Support NodeSelector in ACNP/ANP ingress/egress rules

[wenqiq]

Describe the problem/challenge you have

Restrict traffic from Pods to particular Nodes.

Support NodeSelector in ACNP/ANP ingress/egress rules, by defining NetworkPolicy with nodeSelector we can create rules
to restrict the traffic to/from certain Kubernetes Nodes for specific Pods.

Describe the solution you'd like

Add a selector in an ingress from section or egress to section. NodeSelector selects particular Nodes in the cluster. The selected Node's IPs will be set as "sources" if nodeSelector set iningress section, or as "destinations" if set in egress section.

For example, The following policy will drop egress traffic from Pods with labels 'app=antrea-test-app' to any node with the label kubernetes.io/role=control-plane on TCP ports 6443 (kube-apiserver).

apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: egress-control-plane
spec:
  priority: 1
  appliedTo:
    - podSelector:
        matchLabels:
          app: antrea-test-app
  egress:
    - action: Drop
      to:
        - nodeSelector:
            matchLabels:
              node-role.kubernetes.io/control-plane: ""
      ports:
        - protocol: TCP
          port: 6443

Anything else you would like to add?

[tnqn]

Why nodeSelector is not in from or to like other selectors?

[wenqiq]

Why nodeSelector is not in from or to like other selectors?

Thanks for the reply.
Maybe this feature can be explained in more detail in the following example:

apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: ingress-control-plane
spec:
  priority: 1
  appliedTo:
    - nodeSelector:
          matchLabels:
            kubernetes.io/role: control-plane
  ingress:
    - action: Allow  # Allows ingress to the Kubernetes API server.
      from:
      - podSelector: {}
      ports:
        - protocol: TCP
          port: 6443

    - action: Allow    # Allows all traffic to localhost.
      from:
        - podSelector:
           matchLabels: 
             name: antrea-test-app-5cffdb86df-4nnd51
        - ipBlock:
            cidr: 127.0.0.0/8

    - action: Allow   # For multi-control-plane cluster
      from:
        - nodeSelector:
           matchLabels:
            kubernetes.io/role: control-plane
      ports:
        - protocol: TCP
          port: 2380 
        - protocol: TCP
          port: 10250 

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days

[wenqiq]

Why nodeSelector is not in from or to like other selectors?

Thanks for the reply. Maybe this feature can be explained in more detail in the following example:

Correct the last reply. The NodeSelector is only in 'from' or 'to' sections. If we add NodeSelector in 'appliedTo', maybe we need to implement the Host-Firewall, that’ll be a more big feature.

apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: egress-control-plane
spec:
  priority: 1
  appliedTo:
    - podSelector:
        matchLabels:
          app: antrea-test-app
  egress:
    - action: Drop
      to:
        - nodeSelector:
            matchLabels:
              node-role.kubernetes.io/control-plane: ""
      ports:
        - protocol: TCP
          port: 6443

[wenqiq]

See also google doc: Antrea NetworkPolicy NodeSelector Design Docs