|
| 1 | +# NPEP-173: NPEP template |
| 2 | + |
| 3 | +* Issue: [#173](https://github.com/kubernetes-sigs/network-policy-api/issues/173) |
| 4 | +* Status: Provisional |
| 5 | + |
| 6 | +## TLDR |
| 7 | + |
| 8 | +Ability to express subjects and peers in (Baseline)AdminNetworkPolicy API |
| 9 | +using [Kubernetes service accounts](https://kubernetes.io/docs/concepts/security/service-accounts/). |
| 10 | + |
| 11 | +## Goals |
| 12 | + |
| 13 | +* Implement service account as a way to select pods in the policy's subject |
| 14 | +* Implement service account as a way to select pods in the policy's peers |
| 15 | + |
| 16 | +## Non-Goals |
| 17 | + |
| 18 | +* There might be other identity management constructs like SPIFFE IDs which are outside the scope of this enhancement. We can only provide a way to select constructs known to core Kubernetes. |
| 19 | + |
| 20 | +## Introduction |
| 21 | + |
| 22 | +Every pod in Kubernetes will have an associated service account. If user does not explicitly provide a service account, a default service account is created in the namespace. A given pod will always have 1 service account associated with itself. So instead of using pod labels as a way of selecting pods sometimes there might be use cases to use service accounts as a way of selecting the pods. This NPEP tries to capture the design details for service accounts as selectors for policies. |
| 23 | + |
| 24 | +## User-Stories/Use-Cases |
| 25 | + |
| 26 | +1. **As a** cluster admin **I want** to select pods using their service accounts instead of labels **so that** I can avoid having to setup webhooks and validation admission policies to prevent users from changing labels on their namespaces and pods that will make my policy start/stop matching the traffic which is undesired |
| 27 | +2. **As a** cluster admin **I want** to select pods using their service accounts instead of labels **so that** I can avoid the scale impact caused due to mutation of pod/namespace labels that will cause a churn which makes my CNI implementation react to that every time user changes a label. |
| 28 | +3. **As a** cluster admin **I want** to select pods using their service accounts instead of labels **since** I want to have eventual consistency of that policy in the cluster. I don't have a use case for dynamic selection of workloads and want to use service accounts instead of labels for that very same reason |
| 29 | + |
| 30 | +## API |
| 31 | + |
| 32 | +(... details, can point to PR with changes) |
| 33 | + |
| 34 | +## Conformance Details |
| 35 | + |
| 36 | +(This section describes the names to be used for the feature or |
| 37 | +features in conformance tests and profiles. |
| 38 | + |
| 39 | +These should be `CamelCase` names that specify the feature as |
| 40 | +precisely as possible, and are particularly important for |
| 41 | +Extended features, since they may be surfaced to users.) |
| 42 | + |
| 43 | +## Alternatives |
| 44 | + |
| 45 | +(List other design alternatives and why we did not go in that |
| 46 | +direction) |
| 47 | + |
| 48 | +## References |
| 49 | + |
| 50 | +(Add any additional document links. Again, we should try to avoid |
| 51 | +too much content not in version control to avoid broken links) |
0 commit comments