|
| 1 | +## API overview |
| 2 | + |
| 3 | +Prior to the AdminNetworkPolicy API there was no native tooling for Cluster Admins |
| 4 | +to apply security rules in a cluster-wide manner, and in some cases Network Policies |
| 5 | +were being incorrectly used to do so, creating a complex web of objects to be |
| 6 | +maintained. |
| 7 | + |
| 8 | +With the advent of the AdminNetworkPolicy API Cluster Admins will now have the |
| 9 | +ability to apply policy on in-cluster workloads with only a few simple policy |
| 10 | +objects that can be applied globally. |
| 11 | + |
| 12 | +## Roles and personas |
| 13 | + |
| 14 | +In this documentation we refer to three primary personas: |
| 15 | + |
| 16 | +- Application Developer |
| 17 | +- Namespace Administrator |
| 18 | +- Cluster Administrator |
| 19 | + |
| 20 | +## Resource Model |
| 21 | + |
| 22 | +There are two main objects in the AdminNetworkPolicy API resource model |
| 23 | + |
| 24 | +- **AdminNetworkPolicy (ANP)** |
| 25 | + |
| 26 | +- **BaselineAdminNetworkPolicy (BANP)** |
| 27 | + |
| 28 | +## General Notes |
| 29 | + |
| 30 | +- Any well defined AdminNetworkPolicy rules should |
| 31 | +be read as-is, i.e. there will not be any implicit isolation effects for the Pods |
| 32 | +selected by the AdminNetworkPolicy, as opposed to what NetworkPolicy rules imply. |
| 33 | + |
| 34 | +- As of `v1alpha1` of this API we focus primarily on E/W cluster traffic and |
| 35 | +do not address N/S (Ingress/Egress) use cases. However this is an issue the community |
| 36 | +would like to keep thinking about during further iterations, and a tracking issue |
| 37 | +can be found/ commented on here ---> [issue #28](https://github.com/kubernetes-sigs/network-policy-api/issues/28) |
| 38 | + |
| 39 | +## The AdminNetworkPolicy Resource |
| 40 | + |
| 41 | +The AdminNetworkPolicy (ANP) resource will help administrators set strict security |
| 42 | +rules for the cluster, i.e. a developer CANNOT override these rules by creating |
| 43 | +NetworkPolicies that apply to the same workloads as the AdminNetworkPolicy. |
| 44 | + |
| 45 | +### AdminNetworkPolicy Actions |
| 46 | + |
| 47 | +Unlike the NetworkPolicy resource in which each rule represents an allowed |
| 48 | +traffic, AdminNetworkPolicies will enable administrators to set `Pass`, |
| 49 | +`Deny` or `Allow` as the action of each rule. AdminNetworkPolicy rules should |
| 50 | +be read as-is, i.e. there will not be any implicit isolation effects for the Pods |
| 51 | +selected by the AdminNetworkPolicy, as opposed to implicit deny NetworkPolicy rules imply. |
| 52 | + |
| 53 | +- **Pass**: Traffic that matches a `Pass` rule will skip all further rules from all |
| 54 | + numbered ANPs and instead be enforced by the K8s NetworkPolicies. |
| 55 | + If there is no K8s NetworkPolicy of BaselineAdminNetworkPolicy rule match |
| 56 | + match, traffic will be governed by the implementation. For most implementations, |
| 57 | + this means "allow", but there may be implementations which have their own policies |
| 58 | + outside of the standard Kubernetes APIs. |
| 59 | +- **Deny**: Traffic that matches a `Deny` rule will be dropped. |
| 60 | +- **Allow**: Traffic that matches an `Allow` rule will be allowed. |
| 61 | + |
| 62 | +AdminNetworkPolicy `Deny` rules are useful for administrators to explicitly |
| 63 | +block traffic with malicious in-cluster clients, or workloads that pose security risks. |
| 64 | +Those traffic restrictions can only be lifted once the `Deny` rules are deleted, |
| 65 | +modified by the admin, or overridden by a higher priority rule. |
| 66 | + |
| 67 | +On the other hand, the `Allow` rules can be used to call out traffic in the cluster |
| 68 | +that needs to be allowed for certain components to work as expected (egress to |
| 69 | +CoreDNS for example). Those traffic should not be blocked when developers apply |
| 70 | +NetworkPolicy to their Namespaces which isolates the workloads. |
| 71 | + |
| 72 | +AdminNetworkPolicy `Pass` rules allows an admin to delegate security posture for |
| 73 | +certain traffic to the Namespace owners by overriding any lower precedence Allow |
| 74 | +or Deny rules. For example, intra-tenant traffic management can be delegated to tenant |
| 75 | +admins explicitly with the use of `Pass` rules. More specifically traffic selected |
| 76 | +by a `Pass` rule will skip any further ANP rule selection, be evaluated against |
| 77 | +any well defined NetworkPolicies, and if not terminated ultimately be evaluated against any |
| 78 | +BaselineAdminNetworkPolicies. |
| 79 | + |
| 80 | +### AdminNetworkPolicy Priorities |
| 81 | + |
| 82 | +Integer priority values were added to the AdminNetworkPolicy API to allow Cluster |
| 83 | +Admins to express direct and intentional ordering between various ANP Objects. |
| 84 | +The `Priority` field in the ANP spec is defined as an integer value |
| 85 | +within the range 0 to 1000 where rules with lower priority values have higher |
| 86 | +precedence. Regardless of priority value all ANPs have higher precedence than |
| 87 | +any defined NetworkPolicy or BaselineAdminNetworkPolicy objects. |
| 88 | + |
| 89 | +### AdminNetworkPolicy Rules |
| 90 | + |
| 91 | +Each ANP should define at least one `Ingress` or `Egress` relevant in-cluster traffic flows. |
| 92 | +and the Actions that should take place for those flows. In each `gress` rule the user |
| 93 | +should AT THE MINIMUM define an `Action`, and at least one `AdminNetworkPolicyPeer`. |
| 94 | +Optionally the user may also define select `Ports` to filter traffic on and also |
| 95 | +a name for each rule to make management/ reporting easier for Admins. |
| 96 | + |
| 97 | +### AdminNetworkPolicy Status |
| 98 | + |
| 99 | +For `v1alpha1` of this API the ANP status field is simply defined as a list of |
| 100 | +[`metav1.condition`](https://github.com/kubernetes/apimachinery/blob/v0.25.0/pkg/apis/meta/v1/types.go#L1464)s. Currently there are no rule as to what these conditions should display, |
| 101 | +and it is up to each implementation to report what they see fit. For further |
| 102 | +API iterations the community may consider standardizing these conditions based on |
| 103 | +the usefulness they provide for various implementors. |
| 104 | + |
| 105 | +## The BaselineAdminNetworkPolicy Resource |
| 106 | + |
| 107 | +The BaselineAdminNetworkPolicy (BANP) resource will allow administrators to |
| 108 | +set baseline security rules that describes default connectivity for cluster workloads, |
| 109 | +which CAN be overridden by developer NetworkPolicies if needed. The major use case |
| 110 | +BANPs solve is the ability to flip the [default security stance of the |
| 111 | +cluster](../index.md#story-5-cluster-wide-default-guardrails). |
| 112 | + |
| 113 | +### BaselineAdminNetworkPolicy Rule Actions |
| 114 | + |
| 115 | +BaselineAdminNetworkPolicies allow administrators to define two distinct actions |
| 116 | +for each well defined rule, `Allow` and `Deny`. |
| 117 | + |
| 118 | +- **Deny**: Traffic that matches a `Deny` rule will be dropped. |
| 119 | +- **Allow**: Traffic that matches an `Allow` rule will be allowed. |
| 120 | + |
| 121 | +### BaselineAdminNetworkPolicy Rules |
| 122 | + |
| 123 | +BANP Rules are defined and behave the same (Except for the `Pass` action) as [ANP |
| 124 | +rules](#adminnetworkpolicy-rules). |
| 125 | + |
| 126 | +### BaselineAdminNetworkPolicy Status |
| 127 | + |
| 128 | +The BANP `status` field follows the same constructs as used by the |
| 129 | +[AdminNetworkPolicy.Status](#adminnetworkpolicy-status) field. |
0 commit comments