha2" \
        --load

no more flags for the same binary, now we have one binary per feature and as soon as they graduate they belong to the main binary, this is less risky and easier to iterate

@npinaeva
Copy link
Member

tested latest version with kubernetes-sigs/network-policy-api#307 locally and it seems to work!

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 18, 2025
@npinaeva npinaeva mentioned this pull request Aug 19, 2025
Merged
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 26, 2025
aojea
aojea commented Aug 26, 2025
View reviewed changes
@aojea aojea changed the title [WIP] Cluster Network Policy Cluster Network Policy Aug 27, 2025
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 27, 2025
npinaeva
npinaeva reviewed Aug 27, 2025
View reviewed changes
Copy link
Member

@npinaeva npinaeva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this code looks surprisingly good :D

cmd/npa-v1alpha2/main.go Outdated
@@ -0,0 +1,217 @@
package main
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't this file be under cmd/kube-network-policies/npa-v1alpha2?

plugins/npa-v1alpha2/clusternetworkpolicy.go
}
}
for _, domain := range to.DomainNames {
if c.domainResolver != nil && c.domainResolver.ContainsIP(string(domain), dstIP) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think domainResolver is only nil for unit tests, but should we log something anyway in this case?

@npinaeva
Copy link
Member

tested again, still works!

@aojea
Copy link
Contributor Author

aojea commented Aug 27, 2025

/hold

wait for merging the conformance tests so we also add the ci jobs for the new apis

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 27, 2025
@aojea
ClusterNetworkPolicy
9bb5910 
Network Policy API v1alpha2
@aojea
Copy link
Contributor Author

aojea commented Aug 27, 2025

/hold cancel

I let nadia decide when she wants to merge and how :)

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 27, 2025
@npinaeva
Copy link
Member

let's get this in, then update the CI when the new conformance is merged
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 27, 2025
@k8s-ci-robot k8s-ci-robot merged commit fa24992 into kubernetes-sigs:main Aug 27, 2025
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danwinship danwinship Awaiting requested review from danwinship

@thockin thockin Awaiting requested review from thockin

1 more reviewer

@npinaeva npinaeva npinaeva left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@danwinship danwinship

@bowei bowei

@npinaeva npinaeva

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@aojea @k8s-ci-robot @npinaeva @danwinship @bowei