Skip to content

NPEP-248: Add match all to ingress/egress peers #339

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

NPEP-248: Add match all to ingress/egress peers #339

wants to merge 2 commits into from
+275 −0

Conversation

@fasaxc
Copy link
Contributor

@fasaxc fasaxc commented Oct 27, 2025
edited
Loading

Attempt to tackle #248 by adding an explicit match all operator to peer objects.

@fasaxc
NPEP-248: Match all
c1f41f1 
Attempt to tackly kubernetes-sigs#248 by adding an explicit match all operator
to peer objects.
@netlify
Copy link

netlify bot commented Oct 27, 2025
edited
Loading

Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name Link
🔨 Latest commit 199d6ba
🔍 Latest deploy log https://app.netlify.com/projects/kubernetes-sigs-network-policy-api/deploys/6900944d6b064f0008b5853c
😎 Deploy Preview https://deploy-preview-339--kubernetes-sigs-network-policy-api.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 27, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fasaxc
Once this PR has been reviewed and has the lgtm label, please assign danwinship for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested a review from aojea October 27, 2025 18:25
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 27, 2025
@k8s-ci-robot k8s-ci-robot requested a review from tssurya October 27, 2025 18:25
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Oct 27, 2025
@fasaxc fasaxc changed the title NPEP-248: Match all NPEP-248: Add match all to ingress/egress peers Oct 27, 2025
Dyanngg
Dyanngg reviewed Nov 3, 2025
View reviewed changes
npeps/npep-248-match-all.md
to add new fields inside the struct later without a breaking change. "Old"
implementations won't see the new fields, and they'd act like they weren't present.

I think this is OK in this unique case because "all" is naturally a unique "top"
Copy link
Contributor

@Dyanngg Dyanngg Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you thought about how the API could evolve to cover the "deny all UDP traffic" case?

Copy link
Contributor Author

@fasaxc fasaxc Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

deny all UDP traffic

Can already be expressed by saying "deny UDP ports 1-65535". In general, you can already pick out the parts of the Venn diagram, but what was missing was a way to say "just match it all, don't restrict"

npeps/npep-248-match-all.md
- all: {}
```

Then, via to-be-written controller, we auto-generate a higher precedence policy per unique tenant
Copy link
Contributor

@Dyanngg Dyanngg Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are the implementations/end-users expected to write such a controller or do we plan to include something in this repo?

Copy link
Contributor Author

@fasaxc fasaxc Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've discussed writing such a controller as a way to prove out tenancy. Then, either that becomes the answer or the templating mechanism gets absorbed into the vendor implementations once we're happy with it. This section was mainly to say "this feature fits in with what we discussed about tenancy", not to commit us to that tenancy path.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Dyanngg Dyanngg Dyanngg left review comments

@aojea aojea Awaiting requested review from aojea

@tssurya tssurya Awaiting requested review from tssurya

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fasaxc @k8s-ci-robot @Dyanngg