|
| 1 | +# NPEP-95: NPEP template |
| 2 | + |
| 3 | +* Issue: [#230](https://github.com/kubernetes-sigs/network-policy-api/issues/230) |
| 4 | +* Status: Provisional |
| 5 | + |
| 6 | +## TLDR |
| 7 | + |
| 8 | +Add dry-run mode for (B)ANP to allow "disabling" policies without deleting them. |
| 9 | +This should allow implementations add extra audit/monitoring/logging capabilities on top of this feature. |
| 10 | + |
| 11 | +## Goals |
| 12 | + |
| 13 | +A dry-run mode should not affect any connections, and allow the networking plugin to provide feedback |
| 14 | +(e.g. via logging or observability tools) to see which connections will be dropped/allowed once this (B)ANP is enforced. |
| 15 | + |
| 16 | +## Non-Goals |
| 17 | + |
| 18 | +Define exact logging/observability formats for network plugins. |
| 19 | + |
| 20 | +## Introduction |
| 21 | + |
| 22 | +Users may want to ensure no unexpected connections will be denied by a new (B)ANP. |
| 23 | +A dry-run mode should not affect any connections, and allow the networking plugin to provide feedback |
| 24 | +(e.g. via logging or observability tools) to see which connections will be dropped/allowed once this (B)ANP is enforced. |
| 25 | + |
| 26 | +## User-Stories/Use-Cases |
| 27 | + |
| 28 | +As a cluster admin, I am designing new ANPs for my cluster and want to make sure applying them won't |
| 29 | +have any unexpected effects. To do so, I want to apply ANPs in a dry-run mode and get feedback from the network |
| 30 | +plugin on which connections would be dropped/allowed. |
| 31 | + |
| 32 | +As a cluster admin, I want to get feedback from the network plugin for currently allowed/denied connections |
| 33 | +with (B)ANP. |
| 34 | +This one needs more discussion as it is already do-able with extra labels/annotations, because adding |
| 35 | +logging/audit/observability while enforcing (B)ANP is a side effect and doesn't break (B)ANP semantics. |
| 36 | +But since we are considering adding a new flag, it may be useful to add this option with vague description, like |
| 37 | +"Enables logging/audit/observability as defined by the networking plugin. May also have no effect is the plugin doesn't support it." |
| 38 | + |
| 39 | +## API |
| 40 | + |
| 41 | +(... details, can point to PR with changes) |
| 42 | + |
| 43 | +## Conformance Details |
| 44 | + |
| 45 | +(This section describes the names to be used for the feature or |
| 46 | +features in conformance tests and profiles. |
| 47 | + |
| 48 | +These should be `CamelCase` names that specify the feature as |
| 49 | +precisely as possible, and are particularly important for |
| 50 | +Extended features, since they may be surfaced to users.) |
| 51 | + |
| 52 | +## Alternatives |
| 53 | + |
| 54 | +- Use Policy Assistant https://github.com/kubernetes-sigs/network-policy-api/issues/221, may have some limitations. Needs additional discussion. |
| 55 | +- Leave it to be implementation-specific. This required a copy of ANP CRD that changes behaviour (doesn't really apply) with dry-run flag. |
| 56 | + |
| 57 | +## References |
| 58 | + |
| 59 | +Similar features: |
| 60 | +- calico: https://docs.tigera.io/calico-cloud/network-policy/staged-network-policies |
| 61 | +- cilium Issue: https://github.com/cilium/cilium/issues/9580 |
| 62 | + |
0 commit comments