Add support for K8s network policies
The purpose of this blueprint is to add Kubernetes Network Policy support to kuryr-kubernetes.
Blueprint information
- Status: Complete
- Approver: Irena Berezovsky
- Priority: High
- Drafter: Irena Berezovsky
- Direction: Needs approval
- Assignee: Daniel Mellado
- Definition: Approved
- Series goal: Accepted for trunk
- Implementation: Implemented
- Milestone target: None
- Started by: Irena Berezovsky
- Completed by: Michal Dulko
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Kubernetes Network Policy support Spec
Gerrit topic: https:/
Addressed by: https:/
[WIP] Translate k8s policy to SG
Addressed by: https:/
[WIP] Create network policy handler and driver
Addressed by: https:/
[WIP] DisposableWatch for k8s client
Addressed by: https:/
[WIP] Annotate pods that selected by k8s label-selector
Addressed by: https:/
[WIP] Add policy security-groups driver
Addressed by: https:/
Create network policy handler and driver
Addressed by: https:/
(WIP) Implement Network Policies Driver
Gerrit topic: https:/
Addressed by: https:/
[WIP] Support network policy update
Addressed by: https:/
[WIP] Add security groups driver for NP
Gerrit topic: https:/
Addressed by: https:/
Ensure namespace and network policy compatibility
Addressed by: https:/
Ensure namespace and network policy compatibility
Addressed by: https:/
[WIP] Ensure existing pods use the right network policy
Addressed by: https:/
Remove np spec from kuryrnetworkpolicy annotations
Addressed by: https:/
Adds CRDs readiness checks to Kuryr-Controller
Addressed by: https:/
Ensure pod relabeling is supported by the Network Policy
Addressed by: https:/
Add namespaceSelector support for NetworkPolicies
Addressed by: https:/
[WIP] Add support for matchExpressions
Gerrit topic: https:/
Gerrit topic: https:/
Addressed by: https:/
Fix labels encode
Addressed by: https:/
Add support for podSelector
Gerrit topic: https:/
Addressed by: https:/
Ensure pod_label handler skips host_network pods
Gerrit topic: https:/
Gerrit topic: https:/
Addressed by: https:/
Ensure kubelet pod has default connectivity with Network Policies
Addressed by: https:/
Ensure network policies are not applied on pod with host networking
Addressed by: https:/
[wip] Update CRD when NP has podSelectors
Gerrit topic: https:/
Addressed by: https:/
Avoid raising ResourceNotReady exception at pod label handler
Gerrit topic: https:/
Addressed by: https:/
Handle loadbalancer SGs are created when sg_mode is create
Addressed by: https:/
[WIP] Add Network Policy support to services
Addressed by: https:/
[WIP] Update CRD when NP has namespaceSelectors
Gerrit topic: https:/
Addressed by: https:/
Fix NP creation when it has namespaceSelector
Addressed by: https:/
Ensure reaction to svc target-port update
Addressed by: https:/
[wip] Ensure NP changes are applied to services
Addressed by: https:/
Ensure lb sg rules are not deleted when adding members
Addressed by: https:/
Revert "Ensure reaction to svc target-port update"
Gerrit topic: https:/
Addressed by: https:/
Fix CRD update when NP has namespaceSelectors
Gerrit topic: https:/
Addressed by: https:/
Ensure host to pod connectivity for NP
Addressed by: https:/
Pools support with Network Policies
Gerrit topic: https:/
Addressed by: https:/
Add ipBlock support to NP
Gerrit topic: https:/
Addressed by: https:/
Ensure NP Security Group is update on pod events
Addressed by: https:/
Add ipBlock support to NP
Work Items
Work items:
Network policy spec (https:/
Network-policy driver - Translate k8s-policy to neutron-SG (https:/
Network-policy driver - Annotate the pod with security-group-id (https:/
Network-policy driver - Attach allowed ingress and egress pods to the remote SG (https:/
Create Network-policy handler (https:/
Create network policy pods security-group driver (https:/
Handle Controller restart: TODO
Handle port pool changes: TODO
Create tempest test: TODO