Are we declaring the beta?

@thockin @danwinship @caseydavenport

I've been pondering a bit more on the "how to enable default deny" case. From the Group posting we landed on:

We could add a "policyTypes" field indicating what kinds of traffic the 
policy affects. And if it's unspecified, it would get defaulted to: 

  - [ "ingress", "egress" ] if the policy has both ingress: and egress: 
    sections 

  - [ "egress" ] if the policy has an egress: section but no ingress: 
    section 

  - [ "ingress"] if the policy has an ingress: section but no egress: 
    section, or, for backward compatibility, if it has neither 
    ingress: nor egress:. 

Instead of adding something to NetworkPolicySpec, should we augment the Egress rule with a field that resembles the default? Then we can consider deprecating the current Ingress defaults over a few releases in favor of a similar change.

Ex:

// NetworkPolicyEgressRule describes a particular set of traffic that pods can egress to
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
type NetworkPolicyEgressRule struct {
	// List of destination ports for outgoing traffic.
	//Each item in this list is combined using a logical OR. If this field is
	// empty or missing, this rule matches all ports (traffic not restricted by port).
	// If this field is present and contains at least one item, then this rule does note
	// constrain outgoing traffic.
	// +optional
	Ports []NetworkPolicyPort

	// List of sources for outgoing traffic of pods selected for this rule.
	// Items in this list are combined using a logical OR operation. If this field is
	// empty or missing, this rule matches all sources (traffic not restricted by
	// source). If this field is present and contains at least on item, this rule
	// allows traffic only if the traffic matches at least one item in the from list.
	// +optional
	To []NetworkPolicyPeer

        // This is the default EgressRule applied to pods across a cluster.
        // Options are Permit or Prohibit
        // +optional
        DefaultPolicy: 
}

We can't have "DefaultPolicy" in NetworkPolicyEgressRule, because what if there were two rules with opposite default policies?

But maybe there could be something like a "Nothing" option in NetworkPolicyEgressRule/NetworkPolicyIngressRule so you can explicitly write a rule that doesn't match anything:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-egress
spec:
  podSelector:
  egress:
  - to:
    - nothing:

and that combines fine with other policies without contradiction.

Although "Nothing" probably isn't the right name, and it can't be just an empty field because that would get lost in serialization.

/retest

I like the option of adding to the Peer group, however I'm also lost on what to name it.

Is there a design/proposal doc for egress rules in networkpolicy? Or is the comment #51351 (comment) sufficient enough to capture the gist of this work?

@ahmetb The summary of proposals is in a google doc.

SIG-Network Mailing List Post: egress network policy requirements

So actually, wait, the problem is not "how to enable default deny", it's "how to not (accidentally) enable default deny". We told people to use a policy like this for ingress default-deny in 1.7:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
spec:
  podSelector:

But that will now implicitly have an empty egress rule array. So the solution has to be that, at least in some cases, an empty/non-existent egress section does not mean "deny all egress".

My suggestion had been to fix that by adding a way to specify that egress is ignored for a given policy (and make that the default behavior for existing policies).

I guess the other way would be to say that empty/non-existent egress never means "deny all egress", it means "allow all egress" (and you have to include an explicit don't-allow-anything NetworkPolicyEgressRule if you want to deny-all). But that's pretty egregiously different from ingress behavior.

I'm fine with the PolicyType field for now if we want to maintain the Ingress behavior. I figured it was worth bringing up since the Default code that I started writing looked messy due to all of the edge-cases.

This egress policy is enforced on connections made from the pod but what about on reply packets?

Example:

• an ingress policy for app=database to receive requests from app=frontend
• an egress policy for app=database that is only allowed to send traffic to the app=backup

Based on the egress policy installed, can app=database reply to app=frontend?

