Add IPBlock to Network Policy #50033
Conversation
cmluciano
added
the
sig/network
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
kind/api-change
cmluciano
force-pushed
the
cml/addnpcidrselector
branch
from
7c5094e to
7ad35fb
Compare
|
I'm not sure if I generated the code improperly. The build failures are a bit cryptic to me. |
cmluciano
force-pushed
the
cml/addnpcidrselector
branch
from
7ad35fb to
f3b9bc4
Compare
k8s-github-robot
added
size/XL
|
@kubernetes/sig-api-machinery-misc Can anyone help diagnose what I'm failing to run/add here? |
k8s-ci-robot
added
the
sig/api-machinery
|
What is the use case for the selector semantic here, vs simply "from cidr". Can you show concretely how this is to be used that can't be solved by simpler? This backdoor-introduces "deny" logic, and I worry that this turns into a firewall. |
|
This was based on conversations in #49978 (comment) about how to implement the deny-type of wording. I went with this since it matched current styles for podSelectors. |
|
@thockin I expressed similar concern. The reasoning is documented in this discussion: #49978 (comment) The TL;DR is that some users want to allow traffic to/from a set of IPs that doesn't cleanly align with a single CIDR. e.g. "allow from everywhere in 192.168.0.0/16 except for 192.168.8.0/24" To reiterate my stance from the other thread:
|
|
I'll go read the context (sorry). I find this to be pretty obtuse, myself.
…On Fri, Aug 11, 2017 at 3:50 PM, Casey Davenport ***@***.***> wrote:
@thockin <https://github.com/thockin> I expressed similar concern. The
reasoning is documented in this discussion: #49978 (comment)
<#49978 (comment)>
The TL;DR is that some users want to allow traffic to/from a set of IPs
that doesn't cleanly align with a single CIDR.
e.g. "allow from everywhere in 192.168.0.0/16 except for 192.168.8.0/24"
To reiterate my stance from the other thread:
- I'd much much prefer a simple CIDR field
- This is a bit more flexible (also more confusing), and it's easy for
us to implement at least so I won't fight it tooth-and-nail.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#50033 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVP-aZrrSFO2eamyz9rGZVHo0T4lzks5sXNqqgaJpZM4OrfNl>
.
|
|
Will comment there.
…On Fri, Aug 11, 2017 at 3:52 PM, Tim Hockin ***@***.***> wrote:
I'll go read the context (sorry). I find this to be pretty obtuse,
myself.
On Fri, Aug 11, 2017 at 3:50 PM, Casey Davenport ***@***.***
> wrote:
> @thockin <https://github.com/thockin> I expressed similar concern. The
> reasoning is documented in this discussion: #49978 (comment)
> <#49978 (comment)>
>
> The TL;DR is that some users want to allow traffic to/from a set of IPs
> that doesn't cleanly align with a single CIDR.
>
> e.g. "allow from everywhere in 192.168.0.0/16 except for 192.168.8.0/24"
>
> To reiterate my stance from the other thread:
>
> - I'd much much prefer a simple CIDR field
> - This is a bit more flexible (also more confusing), and it's easy
> for us to implement at least so I won't fight it tooth-and-nail.
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#50033 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AFVgVP-aZrrSFO2eamyz9rGZVHo0T4lzks5sXNqqgaJpZM4OrfNl>
> .
>
|
cmluciano
force-pushed
the
cml/addnpcidrselector
branch
from
f3b9bc4 to
66d2516
Compare
k8s-github-robot
added
size/L
cmluciano
force-pushed
the
cml/addnpcidrselector
branch
from
66d2516 to
f1fe142
Compare
|
I think my test failures are caused by the v1beta code not converting or dropping the new ipBlock field. @thockin @sttts Does the conversion code under pkg/apis/extensions/conversion.go persist for one more release? |
|
We have to keep v1b1 for another release.
…On Wed, Aug 16, 2017 at 1:32 PM, cmluciano ***@***.***> wrote:
I think my test failures are caused by the v1beta code not converting or
dropping the new ipBlock field.
