
aojea
Contributor

@aojea aojea commented Aug 19, 2025

Implement flat model of network policies across clusters

Ref: kubernetes-sigs/network-policy-api#311

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 19, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Aug 19, 2025
@aojea aojea changed the title Multicluster [WIP] [RFC] Triggering CI Aug 19, 2025
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 19, 2025
@aojea aojea added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. and removed approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Aug 19, 2025
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 19, 2025
@aojea aojea changed the title [WIP] [RFC] Triggering CI [WIP] [RFC] NPEP-308 Extended Network Policy API multicluster Aug 19, 2025
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 19, 2025
@aojea aojea force-pushed the multicluster branch 14 times, most recently from f675f23 to c45f07f Compare August 25, 2025 10:25

@Copilot Copilot AI left a comment

Pull Request Overview

This PR implements NPEP-308 Extended Network Policy API multicluster support, enabling network policies to be enforced across multiple Kubernetes clusters. The implementation introduces multi-cluster awareness through cluster labeling and scope annotations.

Key Changes:

  • Added multicluster network policy evaluator with cross-cluster and cluster-local scopes
  • Implemented multicluster IP tracker for sharing pod information across clusters
  • Created comprehensive e2e test suite for multicluster scenarios

Reviewed Changes

Copilot reviewed 16 out of 18 changed files in this pull request and generated 5 comments.

Summary per file:

  • plugins/multicluster/multicluster_networkpolicy.go: Core multicluster network policy evaluator implementation
  • plugins/multicluster/multicluster_networkpolicy_test.go: Unit tests for multicluster network policy evaluation
  • cmd/kube-network-policies/multicluster/main.go: Main entry point for the multicluster network policy agent
  • cmd/kube-ip-tracker/multicluster/main.go: Multicluster IP tracker service implementation
  • tests/e2e_multicluster.bats: End-to-end tests for multicluster functionality
  • tests/e2e_standard.bats: Updated standard e2e tests with cluster setup
  • tests/e2e_npa_v1alpha1.bats: Updated NPA e2e tests with cluster setup
  • pkg/networkpolicy/networkpolicy.go: Exported helper functions for multicluster use
  • pkg/networkpolicy/networkpolicy_test.go: Updated tests to use the exported functions
  • install-multicluster.yaml: Deployment manifest for multicluster components
  • docs/multicluster.md: User guide for multicluster setup
  • Makefile: Build targets for multicluster binaries
  • Dockerfile.iptracker: Docker build for IP tracker variants
  • go.mod: Added fsnotify dependency for file watching

@aojea aojea force-pushed the multicluster branch 2 times, most recently from 038c960 to a4e3e10 Compare August 26, 2025 22:28
@aojea aojea changed the title [WIP] [RFC] NPEP-308 Extended Network Policy API multicluster [WIP] Multi Cluster Network Policy Flat model Aug 27, 2025
@aojea aojea changed the title [WIP] Multi Cluster Network Policy Flat model [RFC][POC][WIP] Multi Cluster Network Policy Flat model Aug 27, 2025
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 27, 2025
@aojea aojea force-pushed the multicluster branch 2 times, most recently from 4a07ae2 to 4b63c3c Compare August 27, 2025 20:38
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 28, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 28, 2025
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 28, 2025
@aojea aojea force-pushed the multicluster branch 2 times, most recently from 4708ad9 to 8efb2a4 Compare August 28, 2025 13:31
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 28, 2025
@aojea aojea force-pushed the multicluster branch 7 times, most recently from 8fbc531 to c858cd5 Compare August 28, 2025 21:25
based on a flat model and namespace seamless SIG Multicluster concept.

Network Policies are cluster local.
Selectors are cluster set global.
Administrators MUST own the label schema to apply multi cluster
policies.

avoid conflict on artifacts
The multi-cluster feature is composed of two main components:

* **`kube-ip-tracker`**: A central component that runs as a **Deployment** in
each cluster. It watches for `Pods`, `Namespaces`, and `Nodes` in all
Member

@skitt skitt Sep 1, 2025

Given how it works, it seems it could technically run in only one cluster (assuming a flat network), with the associated concerns regarding availability of course — but an unreachable IP tracker would imply an unreachable cluster so policy decidability at that point would be moot. (Not implying this is necessarily a good idea, just thinking out loud.)

Contributor Author

Yeah, but the recommended option is that you run a deployment with a kube-ip-tracker in EACH cluster.
This creates a full mesh and guarantees that the local network policies depend on a component that runs in their own cluster.
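The flat model sketched in the commit notes and in this thread (policies are cluster-local, selectors are cluster-set global, and a tracker in each cluster feeds one IP-to-pod view) as an added Go example; this is not the project's code, and PodInfo, ClusterSetIndex, the label keys and the IPs are constructed for illustration.

```go
package main

import "fmt"
import "net/netip"

// PodInfo is what a per-cluster tracker publishes for one pod (example shape, not the project's type).
type PodInfo struct {
	Cluster             string
	PodLabels, NSLabels map[string]string
}
// ClusterSetIndex is the flat IP -> pod map merged from every cluster's tracker.
type ClusterSetIndex map[netip.Addr]PodInfo

// Merge folds one tracker's records in. In a flat network pod IPs are unique across the
// cluster set, so a collision means overlapping CIDRs and must not be silently overwritten.
func (idx ClusterSetIndex) Merge(pods map[netip.Addr]PodInfo) error {
	for ip, p := range pods {
		if prev, ok := idx[ip]; ok && prev.Cluster != p.Cluster {
			return fmt.Errorf("%s claimed by %s and %s: network is not flat", ip, prev.Cluster, p.Cluster)
		}
		idx[ip] = p
	}
	return nil
}
func matchLabels(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Allowed resolves the peer IP in the cluster-set index and applies a peer's podSelector and
// namespaceSelector. Cluster is never consulted: selectors are cluster-set global, which is
// why the administrator must own one label schema across all clusters.
func (idx ClusterSetIndex) Allowed(peer netip.Addr, podSel, nsSel map[string]string) bool {
	p, ok := idx[peer]
	if !ok {
		return false // unknown IP: not a cluster-set pod, so no selector can match it
	}
	return matchLabels(podSel, p.PodLabels) && matchLabels(nsSel, p.NSLabels)
}

// demoIndex is constructed sample data: a web pod in cluster-a and a db pod in cluster-b.
func demoIndex() ClusterSetIndex {
	idx, l := ClusterSetIndex{}, func(k, v string) map[string]string { return map[string]string{k: v} }
	_ = idx.Merge(map[netip.Addr]PodInfo{netip.MustParseAddr("10.1.0.5"): {"cluster-a", l("app", "web"), l("team", "shop")}})
	_ = idx.Merge(map[netip.Addr]PodInfo{netip.MustParseAddr("10.2.0.9"): {"cluster-b", l("app", "db"), l("team", "shop")}})
	return idx
}
```

A policy evaluated in cluster-a that selects `app=db` in namespaces labelled `team=shop` therefore admits the cluster-b pod, while an IP the trackers have never reported never matches any selector.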

@aojea
Contributor Author

aojea commented Sep 24, 2025

Moved to its own project: https://github.com/gke-labs/multicluster-network-policy. We can always bring it back if we standardize.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 16, 2025
@k8s-ci-robot
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.