We can't really deprecate the ingress defaults until we rev the API to v2{alpha,beta,}. It is part of the API semantic. Unfortunately, lack of ingress means no ingress, but we don't want lack of egress to mean no egress (that would be a breaking change). We should have demanded ingress be specified to mean "no ingress". We botched that. The policyTypes field is the remedy.

We might be able to slightly rectify the situation, though. I'm going to think out loud:

We have IPBlock now, which can unambiguously indicate "nothing" as 0.0.0.0/32 What if we:

1. change the defaulting logic for NetworkPolicySpec to something like:

if len(spec.Ingress) == 0 {
  nothing := new(IPBlock)
  nothing.CIDR = "0.0.0.0/32"
  spec.Ingress = []NetworkPolicyIngressRule{{From: []NetworkPolicyPeer{{IPBlock: nothing}}}}
}

2. add egress, demand that "deny all" specify to: { ipblock: { cidr: "0.0.0.0/32" }}

3. change the above default logic to if len(spec.Ingress) + len(spec.Egress) == 0 {

If user specifies nothing, they get the default (no ingress).

If the user specifies ingress but not egress, they get their ingress rules

If the user specifies egress but not ingress, they get their egress rules

If the use specifies ingress and egress, they get their ingress and egress rules

The only thing that is irregular is the defaulting logic. Does this break anything? I am trying to work through it. If a user creates this on v1.8, then rolls back to v1.7, the ipBlock will get dropped, leaving an empty from which fails validation. Damn. We could change the validation in v1.8 and do the above in v1.9.

Starting over:

We could just leave the empty ingress to be irregular. Can we only make it irregular iff egress is not specified?

If the user specifies nothing, they get today's behavior (no ingress).

If the user specifies ingress but not egress, they get their ingress rules

If the user specifies egress but not ingress, they get their egress rules and ingress is unaffected

If the use specifies ingress and egress, they get their ingress and egress rules

Would this break anything? If a user had an empty NetworkPolicy object, and they add egress to it, it would stop being a no-ingress rule. That's bad.

Starting over:

What if we change the defaulting for NetworkPolicyPeer and allow all-nil to mean "none". That would be a breaking change upon rollback.

Starting over:

We're stuck. We can't even do what Dan suggested. I think we have to respect that any NP object that has no ingress block means "default-deny ingress". That means the policyTypes list has to always default to containing "Ingress". The only way it can not affect ingress is if the user specifies just "Egress".

Someone check my math or convince me I am wrong?

This egress policy is enforced on connections made from the pod but what about on reply packets?

Reply packets are always allowed, just like with ingress policy. (ie, if you have an ingress policy for app=database to receive requests from app=frontend, then that also allows replies from the database pod to the frontend pod, even though it doesn't allow the database pod to initiate connections to the frontend pod.)

We're stuck. We can't even do what Dan suggested. I think we have to respect that any NP object that has no ingress block means "default-deny ingress". That means the policyTypes list has to always default to containing "Ingress". The only way it can not affect ingress is if the user specifies just "Egress".

Someone check my math or convince me I am wrong?

Didn't you just contradict yourself? "any NP object that has no ingress block means 'default-deny ingress'" vs "The only way it can not affect ingress is if the user specifies just 'Egress'" ?

So like:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
spec:
  policyTypes: [ "Egress" ]
  egress:

Does that default-deny ingress or not?

If the concern is only with rollback, then it seems a little weird to worry about the ingress behavior of that policy after rolling back from 1.8 to 1.7, since regardless of the interpretation of ingress, the policy as a whole is guaranteed to not have the behavior the user wanted anyway...

If we need to make it possible to roll back and not have egress-only policies turn into deny-ingress policies then I guess the only way we can do that is to say that there's no such thing as an egress-only policy. So the fully foward-and-backward-compatible rule would be:

• Any pod that is selected by any NetworkPolicy is deny-ingress, and only allows incoming connections that match the ingress clause of some NetworkPolicy that selects it. (Unchanged from 1.7; for rollback compatibility we have to ensure that any policy in 1.8 still has the same ingress semantics it would have had in 1.7 if you remove any new fields.)