@thockin <https://github.com/thockin> @sttts <https://github.com/sttts>
Does the conversion code under pkg/apis/extensions/conversion.go
<https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/extensions/v1beta1/conversion.go>
persist for one more release?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#50033 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVKER1t8WOHu4uRTQWxXFbBbkHC51ks5sY1HdgaJpZM4OrfNl>
.
|
|
Ping me when ready for review.
…On Wed, Aug 16, 2017 at 9:56 PM, Tim Hockin ***@***.***> wrote:
We have to keep v1b1 for another release.
On Wed, Aug 16, 2017 at 1:32 PM, cmluciano ***@***.***>
wrote:
> I think my test failures are caused by the v1beta code not converting or
> dropping the new ipBlock field.
>
> @thockin <https://github.com/thockin> @sttts <https://github.com/sttts>
> Does the conversion code under pkg/apis/extensions/conversion.go
> <https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/extensions/v1beta1/conversion.go>
> persist for one more release?
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#50033 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AFVgVKER1t8WOHu4uRTQWxXFbBbkHC51ks5sY1HdgaJpZM4OrfNl>
> .
>
|
cmluciano
force-pushed
the
cml/addnpcidrselector
branch
from
f1fe142 to
cbbd2e6
Compare
pkg/apis/networking/types.go
Outdated
| type CIDR string | ||
|
|
||
| // Except is a slice of CIDRs to not include within an IpBlockRule | ||
| type Except []string |
There was a problem hiding this comment.
You're not using either the CIDR type or the Except type. (IpBlockRule just uses string and []string directly. And I feel like that's correct.)
pkg/apis/networking/types.go
Outdated
| // IpBlockRule describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to the pods | ||
| // matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should | ||
| // not be included within this rule. | ||
| type IpBlockRule struct { |
There was a problem hiding this comment.
Capital P. IPBlockRule. Acronyms are always either all-caps or all-lowercase. (So IPBlockRule here and ipBlockRule in the JSON.)
pkg/apis/networking/types.go
Outdated
| // matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should | ||
| // not be included within this rule. | ||
| type IpBlockRule struct { | ||
| // CIDR is a string representing a Classless inter-domain route |
There was a problem hiding this comment.
We don't explain what "CIDR" stands for anywhere else, so I'd just say "is a string representing the IP block". (If you do want to expand the acronym, be consistent with the capitalization.)
pkg/apis/networking/types.go
Outdated
| // CIDR is a string representing a Classless inter-domain route | ||
| // Valid examples are "192.168.1.1/24" | ||
| CIDR string | ||
| // Except is a slice of CIDRs that should not be included within an IPBlock rule |
There was a problem hiding this comment.
There's inconsistency throughout about "IPBlockRule" vs "IPBlock"
There was a problem hiding this comment.
You're right. I have no idea why I came up with rule and it becomes terribly confusing. I switched the the networking.IPBlock to represent the type for a IPBlockSelector.
Should we continue to use something like ipBlock in the json or ipBlockSelector?
pkg/apis/networking/types.go
Outdated
|
|
||
| // IpBlockrule defines policy on a particular CIDR | ||
| // +optional | ||
| IpBlockRule *IpBlockRule |
There was a problem hiding this comment.
maybe call it IPBlockSelector or CIDRSelector for consistency with the other fields?
| func ValidateIpBlock(br *networking.IpBlockRule, fldPath *field.Path) field.ErrorList { | ||
| allErrs := field.ErrorList{} | ||
| if len(br.CIDR) == 0 { | ||
| allErrs = append(allErrs, field.Required(fldPath.Child("cidr"), "ibBlock rules must specify a CIDR")) |
There was a problem hiding this comment.
beyond the continued inconsistency about "ip block" vs "ip block rule", there's also a typo here ("ib")
| for i, exceptIP := range br.Except { | ||
| exceptPath := fldPath.Child("except").Index(i) | ||
| if exceptIP == "" || exceptIP == " " { | ||
| allErrs = append(allErrs, field.Invalid(exceptPath.Child("except"), exceptIP, "value cannot be an empty string")) |
There was a problem hiding this comment.
