Add network policy filtering for user-v2 networking #4326
Conversation
Apologies in advance for dropping a jumbo PR. This is a new feature that I'm interested in continuing to work on in particular for use with AI coding assistants. I recognize there is still polish work to do here but I wanted to get it out shortly after 2.0 as I'm hoping it could be considered for the roadmap.
Force-pushed 818a45b to ff61d81
Force-pushed 1bf5c85 to dde5f7f
No bandwidth to investigate much during KubeCon, but we should look into whether we can reuse or mimic some existing format in the field of SDN.
We may also want to set up a policy for accepting AI-generated code.
Especially how to ensure that the code is verified by the human submitter, in both technological and legal aspects.
Sounds good. I'm happy to join an effort to help develop a process for accepting AI-assisted code, as I expect it to become increasingly common. Ultimately, I believe submitters are responsible for every line they submit and should have reviewed it all thoroughly. A checklist and process would be helpful here.
Re: format — The format is quite similar to Calico with a bit of Cilium, as I'm very familiar with those. I didn't go with K8s NetworkPolicy because it lacks "deny," which I've found to be very valuable in the past. I use "priority" vs. "order" as it makes better sense to me. I also made "ips" and "ports" more general to accept common formats instead of breaking things out into more fields.
Another gotcha: I (gulp) used reflection to access the gvproxy stack. I tried many different approaches beforehand, and this was the cleanest in the end, but it would be good to work with the team to expose a public method there.
Force-pushed b7bf416 to ca9a702
Implements egress traffic filtering with:
- Protocol, port, IP/CIDR, and domain-based rules
- DNS packet snooping for domain-to-IP tracking
- ICMP support (ICMPv4/ICMPv6) - partial - awaiting gvisor fix
- Policy validation with strict error checking
- DNS tracker with 10k domain limit and TTL expiration

Usage: limactl network create NAME --policy policy.yaml

Signed-off-by: Simon Kaegi <simon.kaegi@gmail.com>
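As an added illustration (not code from this PR, and not Lima's actual policy schema), the following Go sketch shows the two mechanisms the commit message lists working together: a bounded, TTL-expiring DNS tracker that maps answered IPs back to the queried domain, and priority-ordered allow/deny evaluation of egress flows with default deny. The `Rule` fields, the `Max`/`Now` names, and the one-domain-per-IP simplification are assumptions made for the example.

```go
package main

import "net/netip"
import "time"

// Rule is an assumed simplified egress rule: lower Priority wins; Action is "allow" or "deny"; an empty Domain, zero Prefix or Port 0 mean "any".
type Rule struct {
	Priority, Port int
	Action, Domain string
	Prefix         netip.Prefix
}

type dnsEntry struct{ domain string; expires time.Time }

// DNSTracker maps IPs seen in snooped DNS answers back to the queried domain, capped at Max entries and expired by the answer's TTL.
type DNSTracker struct {
	Max     int
	Entries map[netip.Addr]dnsEntry
	Now     func() time.Time // injectable clock so expiry can be tested deterministically
}

// Observe records one (domain, ip, ttl) from a DNS answer; at capacity it returns false and the IP stays untracked, so it matches no domain rule.
func (t *DNSTracker) Observe(domain string, ip netip.Addr, ttl time.Duration) bool {
	if t.Entries == nil { t.Entries = map[netip.Addr]dnsEntry{} }
	t.expire()
	if _, ok := t.Entries[ip]; !ok && len(t.Entries) >= t.Max {
		return false
	}
	t.Entries[ip] = dnsEntry{domain, t.Now().Add(ttl)}
	return true
}

func (t *DNSTracker) expire() {
	for ip, e := range t.Entries {
		if !e.expires.After(t.Now()) { delete(t.Entries, ip) }
	}
}

// Evaluate returns the action of the best-priority rule matching dst:port; with no match the flow is denied (default-deny egress).
func Evaluate(rules []Rule, t *DNSTracker, dst netip.Addr, port int) string {
	t.expire()
	domain, action, best := t.Entries[dst].domain, "deny", -1
	for _, r := range rules {
		if (best < 0 || r.Priority < best) && (r.Port == 0 || r.Port == port) &&
			(r.Domain == "" || r.Domain == domain) && (!r.Prefix.IsValid() || r.Prefix.Contains(dst)) {
			action, best = r.Action, r.Priority
		}
	}
	return action
}
```

Once a tracked answer passes its TTL the IP falls back to "untracked", so a domain-based allow silently stops matching; a real implementation would also need to handle one IP being returned for several domains.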
Force-pushed ca9a702 to 7fe5c70