API docs: clarify ICMP related. #364
+78
−61
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -188,11 +188,11 @@ type ClusterNetworkPolicyIngressRule struct { | |
| Name string `json:"name,omitempty"` | ||
|
|
||
| // Action specifies the effect this rule will have on matching | ||
| // traffic. Currently, the following actions are supported: | ||
| // | ||
| // - Accept: Accepts the selected traffic, including replies to that | ||
| // traffic and related ICMP traffic. No further ingress | ||
| // ClusterNetworkPolicy or NetworkPolicy rules will be processed. | ||
| // | ||
| // Note: while Accept ensures traffic is accepted by | ||
| // Kubernetes network policy, it is still possible that the | ||
|
|
@@ -245,15 +245,15 @@ type ClusterNetworkPolicyEgressRule struct { | |
| Name string `json:"name,omitempty"` | ||
|
|
||
| // Action specifies the effect this rule will have on matching | ||
| // traffic. Currently, the following actions are supported: | ||
| // | ||
| // - Accept: Accepts the selected traffic, including replies to that | ||
| // traffic and related ICMP traffic. No further egress | ||
| // ClusterNetworkPolicy or NetworkPolicy rules will be processed | ||
| // but any ingress rules at the destination do apply. | ||
| // | ||
| // - Deny: Drops the selected traffic. No further ClusterNetworkPolicy or | ||
|
Contributor
There was a problem hiding this comment. I recently learnt that networkpolicies when created mid way do expect to effect existing connections? so for both DENY and PASS it actually does include ICMP related as well for that connection?
Contributor
There was a problem hiding this comment. For |
||
| // NetworkPolicy rules will be processed. | ||
| // | ||
| // - Pass: Skips all further ClusterNetworkPolicy rules in the | ||
| // current tier for the selected traffic, and passes | ||
|
|
@@ -288,20 +288,16 @@ type ClusterNetworkPolicyEgressRule struct { | |
| type ClusterNetworkPolicyRuleAction string | ||
|
|
||
| const ( | ||
| // ClusterNetworkPolicyRuleActionAccept stops further rule processing of | ||
|
Contributor
There was a problem hiding this comment. hmm interesting..I am trying to find the nuance/motivation behind the change here and for the other actions..
Contributor
Author
There was a problem hiding this comment. Traffic from pod A to pod B goes through pod A's egress rules and pod B's ingress rules. The change was intended to hint that pod A's "egress accept" may still get blocked by pod B's ingress rules. TBH I started just trying to make the language more direct. "stops and accepts" instead of "indicates that ..." |
||
| // this policy direction (Ingress/Egress) and accepts the traffic. | ||
| ClusterNetworkPolicyRuleActionAccept ClusterNetworkPolicyRuleAction = "Accept" | ||
| // ClusterNetworkPolicyRuleActionDeny stops further rule processing and | ||
| // drops the traffic. | ||
| ClusterNetworkPolicyRuleActionDeny ClusterNetworkPolicyRuleAction = "Deny" | ||
| // ClusterNetworkPolicyRuleActionPass skips rules with lower precedence in | ||
| // the current tier and continues processing in the next tier. For example, | ||
| // if an Admin tier CNP uses Pass action, NetworkPolicy evaluation will | ||
| // happen next. | ||
| ClusterNetworkPolicyRuleActionPass ClusterNetworkPolicyRuleAction = "Pass" | ||
| ) | ||
|
|
||
|
|
@@ -380,6 +376,11 @@ type ClusterNetworkPolicyEgressPeer struct { | |
| // or deny all IPv4 pod-to-pod traffic as well. If you don't want that, | ||
| // add a rule that Passes all pod traffic before the Networks rule. | ||
| // | ||
| // Networks matches both regular IP traffic and ICMP traffic to/from | ||
| // the specified CIDRs. For example, a Networks entry of "0.0.0.0/0" | ||
| // will match both IPv4 and ICMP traffic, while "::/0" will match | ||
| // both IPv6 and ICMPv6 traffic. | ||
| // | ||
| // Each item in Networks should be provided in the CIDR format and should be | ||
| // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". | ||
| // | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We spoke a bit about this during AMS KubeCon,
but a note for future that since we have made this explicit we do need to consider this while designing the ICMP protocol match whether ICMP protocol match will also allow related or if its purely restricted to specific independent types and codes.
just highlighting it for history (no action required from this comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's some trickiness here, but I would hope that conntrack deals with it all for us.
If you allow ICMP pings, you would also have implicitly be allowing the replies to that ping, just like in the IP case.