should call IsValidCIDR
| // Except is a slice of CIDRs that should not be included within an IPBlock rule | ||
| // Valid examples are "192.168.1.1/24" | ||
| // +optional | ||
| Except []string `json:"except,omitempty" protobuf:"bytes,2,opt,name=except"` |
There was a problem hiding this comment.
rep not opt in the protobuf spec (because it's an array)
k8s-github-robot
added
size/XXL
cmluciano
force-pushed
the
cml/addnpcidrselector
branch
from
800f481 to
107c56a
Compare
|
/retest |
|
@thockin Any ideas on why roundtrips fail only sometimes for me? I thought my fuzzer would help with this and I see the errors irregularly. I'm not sure if this is intentional or if my fuzzer/assumptions about compatibility are wrong. |
|
Talked with Stefan a bit about this. Since we still have v1beta1 I need to encode the new field in an annotation. Also we are still using v1beta1 as the default storage backend. #50604 is open for this. |
|
I'll review now. What is teh story with test fail? Do we understand it? ETA for fix? |
k8s-github-robot
added
size/L
| // CIDR is a string representing the IP Block | ||
| // Valid examples are "192.168.1.1/24" | ||
| CIDR string | ||
| // Except is a slice of CIDRs that should not be included within an IP Block |
There was a problem hiding this comment.
Comment (and validate) that the CIDRs in except must be subsets of cidr
pkg/apis/networking/types.go
Outdated
|
|
||
| // IPBlockSelector defines policy on a particular IPBlock | ||
| // +optional | ||
| IPBlockSelector *IPBlock |
There was a problem hiding this comment.
This should be IPBlock. It is not a Selector.
| func ValidateIPBlock(br *networking.IPBlock, fldPath *field.Path) field.ErrorList { | ||
| allErrs := field.ErrorList{} | ||
| if len(br.CIDR) == 0 { | ||
| allErrs = append(allErrs, field.Required(fldPath.Child("cidr"), "ipBlock must specify a CIDR")) |
There was a problem hiding this comment.
field.Required(fldPath.Child("cidr"), "") - the last error string is redundant here.
| allErrs = append(allErrs, field.Required(fldPath.Child("cidr"), "ipBlock must specify a CIDR")) | ||
| } | ||
| if !IsValidCIDR(br.CIDR) { | ||
| allErrs = append(allErrs, field.Invalid(fldPath.Child("cidr"), br.CIDR, "value is not a valid CIDR")) |
| for i, exceptIP := range br.Except { | ||
| exceptPath := fldPath.Child("except").Index(i) | ||
| if !IsValidCIDR(exceptIP) { | ||
| allErrs = append(allErrs, field.Invalid(exceptPath.Child("except"), exceptIP, "value cannot be an empty string")) |
There was a problem hiding this comment.
validate that it is "in" the main CIDR
| } | ||
|
|
||
| // IsValidCIDR validates whether a CIDR matches the conventions expected by net.ParseCIDR | ||
| func IsValidCIDR(cidr string) bool { |
There was a problem hiding this comment.
does this need to be exposed or could it be isValidCIDR ?
cmluciano
force-pushed
the
cml/addnpcidrselector
branch
from
107c56a to
a9528b6
Compare
|
ping me on slack when ready. I want to turn around PRs as fast as I can... |
cmluciano
force-pushed
the
cml/addnpcidrselector
branch
from
a9528b6 to
f89fd5a
Compare
cmluciano
changed the title
|
@thockin @caseydavenport @danwinship Ready for review |
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
cmluciano
force-pushed
the
cml/addnpcidrselector
branch
from
f89fd5a to
02735c3
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cmluciano, thockin Associated issue: 49978 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
| // matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should | ||
| // not be included within this rule. | ||
| type IPBlock struct { | ||
| // CIDR is a string representing the IP Block |
There was a problem hiding this comment.
Don't we usually avoid putting the field name into the description? For some doc generation reason I believe.
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 50033, 49988, 51132, 49674, 51207) |
|
@cmluciano: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
What this PR does / why we need it:
Add ipBlockRule to NetworkPolicyPeer.
Which issue this PR fixes
fixes #49978
Special notes for your reviewer:
Todo:
Release note: