|
1 | 1 | # NPEP-122: Tenancy API |
2 | 2 |
|
3 | 3 | * Issue: [#122](https://github.com/kubernetes-sigs/network-policy-api/issues/122) |
4 | | -* Status: Provisional |
| 4 | +* Status: Implementable |
5 | 5 |
|
6 | 6 | ## TLDR |
7 | 7 |
|
@@ -158,7 +158,147 @@ Fourth, the ANP subject allows using pod selectors, while tenancy use cases only |
158 | 158 |
|
159 | 159 | ## API |
160 | 160 |
|
161 | | -TBD |
| 161 | +### Tenant definition |
| 162 | + |
| 163 | +We define Tenant as a set of namespaces. |
| 164 | +All Namespaces affected by Tenancy will be split into Tenants based on their label(s), we call these labels `tenancyLabels`. |
| 165 | +A Tenant is identified by values of `tenancyLabels`, which are shared by all namespaces in the Tenant. |
| 166 | + |
| 167 | +There are 2 ways to select which namespaces should be affected by Tenancy: |
| 168 | + |
| 169 | +1. Separate from `tenancyLabels`. We have a separate label selector to define which namespaces should be affected by Tenancy. |
| 170 | +Then selected namespaces are split into Tenants. |
| 171 | + |
| 172 | + **Cons**: selected namespace may not have some of the `tenancyLabels`, which will likely result in introducing "None" value |
| 173 | + for `tenancyLabels`. To only select namespaces with existing labels extra `key: X, operator: Exists` condition should |
| 174 | + be added to the selector. |
| 175 | + |
| 176 | +2. Joined with `tenancyLabels`. We select all namespace that all `tenancyLabels` present. |
| 177 | + |
| 178 | + **Cons**: applying all labels from `tenancyLabels` to a namespaces automatically makes it affected by tenancy. |
| 179 | + No way to make sure ALL namespaces in a cluster are a part of some tenant, e.g. newly created namespace will not |
| 180 | + be limited/protected by Tenancy rules until it gets `tenancyLabels` assigned, may potentially be a security problem. |
| 181 | + |
| 182 | + Example: by setting deny-from-other-tenants I want to ensure only namespaces with the same label `security-zone` value |
| 183 | + can send incoming connections. That policy will be violated if a new tenant is created without `security-zone` label, |
| 184 | + meaning it is not a part of any Tenant. This may potentially be solved by using allow-from-same-tenant + deny ALL |
| 185 | + ANP, but it is stricter, since it affects all incoming connections, not just from other pods. |
| 186 | + |
| 187 | +### Peers and actions |
| 188 | + |
| 189 | +Based on the existing User Stories, Tenancy only needs Allow and Deny actions, and the only 2 types of peers are |
| 190 | +`SameTenant` and `NotSameTenant`. |
| 191 | + |
| 192 | +Therefore, Tenancy rules will look something like: |
| 193 | + |
| 194 | +```yaml |
| 195 | +kind: NetworkTenancy |
| 196 | +spec: |
| 197 | + tenancyLabels: ['label1'] |
| 198 | + ingress: |
| 199 | + - actions: Deny |
| 200 | + from: NotSameTenant |
| 201 | + - actions: Allow |
| 202 | + from: SameTenant |
| 203 | + egress: |
| 204 | + - actions: Deny |
| 205 | + to: NotSameTenant |
| 206 | +``` |
| 207 | +
|
| 208 | +### Priorities |
| 209 | +
|
| 210 | +Based on User Story 4.4, we need to have Tenancy in the same priority range as ANP and BANP. There are multiple ways to do so: |
| 211 | +
|
| 212 | +1. Reuse ANP and BANP to define priority, link Tenancy API |
| 213 | +
|
| 214 | +```yaml |
| 215 | +kind: AdminNetworkPolicy |
| 216 | +spec: |
| 217 | + priority: 10 |
| 218 | + # EITHER |
| 219 | + subject: <...> |
| 220 | + ingress: <...> |
| 221 | + egress: <...> |
| 222 | + # OR |
| 223 | + tenant: <tenant reference> |
| 224 | +``` |
| 225 | +
|
| 226 | +```yaml |
| 227 | +kind: BaselineAdminNetworkPolicy |
| 228 | +spec: |
| 229 | + # EITHER |
| 230 | + subject: <...> |
| 231 | + ingress: <...> |
| 232 | + egress: <...> |
| 233 | + # OR |
| 234 | + tenant: <tenant reference> |
| 235 | +``` |
| 236 | +
|
| 237 | +We may want to allow either `subject`+`ingress`/`egress` or `tenant`, since having both at the same priority |
| 238 | +is confusing (`tenancyLabels` and `subject` may select unrelated sets of pods) and may result in conflicting rules. |
| 239 | + |
| 240 | +2. Create 2 objects with ANP and BANP priorities (let's say Tenancy and BaselineTenancy) |
| 241 | + |
| 242 | +```yaml |
| 243 | +kind: NetworkTenancy |
| 244 | +spec: |
| 245 | + priority: 10 |
| 246 | + ingress: |
| 247 | + - actions: Deny |
| 248 | + from: NotSameTenant |
| 249 | + - actions: Allow |
| 250 | + from: SameTenant |
| 251 | + egress: |
| 252 | + - actions: Deny |
| 253 | + to: NotSameTenant |
| 254 | +``` |
| 255 | + |
| 256 | +```yaml |
| 257 | +kind: BaselineNetworkTenancy |
| 258 | +spec: |
| 259 | + ingress: |
| 260 | + - actions: Deny |
| 261 | + from: NotSameTenant |
| 262 | + - actions: Allow |
| 263 | + from: SameTenant |
| 264 | + egress: |
| 265 | + - actions: Deny |
| 266 | + to: NotSameTenant |
| 267 | +``` |
| 268 | + |
| 269 | +While multiple ANPs with the same priority are allowed, we probably can allow multiple Tenancies or Tenancy and ANP |
| 270 | +with the same priority, but if we decide to only allow ANP per priority, Tenancy needs to be accounted for in the same range. |
| 271 | + |
| 272 | +3. Create 1 object with extra `baselinePolicy` field or IntOrString value for priority. |
| 273 | + |
| 274 | +```yaml |
| 275 | +kind: NetworkTenancy |
| 276 | +spec: |
| 277 | + baselinePolicy: false |
| 278 | + priority: 10 |
| 279 | + ingress: |
| 280 | + - actions: Deny |
| 281 | + from: NotSameTenant |
| 282 | + - actions: Allow |
| 283 | + from: SameTenant |
| 284 | + egress: |
| 285 | + - actions: Deny |
| 286 | + to: NotSameTenant |
| 287 | +``` |
| 288 | + |
| 289 | +```yaml |
| 290 | +kind: NetworkTenancy |
| 291 | +spec: |
| 292 | + priority: baseline |
| 293 | + ingress: |
| 294 | + - actions: Deny |
| 295 | + from: NotSameTenant |
| 296 | + - actions: Allow |
| 297 | + from: SameTenant |
| 298 | + egress: |
| 299 | + - actions: Deny |
| 300 | + to: NotSameTenant |
| 301 | +``` |
162 | 302 |
|
163 | 303 | ## Conformance Details |
164 | 304 |
|
|
0 commit comments