Update NPEP-133 with Admin-tier restriction and DNS security guidance#366
Open
tssurya wants to merge 1 commit into
Open
Update NPEP-133 with Admin-tier restriction and DNS security guidance#366tssurya wants to merge 1 commit into
tssurya wants to merge 1 commit into
Conversation
✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tssurya The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
danwinship
reviewed
Apr 6, 2026
tssurya
commented
Apr 7, 2026
k8s-ci-robot
added
the
needs-rebase
tssurya
force-pushed
the
fqdn-field-description-update
branch
from
b8a2a6c to
2af60be
Compare
k8s-ci-robot
removed
the
needs-rebase
tssurya
changed the title
…nd CEL The PR updates the details around domainNames as discussed in KubeCon Atlanta: https://docs.google.com/document/d/1AtWQy2fNa4qXRag9cCp5_HsefD7bxKe3ea2RPn8jnSs/edit?tab=t.k47ujuef4zxk#bookmark=id.hl0pbdvwfotd - Add CEL validation for Accept-only action restriction - Update API examples to v1alpha2 ClusterNetworkPolicy format - Add Expected Behavior points for DNS reachability and resolv.conf - Add Recommended Behavior section covering DNS security concerns, grace period, and DNSSEC best practice - Add Connection Lifecycle section for policy add/remove semantics
tssurya
force-pushed
the
fqdn-field-description-update
branch
from
2af60be to
2417bb7
Compare
Contributor
Author
|
@danwinship PTAL |
danwinship
reviewed
Jun 16, 2026
| * Currently only `Accept` type rules are proposed. | ||
| * Safely enforcing `Deny` rules based on FQDN selectors is difficult as there | ||
| * Currently only `ACCEPT` type rules are proposed. | ||
| * Safely enforcing `DENY` rules based on FQDN selectors is difficult as there |
Contributor
There was a problem hiding this comment.
Hm... why did you change these? Especially if they're going to be in backticks, they should be the API values, right?
Comment on lines
+444
to
+447
| * **Policy removal**: Existing established connections SHOULD be allowed to | ||
| complete gracefully. New connections SHOULD be denied after the policy is | ||
| removed. This is consistent with the general NetworkPolicy behavior for | ||
| long-running connections. |
Contributor
There was a problem hiding this comment.
that's an open question isn't it? #305
I'd just leave out the "policy removal" section. Removing an FQDN policy should behave just like removing any other policy.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The PR updates the details around domainNames
as discussed in KubeCon Atlanta:
https://docs.google.com/document/d/1AtWQy2fNa4qXRag9cCp5_HsefD7bxKe3ea2RPn8jnSs/edit?tab=t.k47ujuef4zxk#bookmark=id.hl0pbdvwfotd
NOTE to reviewers:
*can mean one or more labels and that's what is present in current OKEP as well