• Any pod that is selected by a NetworkPolicy that contains an egress clause is deny-egress, and only allows outgoing connections that match the egress clause of some NetworkPolicy that selects it. (For forward compatibility with existing 1.7 policies, we can't have egress be affected by policies that don't explicitly mention egress.)

• To make an egress default-deny policy, you can do:

  kind: NetworkPolicy
  apiVersion: networking.k8s.io/v1
  spec:
    podSelector:
    egress:
    - ipBlock:
        cidr: 0.0.0.0/0
  

  except that that's also a default-deny ingress policy too; there's no way to write a policy that just denies egress without affecting ingress. Which is terrible.

Actually, there's another way around the problem, which is if we say that podSelector only describes the pods affected by the ingress clause, and have a separate egressPodSelector to describe the pods that are affected by the egress section of the policy. And then you could write:

spec:
    egressPodSelector:
      matchLabels:
        app: frontend
    egress:    # empty == denied
    podSelector:
      matchLabels:
        asdfasdfasdfa: asdfasdfasdfasdfasdfas

or if you want to be more paranoid/explicit:

    podSelector:
      matchExpressions:
      - { key: dummy, operator: Exists }
      - { key: dummy, operator: NotExists }

either of which is also terrible, but maybe someone can come up with a less terrible version? (Or maybe we just let v1 be terrible but plan to move to a less-terrible v2 soon?)

@danwinship @thockin @caseydavenport Take a look at f058d5d . The tests will probably fail since I have not added this to v1beta1, but I wanted to see if this behavior works.

Didn't you just contradict yourself? "any NP object that has no ingress block means 'default-deny ingress'" vs "The only way it can not affect ingress is if the user specifies just 'Egress'" ?

I don't think so. I just wasn't clear. If policyTypes is explicitly [ "Egress" ] and nothing else, then the ingress block has no effect. If the policyTypes field is not specified, it MUST be defaulted to at least [ "Ingress" ], though I think it is safe to detect non-empty egress block and add "Egress" to policyTypes.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
spec:
  policyTypes: [ "Egress" ]
  egress:

Does that default-deny ingress or not?

It would have no effect on Ingress. But you're right - upon a rollback, this breaks the cluster. Both policyTypes and egress would be ignored in 1.7, converting it to a default-deny ingress rule.

for rollback compatibility we have to ensure that any policy in 1.8 still has the same ingress semantics it would have had in 1.7 if you remove any new fields.

This is something I think I never really considered about one-of blocks. You can't add a new option and then allow rollbacks. Any IPBlock user who rolls back to 1.7 will be left with an object that fails validation. The NetworkPolicy "foobar2" is invalid: spec.ingress[0].from[0]: Required value: must specify a from type. We've already introduced a breaking change by adding IPBlock at all.

I need to think about how we do this elsewhere. It may be that we're setting the bar too high here.

@thockin @danwinship @caseydavenport

This should pass all tests now.

TODO:

• Need to validate empty policyTypes
• Duplicate types
• Refactor validation pieces (split out ports)

Can we have these as TODOs post-freeze?

I suspect we can make the validation tweaks post-freeze if we really need to.

I'd like to get a conclusion on this comment though: https://github.com/kubernetes/kubernetes/pull/51351/files#r136650232

@thockin @danwinship

/lgtm
/approve

http://gph.is/1y9uxL8

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

Since I needed to rebase and fix some golint stuff, I added the comment and validation suggestions as well. Will need another LGTM

/test pull-kubernetes-unit

/lgtm

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cmluciano, thockin

Associated issue: 50453

The full list of commands accepted by this bot can be found here.

/test pull-kubernetes-e2e-kops-aws

@cmluciano: The following test failed, say /retest to rerun them all:

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Automatic merge from submit-queue (batch tested with PRs 51984, 51351, 51873, 51795, 51634)