The New NetworkPolicy API in Kubernetes 1.7
After focusing on stability in Kubernetes 1.6, version 1.7 (set to be released June 28th) looks to bring as many as 50 new features to Kubernetes, including focuses on federation, networking, and security.
According to Ihor Dvoretskyi, as shared with SDX Central, most of these new capabilities will be initially launched as alpha features. However, in moving to bring these much needed features and advancements to Kubernetes, there will be some significant changes in terms of API capabilities- and possibly stability (in the short term).
One such exciting change includes the release of the new v1 NetworkPolicy API, which replaces the previous v1beta1 NetworkPolicy API. It’s important to note, that while the syntax of the NetworkPolicy remains the same, the behavior will differ slightly.
Two of the changes you need to be aware of are:
» The v1beta1 NetworkPolicy API Has Been Deprecated
The v1beta1 version of the NetworkPolicy API has been deprecated in favor of moving forward with the new behaviors and updating the behavior of the extensions API to allow for future expansion and development.Keep in mind that while the v1 NetworkPolicy API eclipses the existing beta, the new API endpoint will only be available on Kubernetes 1.7+ (as older versions do not include the v1 API code). As such, as you work towards upgrading, you’ll want to ensure that you are using the correct version of Project Calico for the NetworkPolicy behavior you want.
» The DefaultDeny Annotation Has Been Removed
One of the bigger changes in Kubernetes 1.7 is the removal of the DefaultDeny annotation. This means that when upgrading, you should first delete any existing NetworkPolicy objects in namespaces that previously did not have the “DefaultDeny” annotation (as this may cause Kubernetes to unintentionally block traffic now).
For those objects with the “DefaultDeny” annotation, you can replicate it’s past behavior by creating a NetworkPolicy that selects all pods but does not allow any traffic, like so:
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: default-deny spec: podSelector:
Using Project Calico with Kubernetes 1.7
If you want to try out the new NetworkPolicy behavior you can do it today by installing Calico v2.3.0 and Kubernetes v1.7.0-beta.3.
Note that while currently only the Kubernetes datastore driver implements the new behavior, we’re hard at work updating Project Calico to be able to utilize both APIs when using etcd as well, so stay tuned!
But again, you may need to update your policies as described above, as well as in the Project Calico release notes.