Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

policy: limit globally affecting egress networks to a single namespace #13246

Merged
merged 2 commits into from
Oct 31, 2024
Merged

policy: limit globally affecting egress networks to a single namespace #13246

merged 2 commits into from
Oct 31, 2024

Conversation

zaharidichev
Copy link
Member

@zaharidichev zaharidichev commented Oct 30, 2024
edited
Loading

This change introduces an global_external_network_namespace argument to the policy controller and alters the semantics of EgressNetwork matching in a way that:

  • egress networks created in the global egress networks namespace will affect all client workloads in the cluster
  • egress networks in the same namespace as the client will always be preferred

Signed-off-by: Zahari Dichev [email protected]

@zaharidichev zaharidichev requested a review from a team as a code owner October 30, 2024 09:50
@zaharidichev zaharidichev changed the title limit globally affecting egress networks to a single namespace policy: limit globally affecting egress networks to a single namespace Oct 30, 2024
adleong
adleong approved these changes Oct 30, 2024
View reviewed changes
policy-controller/k8s/index/src/outbound/index/egress_network.rs Outdated
@@ -61,14 +61,20 @@ impl EgressNetwork {
// Attempts to find the best matching network for a certain discovery look-up.
// Logic is:
// 1. if there are Egress networks in the source_namespace, only these are considered
// 2. otherwise only networks from the global egress network namespace are considered
// 2. the target IP is matched against the networks of the EgressNetwork
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: fix numbering

policy-controller/k8s/index/src/outbound/index/egress_network.rs Outdated
// 2. the target IP is matched against the networks of the EgressNetwork
// 3. ambiguity is resolved as by comparing the networks using compare_matched_egress_network
pub(crate) fn resolve_egress_network<'n>(
addr: IpAddr,
source_namespace: String,
global_external_network_namespace: Arc<String>,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it simplify things to just take a &str here since we don't actually need to take ownership of the String?

@zaharidichev
feedback
7010e6b 
Signed-off-by: Zahari Dichev <[email protected]>
@zaharidichev zaharidichev merged commit 7bb867b into main Oct 31, 2024
42 checks passed
@zaharidichev zaharidichev deleted the zd/global-egress-nets branch October 31, 2024 08:37
@zaharidichev zaharidichev mentioned this pull request Oct 31, 2024
Merged
zaharidichev added a commit that referenced this pull request Nov 1, 2024
@zaharidichev
policy: Make global egress network namespace configurable (#13250)
4b10157 
In a previous PR (#13246) we introduced an egress networks namespace that is used to create `EgressNetwork` objects that affect all client workloads.

This change makes this namespace configurable through helm values. Additionally, we unify the naming convention of the arguments to use **egress** as opposed to **external**

Signed-off-by: Zahari Dichev <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adleong adleong adleong approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zaharidichev @adleong