npep-285: Combine ANP and BANP

[npinaeva]

Current version doesn't suggest a specific API, but outlines different options. After this EP gets some feedback, it will be updated with the winning options.
tracking issue #285

[netlify]

✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name	Link
🔨 Latest commit	5a681de
🔍 Latest deploy log	https://app.netlify.com/projects/kubernetes-sigs-network-policy-api/deploys/683ef834122d650008ed0d42
😎 Deploy Preview	https://deploy-preview-289--kubernetes-sigs-network-policy-api.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[bowei]

Mostly discussion comments, general direction is +1 from me (less APIs that are almost 100% duplicated the better)

[bowei]

Should BANP Pass mean go to NP? But isn't BANP only active if there is no NP? It just sounds like Pass == Allow in behavior?

[npinaeva]

Pass generally means "go the next layer", so for ANP that goes to netpol, and for BANP that goes to the default-cluster-policy, which is allow

[danwinship]

"Pass" is currently documented as "skip any remaining ANP rules, and then pass execution to any NetworkPolicies that select the pod", and we generally describe its semantics as being to delegate from the admin to the end users.

But if we change "Pass" to mean "skip to the next tier", and then we add, say, a "HardTenancy" tier between the top tier and the NetworkPolicy tier, then Passing from the top tier would no longer "skip any remaining ANP rules and pass execution to NetworkPolicy". It would just skip from generic ANP rules to tenancy-specific ANP rules, which may or may not be what the admin wanted. (I'm sure we could come up with examples where it would do the right thing, and examples of where it would do the wrong thing.)

Also, I was thinking about the problem of protecting system namespaces from rogue ANPs that accidentally block access to critical components, and thought that perhaps would could add a "Provider" tier above the "Admin" tier, for distro/infra-provider rules (perhaps with a VAP to block new additions to that tier after cluster install time). But that wouldn't work, because the rule you want there is "for subject pods in system namespaces, Pass to the NetworkPolicy tier". But you wouldn't actually be able to Pass directly from the "Provider" tier to the "NetworkPolicy" tier, and "Pass"ing to the "Admin" tier is exactly what you don't want. (Of course, you could instead just have a preinstalled "tier: Admin" policy with priority 0 and a VAP to block other priority 0 policies, and then "Pass" would work. But this seems like the sort of problem that could apply to other potential future tiers.)

[npinaeva]

I have a slightly different understanding of the Pass action. I always imagined that having no ANP rules that match a connection should work exactly the same as Passing that connection to NP (aka just skip the current tier). In the current model ANP Pass can be interpreted as "delegate decision to the namespace owner" aka "I don't care what happens to this connection, you decide", which leads me to believe that this action can only be reasonably used as an exception (deny all, but pass all pod-to-pod)

If we add more tiers, I think allowing to skip the whole tier (e.g. with Pass always going to the NP level) makes this system more complicated, because then to make sure your tier rules are applied you need to check that a given connection is not skipped on the previous tier. I am also not sure I agree with the "rogue ANP" as a valid use case, because as a cluster admin I want to have control over my cluster connections, and letting provider override my rules makes this system less secure.

[fasaxc]

In the provider tier hypothetical, I think you'd just have to accept the important traffic in the provider tier rather than delegating? You lose a little fine grained control perhaps but "pass = go to next tier" is Calico's model and I don't think I've seen anyone find that limiting.

[bowei]

Although it sounds like the non-extensibility of NP API was not intended, so likely

1. NPv2 needs to happen
2. NPv2 will have FQDN (why not?)

[npinaeva]

that is certainly an option! in this context I am mostly trying to make sure ANP+BANP merge should not be a problem

[fasaxc]

I don't follow this; couldn't you have a BANP that had multiple rules:

• deny XYZ
• allow to foo.example.com
• deny to ABC
• allow to bar.example.com

[npinaeva]

Sure, you can. This part tries to address the original concern that a NetworkPolicy can't override allow to foo.example.com part of BANP, which it can, because an override will have to be "deny". So even if we ever implement allow DNSName peer in network policy, it has nothing to do with the ability to override BANP.

[fasaxc]

I think, if Pass is allowed, we could present it as there being a "final default-allow tier" that Pass jumps to. Then we're free to add more tiers after BANP in future and Pass will do the natural thing.

[danwinship]

Agree. We should allow Pass in BANPs. Maybe we should consider renaming it? (Skip? Return? Or maybe Pass is still the best option...)

[fasaxc]

Pass is my preferred option but mainly because it's consistent with Calico. We also considered calling that Skip and NextTier way-back-when. I think Skip is very similar to Pass in that you need to be told exactly what it does the first time? NextTier is explicit, which is nice.

[danwinship]

This feels artificial. I think it's more useful to just explain that lots of people have found the current API confusing.

