kubernetes-sigs
diff --git a/‎README.md
Lines changed: 1 addition & 1 deletion b/‎README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎RELEASE.md
Lines changed: 92 additions & 6 deletions b/‎RELEASE.md
Lines changed: 92 additions & 6 deletions
diff --git a/‎hack/make-docs.sh
Lines changed: 2 additions & 2 deletions b/‎hack/make-docs.sh
Lines changed: 2 additions & 2 deletions
diff --git a/‎mkdocs.yml
Lines changed: 10 additions & 4 deletions b/‎mkdocs.yml
Lines changed: 10 additions & 4 deletions
diff --git a/‎site-src/guides/api-overview.md renamed to ‎site-src/api-overview.md
Lines changed: 25 additions & 17 deletions b/‎site-src/guides/api-overview.md renamed to ‎site-src/api-overview.md
Lines changed: 25 additions & 17 deletions
diff --git a/‎site-src/implementations.md
Lines changed: 16 additions & 0 deletions b/‎site-src/implementations.md
Lines changed: 16 additions & 0 deletions
diff --git a/‎site-src/index.md
Lines changed: 28 additions & 88 deletions b/‎site-src/index.md
Lines changed: 28 additions & 88 deletions
@@ -1,7 +1,7 @@
 <img src="https://github.com/kubernetes/kubernetes/raw/master/logo/logo.png" width="100">
 
 # Network Policy API
- 👋 Welcome to the Network Policy API Project - we are happy to have you here! Before you get started here are some useful links:
+  Welcome to the Network Policy API Project - we are happy to have you here! Before you get started here are some useful links:
 - [Our Website](https://network-policy-api.sigs.k8s.io/)
 - [Agenda](https://docs.google.com/document/d/1AtWQy2fNa4qXRag9cCp5_HsefD7bxKe3ea2RPn8jnSs/edit#heading=h.ajvcztp6cza)
 - [NetworkPolicy v1 Docs](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 
@@ -1,9 +1,95 @@
 # Release Process
 
-The Kubernetes Template Project is released on an as-needed basis. The process is as follows:
+## Overview
 
