|
| 1 | +# NPEP-126: Add northbound traffic support in (B)ANP API |
| 2 | + |
| 3 | +* Issue: [#126](https://github.com/kubernetes-sigs/network-policy-api/issues/126) |
| 4 | +* Status: Provisional |
| 5 | + |
| 6 | +## TLDR |
| 7 | + |
| 8 | +This NPEP proposes adding support for cluster egress (northbound) traffic control |
| 9 | +in the `AdminNetworkPolicy` and `BaselineAdminNetworkPolicy` API objects. |
| 10 | + |
| 11 | +## Goals |
| 12 | + |
| 13 | +* Implement egress traffic control towards external destinations (outside the cluster) |
| 14 | +* Implement egress traffic control towards cluster nodes |
| 15 | + - Currently the behaviour for policies defined around traffic from cluster |
| 16 | + workloads (non-hostNetworked pods) towards nodes in the |
| 17 | + cluster is undefined. See https://github.com/kubernetes-sigs/network-policy-api/issues/73. |
| 18 | + - ANP currently supports only east-west traffic and this traffic flow cuts from |
| 19 | + overlay to underlay which makes this part of the egress (northbound) use case. |
| 20 | + - Let's provide a defined behaviour in ANP to explicitly achieve the use case. |
| 21 | + - NOTE: Traffic towards nodes here includes traffic towards host-networked pods on that node |
| 22 | + because a "node" resource encompasses all objects that share the host-networking resources |
| 23 | +* Implement egress traffic control towards k8s-apiservers |
| 24 | + - An apiserver endpoint in this context is special in the sense that it can be any entity |
| 25 | + including but not limited to a host-networked pod within the cluster OR external VMs OR |
| 26 | + infrastructure nodes running outside the cluster. This is why its a separate category goal. |
| 27 | + |
| 28 | +## Non-Goals |
| 29 | + |
| 30 | +* Implementing southbound (ingress) traffic use cases is outside the scope of this NPEP |
| 31 | +* Implementing egress traffic control towards arbitrary hostNetworked pods is outside the scope of this NPEP |
| 32 | + - Currently the behaviour for policies defined around traffic from cluster |
| 33 | + workloads (non-hostNetworked pods) towards hostNetworked pods in the |
| 34 | + cluster is undefined. See https://github.com/kubernetes-sigs/network-policy-api/issues/73. |
| 35 | + - ANP currently supports only east-west traffic and this traffic flow cuts from |
| 36 | + overlay to underlay which makes this part of the egress (northbound) use case. |
| 37 | + - NOTE: Currently there are no user stories for `CNI pod to arbitrarily chosen hostNetworked pods`. |
| 38 | + Let's provide a defined behaviour in ANP to explicitly achieve the use case in the future if we have |
| 39 | + user stories for this outside of the k8s-apiserver usecase which is already covered in the goals. |
| 40 | + If that happens, this can be moved to goals. |
| 41 | + |
| 42 | +## Introduction |
| 43 | + |
| 44 | +### User Stories for egress traffic control towards external destinations |
| 45 | + |
| 46 | +1. **As a** cluster administrator **I want** to restrict traffic from |
| 47 | +specific cluster workloads to all or specific destinations outside the |
| 48 | +cluster **so that** I can enforce security for northbound traffic. |
| 49 | +Example: Pods in namespaceA and namespaceB should not be able to talk |
| 50 | +to the internet but they should be able to access company's intranet. |
| 51 | + |
| 52 | +2. **As a** cluster administrator **I want** to to ensure that pods can |
| 53 | +reach my cluster-external DNS server even if namespace admins create |
| 54 | +NetworkPolicies that block cluster-external egress. |
| 55 | +Example: As an owner of namespaceA I define policies that deny all |
| 56 | +northbound egress traffic for that namespace. However the cluster-admin |
| 57 | +can decide all namespaces in the cluster must be able to talk to the |
| 58 | +EXTERNAL_DNS_SERVER_IP on port 53. |
| 59 | + |
| 60 | +### User Stories for egress traffic control towards cluster nodes |
| 61 | + |
| 62 | +1. **As a** cluster administrator **I want** to easily block access from |
| 63 | +cluster workloads to specific ports on cluster nodes without having to block |
| 64 | +access to those ports on external hosts, without having to manually list |
| 65 | +the IP address of every node, and without having to change the policy when |
| 66 | +new nodes are added to the cluster. |
| 67 | + |
| 68 | +### User Stories for egress traffic control towards k8s-apiservers |
| 69 | + |
| 70 | +1. **As a** cluster administrator **I want** to easily allow access to |
| 71 | +k8s-apiservers from cluster workloads when there are other deny rules in place |
| 72 | +for these workloads. |
| 73 | + |
| 74 | +2. **As a** cluster administrator **I want** to easily block access from |
| 75 | +selected cluster workloads to k8s-apiservers for securing the server. |
| 76 | + |
| 77 | +## API |
| 78 | + |
| 79 | +(... details, can point to PR with changes) |
| 80 | + |
| 81 | + |
| 82 | +## Alternatives |
| 83 | + |
| 84 | +(List other design alternatives and why we did not go in that |
| 85 | +direction) |
| 86 | + |
| 87 | +## References |
| 88 | + |
| 89 | +* https://github.com/danwinship/enhancements/blob/cluster-egress-firewall/keps/sig-network/20190917-cluster-egress-firewall.md#blocking-access-to-services-used-by-the-node |
| 90 | +* https://github.com/kubernetes-sigs/network-policy-api/pull/86 |
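Review bot: The scope boundary between the node goal and the hostNetworked-pod non-goal is ambiguous as written. The NOTE at lines 21-22 says traffic towards nodes includes traffic towards host-networked pods on that node, while the Non-Goal at lines 31-40 puts traffic towards "arbitrary hostNetworked pods" out of scope, and both bullets repeat the same two sub-points about issue #73 and the overlay-to-underlay flow. Suggest stating in one place that a node peer matches everything sharing that node's host network and that selecting an individual host-networked pod is what remains out of scope, then dropping the duplicated sub-bullets from the other section. Since this defines what an admin-level deny rule towards nodes actually covers, the wording should not leave it to each implementation. Smaller points: user story 2 for external destinations (lines 52-54) has no "so that" clause, unlike story 1, and reads "to to"; line 26 should read "it's"; line 39 has "usecase" where the rest of the document writes "use case".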