otomi-core icon indicating copy to clipboard operation
otomi-core copied to clipboard

Published 20 hours ago verified publisher icon redkubes

Move network policies out of team service object

Open j-zimnowoda opened this issue 1 year ago • 4 comments

WHY

  1. Network policies are about workloads (Pods) not services
  2. Egress policies are namespace wide

User Story

AS A A team user I WANT TO to access team network policies from the left side menu AND and use Pod labels to assign the ingress Policies SO I can define them independently from workloads and services AND I can also allow traffic from namespaces that do not belong to any team

Acceptance criteria

GIVEN existing networkPolicy object in each team service WHENI upgrade Otomi to a new version THENAll the policies are migrate from <team>.services.[*].networkPolicy to <team>. networkPolicies[*]

GIVEN podSelector that is applicable only to the ingressPrivate (not to egressPublic) WHEN I upgrade Otomi to a new version THEN podSelector is migrated under the ingressPrivate property AND renamed to toLabel

GIVEN ingressPrivate property with team and service properties
WHEN I upgrade Otomi to a new version THEN team property is renamed to fromNamespace AND team property values prefixed with team- AND service property is renamed to fromLabel

GIVEN selfService.service.networkPolicy property within a team
WHEN I upgrade Otomi to a new version THEN networkPolicy property is moved under selfService.networkPolicy AND otomi-api leverage the new property to establish user permissions

Definition of done

  • [ ] Relevant PRs are merged
  • [ ] Tested by peer
  • [ ] Updated documentation reviewed by peer
  • [ ] Short demo video recorded and stored on google drive (if applicable)

j-zimnowoda avatar Jan 30 '24 16:01 j-zimnowoda

Hey team! Please add your planning poker estimate with Zenhub @Ani1357 @dennisvankekem @ElderMatt @ferruhcihan @merll

j-zimnowoda avatar Jan 30 '24 17:01 j-zimnowoda

example:

netpol:
   - type: ingressPrivate
     name: my-net
     toNamespace: team-a
     fromNamespace: team-b
     toLabel: 
      - a=b
     fromLabel: 
      - a=b
   - type: ingressPrivate
     name: my-net-2
     toNamespace: team-a
     fromNamespace: team-b
     toLabel: 
      - a=b
     fromLabel: 
      - a=b
   - type: egressExternal
     name: toGoogle
     domain: https://google.com

j-zimnowoda avatar Feb 05 '24 11:02 j-zimnowoda

@srodenhuis These are standard labels for regular helm chart

metadata:
  name: release-name-rabbitmq
  labels:
    helm.sh/chart: rabbitmq-0.1.0
    app.kubernetes.io/name: rabbitmq
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm

By default the lableSelector is defined in the _helpers.tpl

      app.kubernetes.io/name: rabbitmq
      app.kubernetes.io/instance: release-name

It would mean that we may need two labels for podSelector in the NetworkPolicy However, Helm release names must be unique within a namespace. Thus network policies can rely on app.kubernetes.io/instance: release-name label.

What do you think?

j-zimnowoda avatar Feb 06 '24 11:02 j-zimnowoda

I am going to perform some tests and will update documentation about testing & troubleshooting netpols.

j-zimnowoda avatar Feb 27 '24 07:02 j-zimnowoda