[ENHANCEMENT] Combine ANP/BANP into one CRD

Open fasaxc opened this issue 10 months ago • 6 comments

Is your enhancement request related to a problem? Please describe.

This came up in the API review with @thockin. He suggested we look again at that split and consider how the API might evolve; in particular, what if we remove the singleton aspect from BANP and it ends up the same as ANP (with only tiny gotcha-level differences).

Describe the solution you'd like

Represent ANP and BANP with one CRD type and represent the difference using some other primitive.

My favoured approach would be to add a tier field to the combined ANP type that can be set to <value that makes it an ANP> <value that makes it a BANP>. This has the advantage that it's extensible to new "tiers" later.

TBD: do we immediately remove the BANP singleton restriction and add priority, or do we defer that (validate against it?)

Describe alternatives you've considered

On the call we discussed alternatives:

  • Tier field.
  • Negative priority for ANP, positive for BANP.

Additional context

Calico already has the concept of tiered policy; it is the feature that we use to implement ANP and BANP internally, so there's precedent for the name, and the feature has been popular with our enterprise users. Calico allows user-defined tiers, which may be something to consider for the future, but I think we can extend in that way later if required.

fasaxc Feb 12 '25 15:02

Probably needs a full NPEP!

fasaxc Feb 12 '25 15:02

/assign

npinaeva Apr 22 '25 15:04

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot Jul 21 '25 15:07

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot Aug 20 '25 16:08

/remove-lifecycle rotten

npinaeva Aug 27 '25 09:08

/lifecycle freeze

npinaeva Aug 27 '25 09:08