[ENHANCEMENT] Use Cases for wanting Egress CIDR Peers as an external object #182

tssurya opened this issue Dec 5, 2023 · 5 comments · May be fixed by #183
tssurya commented Dec 5, 2023

Is your enhancement request related to a problem? Please describe.

Use case by @joestringer

As a cluster administrator I want to ensure that pods can reach commonly-used databases under my control but outside Kubernetes. Many but not all applications in my environment rely on these databases. I want to delegate writing network policy for this traffic to namespace owners.
Example: As a cluster administrator I define a CIDR group that defines a set of RDS instances that is used across multiple apps. The owners of namespaceA and namespaceB can then define policies that allow traffic to this group of RDS instances, and they reference the instances by CIDR group. As a cluster administrator I can migrate the database infrastructure and update the CIDR group independently of the namespace owners. The applications in namespaceC do not use this infrastructure, so the cluster administrator and the owners of namespaceC do not need to think about network policy for apps in namespaceC.

#144 (comment)

@networkop also mentions

Another use case could be a cluster controller that watches external resources (e.g. via cloud API or BGP) and updates the CIDR object with the changes. In this case, the controller only needs enough RBAC rules to update the CIDR object and would not need to touch the ANP itself.

Describe the solution you'd like
Have CIDR peers as an external object (in addition to the default inlined one #144 is proposing?). That makes it more extendable.


Additional context
See #144 (comment) for details
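
A small model of the indirection the two use cases above ask for, added here as an example and not code from the network-policy-api project: the group object, the `cidrGroupRef` peer field and the addresses are constructed assumptions, since the issue defines no API. It shows that migrating the admin-owned group changes what namespaceA and namespaceB may reach without editing their policies, that namespaceC is never involved, and that a dangling reference fails closed.

```python
"""Model of the external-CIDR-group indirection this issue proposes."""
from ipaddress import ip_address, ip_network

# Constructed sample: admin-owned CIDR groups (the RDS instances in the
# issue), keyed by name. Only the cluster admin, or a controller whose RBAC
# is limited to this object, writes here; namespace owners only reference it.
CIDR_GROUPS = {"rds-prod": ["10.20.0.0/24", "10.21.0.0/24"]}

# Constructed sample: namespace-owned egress rules. The hypothetical
# cidrGroupRef peer names a group instead of embedding CIDRs. namespaceC
# uses no database, so it has no rule and is never affected by group edits.
NAMESPACE_POLICIES = {
    "namespaceA": [{"action": "Allow", "cidrGroupRef": "rds-prod", "port": 5432}],
    "namespaceB": [{"action": "Allow", "cidrGroupRef": "rds-prod", "port": 5432}],
}


def resolve(rule, groups):
    """Expand a cidrGroupRef into networks. A dangling reference yields no
    networks, so the rule matches nothing: the safe failure mode."""
    return [ip_network(c) for c in groups.get(rule["cidrGroupRef"], [])]


def egress_allowed(namespace, dst_ip, dst_port,
                   groups=CIDR_GROUPS, policies=NAMESPACE_POLICIES):
    """True when an Allow rule of the namespace covers dst_ip:dst_port."""
    ip = ip_address(dst_ip)
    for rule in policies.get(namespace, []):
        if rule["action"] != "Allow" or rule["port"] != dst_port:
            continue
        if any(ip in net for net in resolve(rule, groups)):
            return True
    return False


def migrate_group(groups, name, new_cidrs):
    """Admin-side change: swap a group's members. Namespace policies are
    untouched; their references pick up the new CIDRs on next evaluation."""
    updated = dict(groups)
    updated[name] = list(new_cidrs)
    return updated


def referencing_namespaces(name, policies=NAMESPACE_POLICIES):
    """Blast radius of editing one group: namespaces whose rules name it."""
    return sorted(ns for ns, rules in policies.items()
                  if any(r["cidrGroupRef"] == name for r in rules))
```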

tssurya commented Dec 7, 2023

/assign @tssurya

tssurya commented Dec 7, 2023

I think we are getting some solid use cases for this. I will open a new NPEP as discussed in previous net pol meeting to take this forward.

@tssurya tssurya linked a pull request Dec 7, 2023 that will close this issue
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 6, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 5, 2024
tssurya commented Apr 5, 2024

/remove-lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Apr 5, 2024