Support admin network policy API #3247

Closed
tssurya opened this issue Sep 21, 2023 · 14 comments · Fixed by #4290
Labels
feature New network feature network policy
@tssurya

tssurya commented Sep 21, 2023

Feature request

sig-network-policy-api working group has a new set of APIs for implementing admin network policies: https://network-policy-api.sigs.k8s.io/

Use case

This can be particularly useful:

  1. for creating cluster scoped policies that span across namespaces to set them up before the namespace is created
  2. policies that cluster admins can create that are non-overridable by the developer network policies
@oilbeater oilbeater added feature New network feature network policy labels Sep 22, 2023
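To make the two use cases above concrete, here is an added example of the upstream AdminNetworkPolicy (ANP) and BaselineAdminNetworkPolicy (BANP) resources as a cluster admin would write them. This is illustrative material added here, not code from the issue, from Kube-OVN, or from the sig-network-policy-api project; the namespace labels (`tenant: finance`, `trusted: monitoring`), policy names and port 9090 are assumptions chosen for the example. The evaluation order the API defines is: ANPs in ascending `priority` (0 is highest), then namespaced developer `NetworkPolicy`, then the single BANP as the cluster-wide fallback.

```yaml
# Added example (not from the issue or Kube-OVN). Labels, names and ports are assumed.
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: finance-guardrails
spec:
  # Lower number = evaluated earlier among ANPs. Admin rules here run
  # before any developer NetworkPolicy, so Allow/Deny cannot be overridden.
  priority: 10
  # Subject: every pod in any namespace labelled tenant=finance.
  # Namespaces created later that carry the label are covered automatically,
  # which is use case 1 (policy exists before the namespace does).
  subject:
    namespaces:
      matchLabels:
        tenant: finance
  ingress:
    # Rules are evaluated top to bottom; the first matching rule decides.
    - name: allow-monitoring-scrapes
      action: Allow            # non-overridable by NetworkPolicy (use case 2)
      from:
        - namespaces:
            matchLabels:
              trusted: monitoring
      ports:
        - portNumber:
            protocol: TCP
            port: 9090         # assumed metrics port
    - name: pass-same-tenant-to-netpol
      # Pass stops ANP evaluation for this traffic and delegates the decision
      # to developer NetworkPolicy (and, failing that, to the BANP below).
      action: Pass
      from:
        - namespaces:
            matchLabels:
              tenant: finance
    - name: deny-everything-else
      action: Deny             # non-overridable by NetworkPolicy (use case 2)
      from:
        - namespaces: {}       # empty selector = all namespaces
---
# Cluster-wide fallback. Exactly one BANP is allowed and it must be named "default".
# It is consulted only for traffic no ANP or NetworkPolicy has decided on,
# so developers can still open what they need with a namespaced NetworkPolicy.
apiVersion: policy.networking.k8s.io/v1alpha1
kind: BaselineAdminNetworkPolicy
metadata:
  name: default
spec:
  subject:
    namespaces: {}             # all pods in the cluster
  ingress:
    - name: default-deny-ingress
      action: Deny
      from:
        - namespaces: {}
```

Two checks worth doing after applying such manifests on any CNI that claims ANP support: confirm that a developer `NetworkPolicy` allowing ingress from an untrusted namespace into a `tenant: finance` pod does not restore connectivity (the ANP `Deny` must win), and confirm that traffic matched by the `Pass` rule is actually decided by `NetworkPolicy`/BANP rather than silently allowed. The `nodes` and `networks` egress peers discussed later in this thread are not used here because the thread records them as experimental and unsupported.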
@oilbeater
Collaborator

@tssurya, thank you for providing this valuable information. The set of APIs you have shared appears to offer solutions to some of the challenges faced by our community. We will carefully consider incorporating it into our long-term roadmap.

@tssurya
Author

tssurya commented Oct 14, 2023

Thanks @oilbeater ! Also note that OVN added the "Hierarchical ACLs" feature to allow for ANP/NP/BANP APIs to exist, so that could be of great help to KubeOVN as well!

Issues go stale after 60d of inactivity. Please comment or re-open the issue if you are still interested in getting this issue fixed.

@wfnuser
Contributor

wfnuser commented Apr 18, 2024

@oilbeater I'm interested in this one. I think it can help me to get started with the project. Can you assign it to me?

@oilbeater
Collaborator

@wfnuser Thank you for expressing interest in contributing to Kube-OVN. Do you have a plan in mind for when to start and finish this feature? We are aiming to integrate this feature into Kube-OVN by August. Implementing this feature may be challenging and require significant effort. However, we are more than willing to assist you throughout the process. Please let us know if this timeline works for you.

@wfnuser
Contributor

wfnuser commented Apr 18, 2024

> @wfnuser Thank you for expressing interest in contributing to Kube-OVN. Do you have a plan in mind for when to start and finish this feature? We are aiming to integrate this feature into Kube-OVN by August. Implementing this feature may be challenging and require significant effort. However, we are more than willing to assist you throughout the process. Please let us know if this timeline works for you.

Yep. Recently I have already started to hack on the source code and made some progress (mostly about the security group implementation). If the deadline is around August, I guess I will have enough time to tackle this issue. Let me try to get some more info about it and make a plan for it. (Currently I'm quite new to k8s and the ecosystem.)
And if I find it truly is a huge challenge for me, I will let you know before next Thursday and pick some other easier issues. Does that sound reasonable to you?

@oilbeater
Collaborator

Hi @wfnuser, how are things going now?

@wfnuser
Contributor

wfnuser commented May 5, 2024

@oilbeater Sorry for the late reply. I had a food poisoning issue during the holiday. 😂
I acknowledge that it's a tough task for me, and I plan to tackle some smaller issues first. Please feel free to delegate it to someone else.

@tssurya
Author

tssurya commented Oct 22, 2024

@oilbeater : Hi! I am from the upstream sig-network-policy-api community. We are tracking CNI implementations who have implemented ANP/BANP here kubernetes-sigs/network-policy-api#257
Shall I add Kube-OVN to the mix?

Another thing we have is a repo maintaining the test results of the implementations: something similar to https://github.com/kubernetes-sigs/network-policy-api/blob/main/conformance/reports/v0.1.2/ovn-kubernetes.yaml see https://network-policy-api.sigs.k8s.io/npeps/npep-137-conformance-profiles/#introduction for details.. I was curious if KubeOVN was running the conformance test suite we have for ANP or would be interested in running it?

@oilbeater
Collaborator

@tssurya Hi, I also happened to see this document. We originally planned to update this document after the new Kube-OVN release. Since you are also preparing this status update, I think we can go ahead and include Kube-OVN now.

For the conformance tests, we have tested it before and tried to add it to the e2e tests here: #4475. However, we met some issues: the policy needs some time to take effect, but the tests run too quickly, which leads to flakes. I think the tests could add some retry or wait to make the result more stable.

@tssurya
Author

tssurya commented Oct 23, 2024

> @tssurya Hi, I also happened to see this document. We originally planned to update this document after the new Kube-OVN release. Since you are also preparing this status update, I think we can go ahead and include Kube-OVN now.

@oilbeater: That makes sense! I will include KubeOVN as well in the list. One quick question: have you implemented nodes and networks peers for egress yet?

> For the conformance tests, we have tested it before and tried to add it to the e2e tests here: #4475. However, we met some issues: the policy needs some time to take effect, but the tests run too quickly, which leads to flakes. I think the tests could add some retry or wait to make the result more stable.

I see... yeah, if there are parts of the test framework that need changes we are happy to help out. There are some tunable parameters actually; for example we set the timeout to 300 seconds in our case: https://github.com/ovn-org/ovn-kubernetes/blob/8551af5a88ee86169b433d9b2edf304440a02438/test/conformance/network_policy_v2_test.go#L76

As for retries that's also a great point, if you are willing to submit a PR to include retries in the test framework based on configs, we'd be happy to accept that..

@tssurya
Author

tssurya commented Oct 23, 2024

AH I see https://github.com/kubeovn/kube-ovn/pull/4290/files#diff-b07406499a8b20014cd0df4d89fa140b1e3bd56ffd02654a2fdcd3da4b75d55eR721 nodes and networks are not supported yet... any plans to have support for that?

@oilbeater
Collaborator

> any plans to have support for that?

@tssurya The node and network features are still experimental in the API spec. We are planning to support them when they are in a more stable stage.
