Formatted networkPolicy to match feature documentation template #4467
base: master
Conversation
thank you for the contribution!
78e13ae to 6ecd30b
Resolved reviewer suggestions, changed wording to make the documentation clearer
some more nits
[Kubernetes NetworkPolicy documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies) | ||
|
||
[Kubernetes NetworkPolicy API reference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#networkpolicy-v1-networking-k8s-io) | ||
|
||
By default, the network traffic from and to K8s pods is not restricted in any way. Using NetworkPolicy is a way to enforce network isolation of selected pods. When a pod is selected by a NetworkPolicy allowed traffic is specified by the `Ingress` and `Egress` sections. | ||
Network Policy is a resource, which helps enforce the network isolation of pods. By default, the network traffic from and to K8s pods are not restricted in any way: NetworkPolicy resources allow us to enable and/or disable specific dataflows at a pod level. |
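Review bot: the replacement sentence in this hunk loses the point that allowed traffic is defined by the `Ingress` and `Egress` sections of the policy, and its claim that NetworkPolicy resources "enable and/or disable specific dataflows" contradicts the allow-list model the same document states under Best Practices (NetworkPolicies work as whitelists, not blacklists): a policy can only add allowed traffic for the pods it selects, not deny a single flow. There is also a number-agreement error ("the network traffic ... are not restricted" should be "is not restricted"). Keeping the original sentence, as already suggested in review, is the safer choice.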
I think the current version is more accurate, can we just leave it as is?
|
||
#### **Complex Filtering** | ||
|
||
Each egress/ingress rule is designed to be combined with other rules to create more complex filters. Note that NetworkPolicies follow a whitelist model, in which only the rules specified are allowed, everything else will be denied In this example the application allows ingress traffic from both the db_namespace and content servers located in the 10.16.24.0/24 subnet while only allowing egress through 173.23.32.4/32 |
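Review bot: the paragraph describes a concrete policy ("allows ingress traffic from both the db_namespace and content servers located in the 10.16.24.0/24 subnet while only allowing egress through 173.23.32.4/32") but the hunk carries no manifest for it, so a reader cannot see how the namespace rule and the `ipBlock` rule are combined within one ingress rule versus listed as separate rules, which is exactly the "complex filtering" the section is about; please add the YAML the sentence refers to. Wording: "only the rules specified are allowed, everything else will be denied" should read "only the connections specified are allowed; everything else is denied." (the sentence also needs its terminating period), and "egress through 173.23.32.4/32" should be "egress to 173.23.32.4/32". It would also help to say how db_namespace is selected, since the text names it without showing the selector.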
"in which only the rules specified are allowed, everything else will be denied"
only specified connections are allowed?
also a dot is missing at the end of that sentence.
"while only allowing egress through 173.23.32.4/32" - not sure what through means here, did you mean to?
|
||
## Best Practices | ||
|
||
NetworkPolicies work as whitelists not blacklists, so it is not the best tool for specifically denying specific dataflows. |
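Review bot: "NetworkPolicies work as whitelists not blacklists, so it is not the best tool" mixes plural and singular; suggest "NetworkPolicies are whitelists, not blacklists, so they are not the right tool for denying one specific connection." Since this is the Best Practices section, it should also spell out the practical consequence of the whitelist model that the document states earlier (a pod's traffic is only restricted once a NetworkPolicy selects it): pods not selected by any policy stay fully open, so the usual first step is a default-deny policy per namespace, with allow rules layered on top.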
specifically denying specific dataflows. -> denying specific connections?
Signed-off-by: Daniel Zhou <danieltianqizhou@gmail.com>
I don't think all the comments were resolved, @dtzhou2 can you please take another look?
What this PR does and why is it needed
Reformatted networkPolicy to match feature documentation template. Added more examples detailing different types of networkPolicies. Reworded certain sections to make the documentation clearer and easier to read.
Which issue(s) this PR fixes
Fixes #
Special notes for reviewers
How to verify it
Details to documentation updates
Reformatted networkPolicy to match feature documentation template. Added more examples detailing different types of networkPolicies. Reworded certain sections to make the documentation clearer and easier to read.
Description for the changelog
Does this PR introduce a user-facing change?