[tssurya]

but I do want to note that in the past 3 years we have advertised ANP/BANP so much that ppl now remember the tiering system so there will also be some confusion once we introduce this change for a little while - at least for people who know the current API - but new users will be fine

[danwinship]

Suggested change

	- Add a new field `spec.tier` to distinguish ANP vs BANP. The values could be `Overrride` and `Baseline`.
	- Add a new field `spec.tier` to distinguish ANP vs BANP. The values could be `Override` and `Baseline`.

[danwinship]

Avoiding this is the reason we ended up with separate BANP in the first place. People felt like it made the semantics of Pass too confusing and too hard to explain. "Pass skips over all remaining ANPs with priority greater than 0, then checks NPs, then comes back and processes the rest of the ANPs with priority less than 0."

I think the "tier" system makes this much clearer: Pass ends processing of the current tier and moves to the next tier.

[danwinship]

"precedence" is no better if we are keeping the "lower number means more important" semantics. "Order" and "sequence" work.

[danwinship]

Should point out that there is no "deep" reason for this; it's just because, at the time, we didn't have user stories that would require more than one BANP, so we decided to initially only allow a single BANP, figuring that we could always relax that and allow multiple BANPs later if we found good use cases for it, whereas if we started off allowing multiple BANPs and then it turned out we had been right before and there really were no good use cases for it, it would be harder to retroactively restrict it, because even if there weren't good use cases for it, people would have come up with bad use cases and wouldn't want us to change it.

[danwinship]

Agree. We should allow Pass in BANPs. Maybe we should consider renaming it? (Skip? Return? Or maybe Pass is still the best option...)

[danwinship]

The line above what you quoted says "Currently only AdminNetworkPolicy is the intended scope for this proposal." (emphasis added). As I remember it, this was like the BANP singleton issue: we were not rejecting the idea of FQDNs in BANPs, we were just not allowing it now.

We could still have the rule that FQDNs are not allowed in tier: Baseline ANPs if we wanted.

[npinaeva]

yeah we can, but I think it makes sense to allow it and have more uniform ANP vs BANP experience

[fasaxc]

+1 for uniformity

[tssurya]

Is the code really complex? The fields in BANP are a subset of what we have for ANP

[npinaeva]

maintaining 2 copies of something is always harder and more error-prone. How much more complex - depends on the implementation, but there is no way to implement it with 0 overhead

[bowei]

This feels less like a user story and more as something as API authors that we are trying to avoid increasing the number of APIs that need to be learned and maintained (complexity argument).

[npinaeva]

I had an API maintainer user story separately, because 2 CRDs add overhead both for API maintainers and for API implementation devs. While we can ignore our "own" API maintainers problems, making implementors' lives easier sounds like a valid user story to me

[tssurya]

can we add the use case for wanting pass in BANP so that users know when that needs to be used?

[danwinship]

There's not particularly a use case for using Pass in tier: Baseline, given that it ends up meaning the same thing as Accept. It's more that it has a well-defined meaning ("skip the rest of the tier") and thus there's no good argument for restricting it.

EDIT: or maybe there's an argument for restricting Pass to mean only "pass from ANP to NetworkPolicy, regardless of what other tiers exist now or in the future"? #289 (comment)

[tssurya]

So I typed this comment during our discussion as to not forget to write it down on npep.. like what you said.. its being added not because of a particular usecase but because its harmless

[fasaxc]

Typo: potentiall

[fasaxc]

In the provider tier hypothetical, I think you'd just have to accept the important traffic in the provider tier rather than delegating? You lose a little fine grained control perhaps but "pass = go to next tier" is Calico's model and I don't think I've seen anyone find that limiting.

[fasaxc]

Pass is my preferred option but mainly because it's consistent with Calico. We also considered calling that Skip and NextTier way-back-when. I think Skip is very similar to Pass in that you need to be told exactly what it does the first time? NextTier is explicit, which is nice.

[fasaxc]

+1 for uniformity

[bowei]

My preference is that we get the big change in (remove BNP etc) and there will be multiple passes to fix up the comments etc. From the NPEP perspective, I don't see a huge amount that we can gain by trying to the refining here in this proposal npep-285

[bowei]

This feels less like a user story and more as something as API authors that we are trying to avoid increasing the number of APIs that need to be learned and maintained (complexity argument).

[bowei]

...specify the order of application based on some attribute other than the resource type.

[npinaeva]

do you mean something like integer tier values?

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bowei, npinaeva
Once this PR has been reviewed and has the lgtm label, please assign astoycos for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bowei]

/lgtm

As per my comment elsewhere -- I'm ok with moving ahead with the large changes and doing refining in the actual API changes themselves vs trying to do it in this proposal.

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: npinaeva / name: Nadia Pinaeva (5a681de)