NYS2AWS-43 refine controls on netpols & cilium netpols #164

Closed
wants to merge 4 commits into from

RVanhuysseXenit
Contributor

Cilium netpols were tied to a 'cni' variable, which was not correct, given that Cilium can be chained to other CNIs (as is the case for AWS).

@gert-glassee
Contributor

I do not understand the need for this. Is there a specific need to have cilium network policies disabled when the cni=cilium? Or to have them enabled when cni=aws?
In case of dsny isn't it enough to set cni=cilium to get both types of network rules applied?

@RVanhuysseXenit
Contributor Author

We can run it as is, but I think we're setting ourselves up for failure in the future.
Usage of cilium netpols is not tied to usage of the cilium cni, and using the cilium cni does not mean we want to enable the corresponding netpols immediately.

@vierbergenlars
Member

vierbergenlars commented Oct 28, 2024

I think the general.cni value should be removed completely and replaced with networkPolicies.cilium.enabled.

At this point, it only affects if there are cilium network policies enabled or not, and that setting can better be moved to a more explicit networkPolicies.cilium.enabled.

The choice of CNI itself should not really affect any other part of the software, only the existence of cilium network policies.

@@ -189,13 +189,22 @@ nginx rules to redirect the normal pages to a 503 maintenance page.
* Default: true
* Description: A field to enabled/disable network policies.

#### `general.networkPolicies.cilium.enabled`
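
Review bot: the entry under the new `general.networkPolicies.cilium.enabled` heading at the end of this hunk should spell out how it relates to `general.networkPolicies.enabled`, documented just above it: state its default, and whether the Cilium policies are still rendered when the parent flag is false. Since the PR description says these policies were previously tied to the 'cni' variable, the entry should also say explicitly that selecting a CNI no longer switches them on or off, so a deployment does not end up without the policies it assumed were applied. Separately, the context line above reads "A field to enabled/disable network policies."; worth correcting to "enable/disable" while this section is being touched.
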
Contributor

how is this different from general.networkPolicies.enabled if cni is cilium?
I think this is only disabling the Cilium specific ones? Why would you use cilium as general.cni and disable the cilium policies?

@thijslemmens thijslemmens changed the title Nys2aws-43 refine controls on netpols & cilium netpols NYS2AWS-43 refine controls on netpols & cilium netpols Oct 28, 2024