Update ports to protocols #326
Conversation
✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/XL
| // +kubebuilder:default=TCP | ||
| Protocol corev1.Protocol `json:"protocol,omitempty"` | ||
|
|
||
| // Specific port to match against. | ||
| // | ||
| // +optional | ||
| Port *ClusterNetworkPolicyPort `json:"port,omitempty"` |
There was a problem hiding this comment.
is Protocol defaulted if Port is nil? I'm confused on how this will work since Port is optional
There was a problem hiding this comment.
See CEL validation : TCP => need to set port.
There was a problem hiding this comment.
I'm assuming the order will be default and then validate, but have to check.
|
nice! instead of is there any special reason for it? I think we wanted to have new embedded fields for non-port-based protocols, like |
|
I was looking at some of the other Kubernetes APIs -- and this nesting seems to be more natural, as we are using the string prefix as a grouping instead of nesting, which is more explicit. From a future-proofing perspective and validation perspective, it feels like nesting might be the right choice: Here is what each variant would look like, it doesn't look that bad? I'm happy to change it to the other one -- maybe let's quickly discuss this in the meeting to see what others think. |
|
The goal from the KubeCon notes was "Make TCP and UDP easy to write and easy to read. Make ICMP and named ports possible." So protocols:
- port: 80is nice because it's very easy for the user. But as we also said in the KubeCon notes, it "[makes] the structs more complicated to make the YAML nicer", and it will make it really hard to understand the I feel like people use ports too much in NetworkPolicies anyway, so I don't really object to making them more annoying to use. 🙂 |
| // to TCP. | ||
| // | ||
| // +kubebuilder:default=TCP | ||
| Protocol corev1.Protocol `json:"protocol,omitempty"` |
There was a problem hiding this comment.
Hm... this preserves the existing "bug" where you can specify
protocols:
- protocol: TCP
port:
name: foo
where the "TCP" is either redundant or incorrect. Named ports should not have an explicitly-specified protocol.
There was a problem hiding this comment.
I think (!(has(self.Port) && has(self.Port.Name)) || self.Protocol == '') would cover this case?
There is a slight problem in that we can only generate this validation for experimental fields.
|
I can live with either or It's nice that the latter doesn't have several fields with same prefix, which would be a bit of a smell. But, it has the downside that it takes three lines of YAML to specify a single port instead of two. |
|
Did we decide that in the end, I know it's the case for NetPol but ISTR that we wanted explicit for A/CNP |
|
the notes from kubecon say
which I guess addresses my comment above about named ports too... (but the validation and defaulting in this patch need to be updated if that's what we're going with) |
|
Sounds like people are mostly ok with either choice, in which case, my recommendation is to go with the one proposed here and then people can play around with it to figure out if there is a significant drawback we haven't thought of? |
bowei
force-pushed
the
pr-port-to-protocol
branch
from
545253d to
25b0733
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: bowei The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
needs-rebase
Makes the `ports` clause a more generic `protocols` block to allow for
future expansion.
Example
```yaml
apiVersion: policy.networking.k8s.io/v1alpha2
kind: ClusterNetworkPolicy
metadata:
name: pub-svc-delegate-example
spec:
tier: Admin
priority: 20
subject:
namespaces: {}
egress:
- action: Pass
to:
- pods:
namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: bar-ns-1
podSelector:
matchLabels:
app: svc-pub
protocols: #<
- protocol: TCP #<
port: #<
number: 8080 #<
```
Another example:
```
protocols:
- protocol: TCP
port:
range:
start: 1000
end: 2000
- protocol: UDP
port:
number: 53
```
Ref: kubernetes-sigs#187
bowei
force-pushed
the
pr-port-to-protocol
branch
from
25b0733 to
10bc1ba
Compare
k8s-ci-robot
removed
the
needs-rebase
|
@bowei: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This change implements the update to the API: kubernetes-sigs/network-policy-api#326
7 participants
Makes the
portsclause a more genericprotocolsblock to allow for future expansion.Example
Another example:
Ref: #187