-1. An issue is proposing a new release with a changelog since the last release
-1. All [OWNERS](OWNERS) must LGTM this release
-1. An OWNER runs `git tag -s $VERSION` and inserts the changelog and pushes the tag with `git push $VERSION`
-1. The release issue is closed
-1. An announcement email is sent to `[email protected]` with the subject `[ANNOUNCE] kubernetes-template-project $VERSION is released`
+The Network Policy API project is has the following two main release components:
+- Kubernetes Custom Resource Definitions (CRDs)
+- Corresponding Go API in the form of `sigs.k8s.io/network-policy-api` Go package
+
+This repository is the home for both of the above components.
+
+## Versioning strategy
+The versioning strategy for this project is covered in detail in [the release
+documentation].
+
+[the release documentation]: site-src/versioning.md
+
+## Releasing a new version
+
+### Writing a Changelog
+
+To simplify release notes generation, we recommend using the [Kubernetes release
+notes generator](https://github.com/kubernetes/release/blob/master/cmd/release-notes):
+
+```
+go install k8s.io/release/cmd/release-notes@latest
+export GITHUB_TOKEN=your_token_here
+release-notes --start-sha EXAMPLE_COMMIT --end-sha EXAMPLE_COMMIT --branch main --repo network-policy-api --org kubernetes-sigs
+```
+
+This output will likely need to be reorganized and cleaned up a bit, but it
+provides a good starting point. Once you're satisfied with the changelog, create
+a PR. This must go through the regular PR review process and get merged into the
+`main` branch. Approval of the PR indicates community consensus for a new
+release.
+
+### Release Steps
+
+The following steps must be done by one of the [network-policy API maintainers][network-policy-api-team]:
+
+For a **PATCH** release:
+- Create a new branch in your fork named something like `<githubuser>/release-x.x.x`. Use the new branch
+  in the upcoming steps.
+- Use `git` to cherry-pick all relevant PRs into your branch.
+- Update `pkg/generator/main.go` with the new semver tag and any updates to the API review URL.
+- Run the following command `BASE_REF=vmajor.minor.patch make generate` which
+  will update generated docs and webhook with the correct version info. (Note
+  that you can't test with these YAMLs yet as they contain references to
+  elements which wont exist until the tag is cut and image is promoted to
+  production registry.)
+- Create a pull request of the `<githubuser>/release-x.x.x` branch into the `release-x.x` branch upstream
+  (which should already exist since this is a patch release). Add a hold on this PR waiting for at least
+  one maintainer/codeowner to provide a `lgtm`.
+- Verify the CI tests pass and merge the PR into `release-x.x`.
+- Create a tag using the `HEAD` of the `release-x.x` branch. This can be done using the `git` CLI or
+  Github's [release][release] page.
+- Run the `make build-install-yaml` command which will generate install files in the `release/` directory.
+  Attach these files to the Github release.
+- Update the `README.md` and `site-src/guides/index.md` files to point links and examples to the new release.
+
+For a **MAJOR** or **MINOR** release:
+
+- Cut a `release-major.minor` branch that we can tag things in as needed.
+- Check out the `release-major.minor` release branch locally.
+- Update `pkg/generator/main.go` with the new semver tag and any updates to the API review URL.
+- Run the following command `BASE_REF=vmajor.minor.patch make generate` which
+  will update generated docs and webhook with the correct version info. (Note
+  that you can't test with these YAMLs yet as they contain references to
+  elements which wont exist until the tag is cut and image is promoted to
+  production registry.)
+- Verify the CI tests pass before continuing.
+- Create a tag using the `HEAD` of the `release-x.x` branch. This can be done using the `git` CLI or
+  Github's [release][release] page.
+- Run the `make build-install-yaml` command which will generate install files in the `release/` directory.
+  Attach these files to the Github release.
+- Update the `README.md` and `site-src/guides/index.md` files to point links and examples to the new release.
+
+For an **RC** release:
+
+- Update `pkg/generator/main.go` with the new semver tag and any updates to the API review URL.
+- Run the following command `BASE_REF=vmajor.minor.patch make generate` which
+  will update generated docs and webhook with the correct version info. (Note
+  that you can't test with these YAMLs yet as they contain references to
+  elements which wont exist until the tag is cut and image is promoted to
+  production registry.)
+- Include the changelog update in this PR.
+- Merge the update PR.
+- Tag the release using the commit on `main` where the changelog update merged.
+  This can  be done using the `git` CLI or Github's [release][release]
+  page.
+- Run the `make build-install-yaml` command which will generate
+  install files in the `release/` directory.
+- Attach these files to the Github release.
+
+[release]: https://github.com/kubernetes-sigs/network-policy-api/releases
+[network-policy-api-team]: https://github.com/kubernetes/org/blob/main/config/kubernetes-sigs/sig-network/teams.yaml
@@ -37,5 +37,5 @@ mkdocs build
 # Generate v1alpha2 API docs
 ./hack/api-docs/generate.sh site/spec.html
 # Add them to spec page originally generated by mkdocs
-run::sed -e '/REPLACE_WITH_GENERATED_CONTENT/{r site/spec.html' -e 'd;}' site/references/spec/index.html
-run::sed -e '/REPLACE_WITH_GENERATED_CONTENT/{r site/spec.html' -e 'd;}' site/references/spec/index.html
+run::sed -e '/REPLACE_WITH_GENERATED_CONTENT/{r site/spec.html' -e 'd;}' site/reference/spec/index.html
+run::sed -e '/REPLACE_WITH_GENERATED_CONTENT/{r site/spec.html' -e 'd;}' site/reference/spec/index.html
@@ -1,4 +1,4 @@
-site_name: Kubernetes AdminNetworkPolicy API
+site_name: Network Policy API
 repo_url: https://github.com/kubernetes-sigs/network-policy-api
 repo_name: kubernetes-sigs/network-policy-api
 site_dir: site
@@ -34,10 +34,16 @@ markdown_extensions:
       permalink: true
 nav:
   - Introduction: index.md
-  - API overview: guides/api-overview.md
-  - Examples: guides/examples.md
+  - Overview:
+    - User Stories: user-stories.md
+    - Resources: api-overview.md
+    - Versioning: versioning.md
+    - Implementations: implementations.md
   - Reference:
-    - API specification: references/spec.md
+    - Examples: reference/examples.md
+    - API Reference: reference/spec.md
+
+
 # (TODO)
 #  - Implementation Guidelines: concepts/guidelines.md
 #  - Versioning: concepts/versioning.md
 
