Update the example of ACNP for zero-trust #3108

Merged (1 commit), Dec 14, 2021

tnqn (Member) commented Dec 9, 2021

It doesn't make sense that the ACNP for zero-trust denies traffic
from/to Pods but allows external addresses.

Signed-off-by: Quan Tian qtian@vmware.com

tnqn (Member Author) commented Dec 9, 2021

Some people were following the example and realized this was not really zero-trust as it allows external addresses. Please let me know if this change makes sense to you. @Dyanngg @GraysonWu
I also wonder whether we should change the drop rule of strict-ns-isolation to match all addresses instead of pods in other namespaces only.

Dyanngg (Contributor) commented Dec 9, 2021

Thanks for the fix. To me, I feel like we can keep the strict-ns-isolation as is, since by its name its purpose is supposed to be to isolate namespaces from each other. However, I'm also fine if we change that drop rule to match all, or maybe simply provide a comment saying that if the rule is written like `namespaceSelector: {}` it only drops from other Namespaces, and empty drops all.

tnqn (Member Author) commented Dec 13, 2021

> Thanks for the fix. To me, I feel like we can keep the strict-ns-isolation as is, since by its name its purpose is supposed to be to isolate namespaces from each other. However, I'm also fine if we change that drop rule to match all, or maybe simply provide a comment saying that if the rule is written like `namespaceSelector: {}` it only drops from other Namespaces, and empty drops all.

@Dyanngg Sure, I will leave strict-ns-isolation as is.

tnqn (Member Author) commented Dec 13, 2021

/skip-all

tnqn merged commit a5114e7 into antrea-io:main Dec 14, 2021
tnqn deleted the doc-zero-trust-policy branch December 14, 2021 02:10