NPEP-230: Add dry-run mode. #276
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| # NPEP-95: NPEP template | ||
|
|
||
| * Issue: [#230](https://github.com/kubernetes-sigs/network-policy-api/issues/230) | ||
| * Status: Provisional | ||
|
|
||
| ## TLDR | ||
|
|
||
| Add dry-run mode for (B)ANP to allow "disabling" policies without deleting them. | ||
| This should allow implementations add extra audit/monitoring/logging capabilities on top of this feature. | ||
|
|
||
| ## Goals | ||
|
|
||
| A (B)ANP dry-run mode should not affect any connections, i.e. it should be treated as if did not exist. | ||
| Networking plugins can interpret the contents of the object to provide feedback (e.g. via logging or observability tools) | ||
| to see which connections will be dropped/allowed once this (B)ANP is enforced. | ||
|
|
||
| ## Non-Goals | ||
|
|
||
| Define exact logging/observability formats for network plugins. | ||
|
|
||
| ## Introduction | ||
|
|
||
| Users may want to ensure no unexpected connections will be denied by a new (B)ANP. | ||
| A dry-run mode should not affect any connections, and allow the networking plugin to provide feedback | ||
| (e.g. via logging or observability tools) to see which connections will be dropped/allowed once this (B)ANP is enforced. | ||
|
|
||
| ## User-Stories/Use-Cases | ||
|
|
||
| As a cluster admin, I am designing new ANPs for my cluster and want to make sure applying them won't | ||
| have any unexpected effects. To do so, I want to apply ANPs in a dry-run mode and get feedback from the network | ||
| plugin on which connections would be dropped/allowed. | ||
|
|
||
| As a cluster admin, I want to get feedback from the network plugin for currently allowed/denied connections | ||
| with (B)ANP. | ||
| This one needs more discussion as it is already do-able with extra labels/annotations, because adding | ||
| logging/audit/observability while enforcing (B)ANP is a side effect and doesn't break (B)ANP semantics. | ||
| But since we are considering adding a new flag, it may be useful to add this option with vague description, like | ||
| "Enables logging/audit/observability as defined by the networking plugin. May also have no effect is the plugin doesn't support it." | ||
|
|
||
| ### Dry-run for changing an existing (B)ANP | ||
|
|
||
| Calico's StagedPolicy allows analyzing the effect of changing an existing policy. That approach requires a new CRD (StagedPolicy), | ||
| that is an exact copy of the original policy, then you can create a StagedPolicy with the same name as an already existing policy, | ||
| and that would meat that you intend to replace the existing policy with the staged one. | ||
|
|
||
| Besides a new CRD, this approach also requires some extra simulation logic, because existing policy should be applied on | ||
| one hand, and be replaced in the simulation on the other hand. | ||
|
|
||
| Simulating the (B)ANP change is possible with the simple dry-run mode, but it requires creating a new (B)ANP representing | ||
| the "diff" between existing and a new policy config. This approach is less user-friendly though. | ||
|
|
||
| ## API | ||
|
|
||
| (... details, can point to PR with changes) | ||
|
|
||
| ## Conformance Details | ||
|
|
||
| (This section describes the names to be used for the feature or | ||
| features in conformance tests and profiles. | ||
|
|
||
| These should be `CamelCase` names that specify the feature as | ||
| precisely as possible, and are particularly important for | ||
| Extended features, since they may be surfaced to users.) | ||
|
|
||
| ## Alternatives | ||
|
|
||
| - Use Policy Assistant https://github.com/kubernetes-sigs/network-policy-api/issues/221, may have some limitations. Needs additional discussion. | ||
| - Leave it to be implementation-specific. This required a copy of ANP CRD that changes behaviour (doesn't really apply) with dry-run flag. | ||
|
|
||
| ## References | ||
|
|
||
| Similar features: | ||
| - calico: https://docs.tigera.io/calico-cloud/network-policy/staged-network-policies | ||
|
There was a problem hiding this comment. I talked to the folks that designed Calico's staged policy and I asked why we added a second resource type That's not quite the same as creating a second policy at the same order with a different name; it wouldn't be clear if the user is asking us to simulate both policies being present or only the new one. There was a problem hiding this comment. I think this is a valuable use case, added a section about this to NPEP. |
||
| - cilium Issue: https://github.com/cilium/cilium/issues/9580 | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this not also a proposal for NetworkPolicy itself?