@@ -1,13 +1,16 @@
-## API overview
+# Api Object Overview
 
-Prior to the AdminNetworkPolicy API there was no native tooling for Cluster Admins
-to apply security rules in a cluster-wide manner, and in some cases Network Policies
-were being incorrectly used to do so, creating a complex web of objects to be
-maintained.
+Prior to the Network Policy API the original NetworkPolicy Resource was the only
+way for k8s users to apply security rules to their kubernetes workloads. One of the
+main drawbacks to this API was that it was designed exclusively for use by the
+Application Developer, although in reality it is used by many different cluster
+personas, sometimes creating a complex web of objects to be maintained. In
+Contrast, each resource in the Network Policy API is designed to be used by a
+specific persona.
 
-With the advent of the AdminNetworkPolicy API Cluster Admins will now have the 
-ability to apply policy on in-cluster workloads with only a few simple policy 
-objects that can be applied globally.
+With the advent of the AdminNetworkPolicy and BaselineAdminNetworkPolicy
+resources Cluster Admins will now have the ability to apply policy on in-cluster
+workloads with only a few simple policy objects that can be applied globally.
 
 ## Roles and personas
 
@@ -17,9 +20,14 @@ In this documentation we refer to three primary personas:
 - Namespace Administrator
 - Cluster Administrator
 
-## Resource Model 
+## Resource Model
 
-There are two main objects in the AdminNetworkPolicy API resource model
+!!! note
+    Network Policy API resources are in the `policy.networking.k8s.io` API group as
+    Custom Resource Definitions (CRDs). Unqualified resource names below will
+    implicitly be in this API group.
+
+Currently, there are two main objects in the Network Policy API resource model:
 
 - **AdminNetworkPolicy (ANP)**
 
@@ -31,18 +39,18 @@ There are two main objects in the AdminNetworkPolicy API resource model
 be read as-is, i.e. there will not be any implicit isolation effects for the Pods
 selected by the AdminNetworkPolicy, as opposed to what NetworkPolicy rules imply.
 
-- As of `v1alpha1` of this API we focus primarily on E/W cluster traffic and 
-do not address N/S (Ingress/Egress) use cases. However this is an issue the community 
-would like to keep thinking about during further iterations, and a tracking issue 
+- As of `v1alpha1` of this API we focus primarily on E/W cluster traffic and
+do not address N/S (Ingress/Egress) use cases. However this is an issue the community
+would like to keep thinking about during further iterations, and a tracking issue
 can be found/ commented on here ---> [issue #28](https://github.com/kubernetes-sigs/network-policy-api/issues/28)
 
-## The AdminNetworkPolicy Resource 
+## The AdminNetworkPolicy Resource
 
-The AdminNetworkPolicy (ANP) resource will help administrators set strict security 
-rules for the cluster, i.e. a developer CANNOT override these rules by creating 
+The AdminNetworkPolicy (ANP) resource will help administrators set strict security
+rules for the cluster, i.e. a developer CANNOT override these rules by creating
 NetworkPolicies that apply to the same workloads as the AdminNetworkPolicy.
 
-### AdminNetworkPolicy Actions 
+### AdminNetworkPolicy Actions
 
 Unlike the NetworkPolicy resource in which each rule represents an allowed
 traffic, AdminNetworkPolicies will enable administrators to set `Pass`,
 
@@ -0,0 +1,16 @@
+# Implementations
+
+This document tracks downstream(actual and planned) implementations of
+Network Policy API resources and provides status and resource references for them.
+
+Implementors of Network Policy API resources are encouraged to update this document with status information about their
+implementations, the versions they cover, and documentation to help users get started.
+
+## AdminNetworkPolicy and BaseLineAdminNetworkPolicy
+
+Updated: 05-08-2023
+
+- [Ovn-Kubernetes CNI](https://github.com/ovn-org/ovn-kubernetes/pull/3489) (work in progress)
+- [Antrea CNI](https://github.com/antrea-io/antrea/pull/4537) (work in progress)
+- [Cilium CNI](https://github.com/cilium/cilium/issues/23380) (tracking issue)
+- [Calico CNI](https://github.com/projectcalico/calico/issues/7578) (tracking issue)
@@ -1,102 +1,42 @@
-## What is the AdminNetworkPolicy API?
+# Network Policy API Working Group
+ 👋 Welcome to the Network Policy API Project - we are happy to have you here! Before you get started here are some useful links:
+- [Bi-Weekly Meeting Agenda](https://docs.google.com/document/d/1AtWQy2fNa4qXRag9cCp5_HsefD7bxKe3ea2RPn8jnSs/edit#heading=h.ajvcztp6cza)
+- [NetworkPolicy v1 Docs](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 
-The AdminNetworkPolicy API is an open source project managed by the [SIG-NETWORK][sig-network]
-community. It is a collection of resources, which aim to make securing Kubernetes 
-clusters easier for Administrators.  
+## What is the Network Policy API Project?
 
-![Gateway API Model](./images/ANP-api-model.png)
+The network policy API subgroup is a part of [SIG Network](https://github.com/kubernetes/community/tree/master/sig-network),
+formed to address further work involving Kubernetes network security beyond the core NetworkPolicy v1 resource.
+The [`network-policy-api`](https://github.com/kubernetes-sigs/network-policy-api/) repository contains APIs which are
+created and maintained by this subgroup.
 
-## Getting started
+## APIs
 
-Whether you are a user interested in using the AdminNetworkPolicy API or an implementer 
-interested in conforming to the API, the following resources will help give 
-you the necessary background:
+We refer to "APIs" in the plural here because this project will house
+multiple K8s CRD resources geared towards different users and use cases.
 
-- [API overview](/guides/api-overview)
-- [Examples](/guides/examples)
-- [API Source](https://github.com/kubernetes-sigs/network-policy-api/tree/master/apis/v1alpha1)
+### Active (APIs undergoing active development)
 
+- [AdminNetworkPolicy](api-overview.md#the-adminnetworkpolicy-resource) and [BaselineAdminNetworkPolicy](api-overview.md#the-baselineadminnetworkpolicy-resource)
 
-## AdminNetworkPolicy API User Stories
+### Future (Possible APIs to be created in the future)
 
-The following user stories drive the concepts of the AdminNetworkPolicy API for the 
-`v1alpha1` version of the api. More information on how the community ended up here 
-can be found in the [API KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/2091-admin-network-policy)
-and in the accompanying [KEP PR](https://github.com/kubernetes/enhancements/pull/2522)
+- DeveloperNetworkPolicy
 
-Future API developments should all start with a **well-defined** and **intentional** 
-user story.
+## Outreach
 
-### Story 1: Deny traffic at a cluster level
+- [Kubecon NA 2022 Contributors Summit](https://youtu.be/00nVssi2oPA)
+- [Kubecon NA 2022 SIG Network Deep Dive](https://www.youtube.com/watch?v=qn9bM5Cwvg0&t=752s)
+- [Kubecon NA 2023 SIG Network Deep Dive](https://www.youtube.com/watch?v=0uPEFcWn-_o)
 
-As a cluster admin, I want to apply non-overridable deny rules
-to certain pod(s) and(or) Namespace(s) that isolate the selected
-resources from all other cluster internal traffic.
+## Community, discussion, contribution, and support
+Learn how to engage with the Kubernetes community on the [community page](http://kubernetes.io/community/).
 
