Red Hat Advanced Cluster Security / ROX-25007

better DNS support for build time netpol generation (np-guard)


    • Done
    • ROX-11643 - NP-Guard Features for inclusion into roxctl
    • 0% To Do, 0% In Progress, 100% Done
    • Behavior Change Notice:
      `roxctl netpol generate` automatically generates DNS connections when it identifies the need. By default port 53 is used, which can be changed using the `--dnsport` flag. In this release (4.7), this flag also accepts port *names* (text) in addition to numbers, for example `--dnsport dns`.
      Using port names is a more robust method of specifying the port when the service has a name defined.
      OpenShift customers using the default DNS setting should use this flag to change the default port, because the OpenShift DNS pod listens on port 5353.

      User Problem

      As an OpenShift developer/DevOps using ACS build-time tools (`netpol generate`), I want the default generated network policy to support OpenShift's DNS.

      While the OpenShift DNS pod listens on port 5353, the best way to achieve the correct mapping and avoid hard-coding is to use the logical port name `dns` as a string in the network policy itself.

      Since the product is GA, a change of default behavior may warrant a heads-up in release notes and a warning in the command line about the expected change, to be implemented only 1 (or 2 ?) releases later.

      Documentation and release notes should call out the change in behavior and point affected users to use `--dnsport 53` to maintain the older behavior.

      To summarize, these are the requested changes

      1. Extend the `--dnsport` flag to accept both numbers and strings.

      See also NP-Guard integration roadmap


      Definition of Done:

      1. Logic implemented and merged into roxctl by the IBM team
      2. Tests prepared and successfully passed by the IBM team
      3. Documentation updated by the IBM team, working with the doc team
      4. PR approved by the ACS team

      People: Ziv Nevo, Boaz Michaely