Skip to content

policy: limit globally affecting egress networks to a single namespace #13246

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zaharidichev merged 2 commits into from
Oct 31, 2024
Merged

policy: limit globally affecting egress networks to a single namespace #13246

zaharidichev merged 2 commits into from
Oct 31, 2024

Conversation

@zaharidichev
Copy link
Member

@zaharidichev zaharidichev commented Oct 30, 2024
edited
Loading

This change introduces an global_external_network_namespace argument to the policy controller and alters the semantics of EgressNetwork matching in a way that:

  • egress networks created in the global egress networks namespace will affect all client workloads in the cluster
  • egress networks in the same namespace as the client will always be preferred

Signed-off-by: Zahari Dichev [email protected]

@zaharidichev zaharidichev requested a review from a team as a code owner October 30, 2024 09:50
@zaharidichev zaharidichev changed the title limit globally affecting egress networks to a single namespace policy: limit globally affecting egress networks to a single namespace Oct 30, 2024
adleong
adleong approved these changes Oct 30, 2024
View reviewed changes
policy-controller/k8s/index/src/outbound/index/egress_network.rs Outdated
// Logic is:
// 1. if there are Egress networks in the source_namespace, only these are considered
// 2. otherwise only networks from the global egress network namespace are considered
// 2. the target IP is matched against the networks of the EgressNetwork
Copy link
Member

@adleong adleong Oct 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: fix numbering

policy-controller/k8s/index/src/outbound/index/egress_network.rs Outdated
pub(crate) fn resolve_egress_network<'n>(
addr: IpAddr,
source_namespace: String,
global_external_network_namespace: Arc<String>,
Copy link
Member

@adleong adleong Oct 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it simplify things to just take a &str here since we don't actually need to take ownership of the String?

@zaharidichev
feedback
7010e6b 
Signed-off-by: Zahari Dichev <[email protected]>
@zaharidichev zaharidichev merged commit 7bb867b into main Oct 31, 2024
42 checks passed
@zaharidichev zaharidichev deleted the zd/global-egress-nets branch October 31, 2024 08:37
@zaharidichev zaharidichev mentioned this pull request Oct 31, 2024
Merged
zaharidichev added a commit that referenced this pull request Nov 1, 2024
@zaharidichev
policy: Make global egress network namespace configurable (#13250)
4b10157 
In a previous PR (#13246) we introduced an egress networks namespace that is used to create `EgressNetwork` objects that affect all client workloads.

This change makes this namespace configurable through helm values. Additionally, we unify the naming convention of the arguments to use **egress** as opposed to **external**

Signed-off-by: Zahari Dichev <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adleong adleong adleong approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zaharidichev @adleong