-For Example: In this diagram there is a AdminNetworkPolicy applied to the
-`sensitive-ns` denying ingress from all other in-cluster resources for all
-ports and protocols.
+You can reach the maintainers of this project at:
+- [Slack](https://kubernetes.slack.com/messages/sig-network-policy-api)
+- [Mailing List](https://groups.google.com/forum/#!forum/kubernetes-sig-network)
 
-![Alt text](./images/explicit_deny.png?raw=true "Explicit Deny")
-
-### Story 2: Allow traffic at a cluster level
-
-As a cluster admin, I want to apply non-overridable allow rules to  
-certain pods(s) and(or) Namespace(s) that enable the selected resources
-to communicate with all other cluster internal entities.  
-
-For Example: In this diagram there is a AdminNetworkPolicy applied to every
-namespace in the cluster allowing egress traffic to `kube-dns` pods, and ingress
-traffic from pods in `monitoring-ns` for all ports and protocols.
-
-![Alt text](./images/explicit_allow.png?raw=true "Explicit Allow")
-
-### Story 3: Explicitly Delegate traffic to existing K8s Network Policy
-
-As a cluster admin, I want to explicitly delegate traffic so that it
-skips any remaining cluster network policies and is handled by standard
-namespace scoped network policies.
-
-For Example: In the diagram below egress traffic destined for the service svc-pub
-in namespace bar-ns-1 on TCP port 8080 is delegated to the k8s network policies
-implemented in foo-ns-1 and foo-ns-2. If no k8s network policies touch the
-delegated traffic the traffic will be allowed.
-
-![Alt text](./images/delegation.png?raw=true "Delegate")
-
-### Story 4: Create and Isolate multiple tenants in a cluster
-
-As a cluster admin, I want to build tenants in my cluster that are isolated from
-each other by default. Tenancy may be modeled as 1:1, where 1 tenant is mapped
-to a single Namespace, or 1:n, where a single tenant may own more than 1 Namespace.
-
-For Example: In the diagram below two tenants (Foo and Bar) are defined such that
-all ingress traffic is denied to either tenant.  
-
-![Alt text](./images/tenants.png?raw=true "Tenants")
-
-### Story 5: Cluster Wide Default Guardrails
-
-As a cluster admin I want to change the default security model for my cluster,
-so that all intra-cluster traffic (except for certain essential traffic) is
-blocked by default. Namespace owners will need to use NetworkPolicies to
-explicitly allow known traffic. This follows a whitelist model which is
-familiar to many security administrators, and similar
-to how [kubernetes suggests network policy be used](https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies).
-
-For Example: In the following diagram all Ingress traffic to every cluster
-resource is denied by a baseline deny rule.
-
-![Alt text](./images/baseline.png?raw=true "Default Rules")
-
-## Who is working on AdminNetworkPolicy?
-
-The AdminNetworkPolicy API is a
-[SIG-Network](https://github.com/kubernetes/community/tree/master/sig-network)
-project being built to improve and standardize cluster-wide security policy in k8s. In-progress implementations include Antrea (VMware) and Openshift (RedHat),
-If you are interested in contributing to or
-building an implementation using the AdminNetworkPolicy API then don’t hesitate to [get
-involved!](/contributing/community)
-
-[sig-network]: https://github.com/kubernetes/community/tree/master/sig-network
+To get started contributing please take time to read over the [contributing guidelines](https://github.com/kubernetes-sigs/network-policy-api/blob/master/CONTRIBUTING.md) as well as the [developer guide](https://github.com/kubernetes/community/blob/master/contributors/devel/README.md). You can then take a look at the open issues labelled 'good-first-issue' [here](https://github.com/kubernetes-sigs/network-policy-api/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).
 
+### Code of conduct
+Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md).