OpenShift Container Platform (OCP) Strategy / OCPSTRAT-1575

Implement FQDN Egress Peer in OVNK AdminNetworkPolicy


       Goal

      The goal here is to implement the FQDN egress peer from https://github.com/kubernetes-sigs/network-policy-api/pull/200 in the AdminNetworkPolicy API for OVN-Kubernetes.

       

      Why is this important?

      EgressFirewall DNS Resolution is a downstream-only feature, released in 4.16 as a tech preview.

      AdminNetworkPolicy (ANP) FQDN is the same functionality, but in upstream k8s.

      We will not be looking to GA EgressFirewall DNS resolution. Instead we will want customers to move to ANP. 

      The very first version of the ANP FQDN API was merged in June 2024; more changes may be required in the future. We would like to spend more cycles doing that.

      EgressFirewall should be deprecated at some point and replaced with ANP, but this cannot be done fully automatically, so customers will have to make some changes manually.

      Customers want to use admin network policies by specifying domains as peers. EgressFirewall supports this today behind a feature gate: https://issues.redhat.com/browse/NE-463. However, it would be nice if the same backend implementation work that was done to support wildcard DNS rules could be used here as well. See https://network-policy-api.sigs.k8s.io/npeps/npep-133/ for details. Besides that, moving forward we'd like to deprecate EFW and spend cycles on ANP, since that is the future.

       

      Dependencies (internal and external)

      1. https://network-policy-api.sigs.k8s.io/npeps/npep-133/
      2. https://github.com/kubernetes-sigs/network-policy-api/pull/200

      ...

      Previous Work (Optional):

      1. https://github.com/ovn-org/ovn-kubernetes/pull/4045 

      Open questions:

      1. ...

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              ddharwar@redhat.com Deepthi Dharwar
              sseethar Surya Seetharaman
              Ashley Hardin Ashley Hardin