Skip to content

Update NPEP-133 with Admin-tier restriction and DNS security guidance#366

Open
tssurya wants to merge 1 commit into
kubernetes-sigs:mainfrom
tssurya:fqdn-field-description-update
Open

Update NPEP-133 with Admin-tier restriction and DNS security guidance#366
tssurya wants to merge 1 commit into
kubernetes-sigs:mainfrom
tssurya:fqdn-field-description-update

Conversation

@tssurya
Copy link
Copy Markdown
Contributor

@tssurya tssurya commented Apr 5, 2026
edited
Loading

The PR updates the details around domainNames
as discussed in KubeCon Atlanta:
https://docs.google.com/document/d/1AtWQy2fNa4qXRag9cCp5_HsefD7bxKe3ea2RPn8jnSs/edit?tab=t.k47ujuef4zxk#bookmark=id.hl0pbdvwfotd

  • Restrict domainNames to Admin tier only with CEL validation (Baseline tier breaks the NetworkPolicy override model)
  • Add CEL validation for Accept-only action restriction
  • Update API examples to v1alpha2 ClusterNetworkPolicy format
  • Add Expected Behavior points for DNS reachability and resolv.conf
  • Add Recommended Behavior section covering DNS security concerns, grace period, and DNSSEC best practice
  • Add Connection Lifecycle section for policy add/remove semantics

NOTE to reviewers:

  • I didn't update the field description because I wasn't sure what all is worth capturing in the field v/s not, so happy to change that aspect during reviews
  • * can mean one or more labels and that's what is present in current OKEP as well

@netlify
Copy link
Copy Markdown

netlify Bot commented Apr 5, 2026
edited
Loading

Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name Link
🔨 Latest commit 2417bb7
🔍 Latest deploy log https://app.netlify.com/projects/kubernetes-sigs-network-policy-api/deploys/6a1e6ca4f80d3700080c465c
😎 Deploy Preview https://deploy-preview-366--kubernetes-sigs-network-policy-api.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Apr 5, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tssurya

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from aojea and danwinship April 5, 2026 17:05
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 5, 2026
@tssurya tssurya mentioned this pull request Apr 5, 2026
Draft
danwinship
danwinship reviewed Apr 6, 2026
View reviewed changes
Comment thread npeps/npep-133-fqdn-egress-selector.md Outdated
Comment thread npeps/npep-133-fqdn-egress-selector.md Outdated
Comment thread npeps/npep-133-fqdn-egress-selector.md
Comment thread npeps/npep-133-fqdn-egress-selector.md
tssurya
tssurya commented Apr 7, 2026
View reviewed changes
Comment thread npeps/npep-133-fqdn-egress-selector.md Outdated
@tssurya tssurya mentioned this pull request Apr 8, 2026
Merged
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 9, 2026
@tssurya tssurya force-pushed the fqdn-field-description-update branch from b8a2a6c to 2af60be Compare May 5, 2026 07:30
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 5, 2026
@tssurya tssurya changed the title Update NPEP-133 with Admin-tier restriction, DNS security guidance, and v1alpha2 API Update NPEP-133 with Admin-tier restriction and DNS security guidance Jun 2, 2026
@tssurya
Update NPEP-133 with Admin-tier restriction, DNS security guidance, a…
2417bb7 
…nd CEL

The PR updates the details around domainNames
as discussed in KubeCon Atlanta:
https://docs.google.com/document/d/1AtWQy2fNa4qXRag9cCp5_HsefD7bxKe3ea2RPn8jnSs/edit?tab=t.k47ujuef4zxk#bookmark=id.hl0pbdvwfotd

- Add CEL validation for Accept-only action restriction
- Update API examples to v1alpha2 ClusterNetworkPolicy format
- Add Expected Behavior points for DNS reachability and resolv.conf
- Add Recommended Behavior section covering DNS security concerns,
  grace period, and DNSSEC best practice
- Add Connection Lifecycle section for policy add/remove semantics
@tssurya tssurya force-pushed the fqdn-field-description-update branch from 2af60be to 2417bb7 Compare June 2, 2026 05:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danwinship danwinship danwinship left review comments

@aojea aojea Awaiting requested review from aojea

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tssurya @k8s-ci-robot @danwinship