Explicitly explain "fail closed".

[fasaxc]

Spell out the meaning of "fail closed" for the various rule actions. Tweak description to account for not all fields being pointers.

[k8s-ci-robot]

Welcome @fasaxc!

It looks like this is your first PR to kubernetes-sigs/network-policy-api 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/network-policy-api has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @fasaxc. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[netlify]

✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name	Link
🔨 Latest commit	6785c21
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-network-policy-api/deploys/672e2cde952f7a000881030b
😎 Deploy Preview	https://deploy-preview-252--kubernetes-sigs-network-policy-api.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[npinaeva]

/ok-to-test

[tssurya]

I am a bit confused by this comment, "unknown option"... do you mean other values outside of the 5 allowed peers? Should yaml creation fail ? or does it get ignored internall? could you please show an example of the fail scenario you mean?

[fasaxc]

My understanding is that we want to make sure that we guard against upgrading the CRD without upgrading the implementation. If you upgrade to a new CRD version and it has a new field in the struct, we want the old implementation to spot that the struct appears empty and then to infer that an unsupported field must be present.

That design decision was made before I joined the group; I'm not sure how realistic it is given that the implementations are bundling the CRDs (so as you say, CRD validation should kick in)? But it seemed to be a design goal for the struct.

[danwinship]

Hm... the thinking here was based on experience with NetworkPolicy where you have to deal with the possibility of the API and the implementation being out-of-sync.

It's possible that this doesn't really make sense in the ANP / CRD model...

[npinaeva]

I have done some research, and here is what I found:

The AdminNetworkPolicySubject and AdminNetworkPolicyPeer types are explicitly
 designed to allow for future extensibility with a focus on the addition of new types of 
selectors. Specifically it will allow for failing closed in the event an implementation does 
not implement a defined selector. For example, If a new type (ServiceAccounts) was 
added to the AdminNetworkPolicyPeer struct, and an implementation had not yet 
implemented support for such a selector, an ANP using the new selector would have no
 effect since the implementation would simply see an empty AdminNetworkPolicyPeer 
object.

https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/2091-admin-network-policy#general-notes-on-the-adminnetworkpolicy-api

I am not quite sure, if "ANP using the new selector would have no effect" actually means that "an empty AdminNetworkPolicyPeer" should have no effect. But I think "deny all" was not a part of the plan.

[danwinship]

But if a user tried to create an ANP with a ServiceAccounts selector against the current v1alpha1 CRD, it would fail, because CRD validation would not see that field in the object (since it's not part of the CRD), and so then the MinProperties=1 on AdminNetworkPolicyEgressPeer would be false.

The only way there could be a problem would be if the ANP implementation installed a version of the CRD that includes ServiceAccounts, but the ANP code hadn't been updated to know about it.

I guess perhaps this could happen though, if you had updated the CRDs because you wanted to implement a different new feature, but hadn't also implemented this new feature yet?

So in that case the advice is correct, but maybe confusingly worded. We should say something like "if an implementation does not implement all of the peer types in the version of the CRD that it installs, then it needs to fail closed when one of the unimplemented peer types is used".

[npinaeva]

what do you mean here by "fail closed"? I think we should not use this phrase as it is confusing.

[danwinship]

I mean, the new text Shaun already wrote. We would just be explaining better that that advice is only needed in the case where you have intentionally shipped a version of the CRD that contains features that you don't support.

[npinaeva]

we have discussed on the last sig meeting another potential solution: ignore "empty" rule OR the whole ANP and report an error condition in the status.
One concern about denying all for an unknown peer type, is that it may break important connections. Best case is just some crashlooping pods, worst case is the whole cluster will be dead if it denies e.g. kube-components ingress, like for apiserver.

[fasaxc]

I do think we need to do something to alert the user. Blocking traffic is extreme but it's the only tool we have until / unless we add a status or similar. I see this PR as just tidying up the wording that was already there (it already said "fail closed", I just wanted to make sure we wrote down the expectation).

Feels like adding a status would be a bigger change needing an NPEP.

[npinaeva]

agree, the only concern I have is that changing poorly defined "fail closed" to a well-defined status is less of a breaking changing than changing now (if this PR merges) well-defined "deny all" to some status in the future.

[danwinship]

I'm happy with the current wording here. We might want to explain the logic behind this in a little more detail somewhere, but the API documentation isn't really the right place for that.

/approve
anyone else want to lgtm?

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, fasaxc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [danwinship]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment