Policy Spec v3

[tgraf]

1. Embed toPorts into the From* and To* structures to make the L3 dependant L4 part obvious and explicitly require the user to specify the wildcard if wanted. This will make it super obvious what is going on at all times.
2. Declare the IngressRule and EgressRule a union which means that only one of FromEndpoints, FromRequires, FromCIDR and FromEntities can be specified. This makes it super obvious that there is no point in combing label based source selector and CIDR based source rules.
3. Only add ToPorts to the From* and To* fields that support L3 dependant L4. This means we would currently exclude FromCIDR and ToCIDR until we have added support for it.

Example:

  endpointSelector:
    matchLabels:
      role: backend
  ingress:
  - fromEndpoints:
    - toPorts:
      - ports:
        - port: "80"
          protocol: TCP

[joestringer]

Are we only intending for (2) to be the case for policy v3? I find the combinations of l3 to be rather confusing even in the existing policy v2. I've proposed a PR for this: #3015.

[tgraf]

Are we only intending for (2) to be the case for policy v3? I find the combinations of l3 to be rather confusing even in the existing policy v2.

Yes

[aanm]

What do you think?

---
endpointSelector:
  matchLabels:
    any:foo: bar
ingress:
- fromEndpoints:
  - endpointSelector:
      matchLabels:
        any:allow: all-ports
  - endpointSelector:
      matchLabels:
        any:restrict: port-111
    toPorts:
    - ports:
      - port: '111'
        protocol: TCP
egress:
- toServices:
  - service:
      k8sServiceSelector:
        selector:
          matchLabels:
            send-to: all-ports
  - service:
      k8sServiceSelector:
        selector:
          matchLabels:
            send-to: port-8080
    toServicePorts:
    - ports:
      - port: '8080'
        protocol: TCP
      - port: '80'
        protocol: TCP
      rules:
        http:
        - path: "/foo"
          method: GET

Note the toServicePorts instead of toPorts to make the user aware it's the service port and not the port where to service is being provided

[joestringer]

I don't know that it's ambiguous enough that it matters to name it differently if it's nested within a service; I would have thought that the nesting implies that the port is relating to the service already.

[tgraf]

Looks good overall. Should we keep fromEndpoints to be a slice? The idea was that multiple FromEndpoints could be combined with a single ToPorts but that no longer makes sense.

The difference is this:

ingress:
- fromEndpoints:
  - endpointSelector:
      matchLabels:
        any:allow: all-ports
  - endpointSelector:
      matchLabels:
        any:restrict: port-111
    toPorts:
    - ports:
      - port: '111'
        protocol: TCP

vs:

ingress:
- fromEndpoints:
    endpointSelector:
      matchLabels:
        any:allow: all-ports
- fromEndpoints:
    endpointSelector:
      matchLabels:
        any:restrict: port-111
    toPorts:
    - ports:
      - port: '111'
        protocol: TCP

[aanm]

Looks good overall. Should we keep fromEndpoints to be a slice?

Yes

The idea was that multiple FromEndpoints could be combined with a single ToPorts but that no longer makes sense.

But that way we can't have FromEndpoints and FromCIDR (or any other From*) in the same ingress rule.