
Update NetworkPolicy docs for v1 #4003

Merged
merged 1 commit into from
Jun 7, 2017

Conversation

danwinship
Contributor

@danwinship danwinship commented Jun 6, 2017

Fixes #3934

@caseydavenport ok?

For 1.7 Features: set Milestone to 1.7 and Base Branch to release-1.7

I can't set the milestone...


@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 6, 2017
@chenopis chenopis added this to the 1.7 milestone Jun 6, 2017
@chenopis chenopis self-assigned this Jun 6, 2017
@chenopis chenopis requested a review from caseydavenport June 6, 2017 16:43
@caseydavenport
Member

This LGTM.

@danwinship what do you think about a section which mentions how to maintain v1beta1 semantics across upgrades?

@danwinship
Contributor Author

I'd be fine with that although I'm not sure where upgrade-related stuff belongs in the fancy new docs organization... It's covered in the release notes already:

NetworkPolicy has been moved from `extensions/v1beta1` to the new
`networking.k8s.io/v1` API group. The structure remains unchanged from
the beta1 API.

The `net.beta.kubernetes.io/network-policy` annotation on Namespaces
to opt in to isolation has been removed. Instead, isolation is now
determined at a per-pod level, with pods being isolated if there is
any NetworkPolicy whose spec.podSelector targets them. Pods that are
targeted by NetworkPolicies accept traffic that is accepted by any of
the NetworkPolicies (and nothing else), and pods that are not targeted
by any NetworkPolicy accept all traffic by default.

Action Required:

When upgrading to Kubernetes 1.7 (and a network plugin that supports
the new NetworkPolicy v1 semantics), to ensure full behavioral
compatibility with v1beta1:

    1. In Namespaces that previously had the "DefaultDeny" annotation,
       you can create equivalent v1 semantics by creating a
       NetworkPolicy that matches all pods but does not allow any
       traffic:

           kind: NetworkPolicy
           apiVersion: networking.k8s.io/v1
           metadata:
             name: default-deny
           spec:
             podSelector:

       This will ensure that pods that aren't matched by any other
       NetworkPolicy will continue to be fully-isolated, as they were
       before.

    2. In Namespaces that previously did not have the "DefaultDeny"
       annotation, you should delete any existing NetworkPolicy
       objects. These would have had no effect before, but with v1
       semantics they might cause some traffic to be blocked that you
       didn't intend to be blocked.
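The per-pod isolation rule in the quoted release note (a pod is isolated only if some policy's spec.podSelector targets it; targeted pods accept what any targeting policy allows, untargeted pods accept everything) modelled as a small checker. This is an added example, not code from this PR or from Kubernetes; policies are plain dicts mirroring the YAML objects, only same-namespace podSelector peers are modelled, and the pod labels and policy names are constructed.

```python
"""Model of NetworkPolicy v1 isolation semantics (added example, not Kubernetes code)."""
from typing import Dict, List

Labels = Dict[str, str]


def selector_matches(selector: dict, labels: Labels) -> bool:
    """matchLabels-only LabelSelector; an empty selector ({} or null) matches every pod."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def is_isolated(pod: Labels, policies: List[dict]) -> bool:
    """v1 rule: a pod is isolated iff some policy's spec.podSelector targets it."""
    return any(selector_matches(p["spec"].get("podSelector"), pod) for p in policies)


def accepts_ingress(target: Labels, source: Labels, policies: List[dict]) -> bool:
    """Accepted if any policy targeting `target` has a rule admitting `source`;
    a pod targeted by no policy accepts all traffic."""
    selecting = [p for p in policies if selector_matches(p["spec"].get("podSelector"), target)]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:  # a rule with no `from` admits every source
                return True
            if any(selector_matches(peer.get("podSelector"), source)
                   for peer in peers if "podSelector" in peer):
                return True
    return False  # isolated, and no targeting policy admits this source


# Constructed policies. DEFAULT_DENY is the object from the release note above.
DEFAULT_DENY = {"kind": "NetworkPolicy", "apiVersion": "networking.k8s.io/v1",
                "metadata": {"name": "default-deny"}, "spec": {"podSelector": {}}}
ALLOW_FRONTEND_TO_DB = {"kind": "NetworkPolicy", "apiVersion": "networking.k8s.io/v1",
                        "metadata": {"name": "allow-frontend-to-db"},
                        "spec": {"podSelector": {"matchLabels": {"role": "db"}},
                                 "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}]}]}}
DB, FRONTEND, WEB = {"role": "db"}, {"role": "frontend"}, {"role": "web"}

if __name__ == "__main__":
    # Step 2: a policy that was inert without the DefaultDeny annotation now isolates the db pods.
    print(accepts_ingress(DB, WEB, [ALLOW_FRONTEND_TO_DB]))                        # False
    # Step 1: default-deny keeps untargeted pods isolated, while the allow rule still admits frontend.
    print(accepts_ingress(WEB, FRONTEND, [DEFAULT_DENY, ALLOW_FRONTEND_TO_DB]))    # False
    print(accepts_ingress(DB, FRONTEND, [DEFAULT_DENY, ALLOW_FRONTEND_TO_DB]))     # True
```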

@chenopis
Contributor

chenopis commented Jun 6, 2017

How to maintain v1beta1 semantics across upgrades could be a Task. Do you want to cover that in a separate PR so I can merge this one?
