Skip to content

Commit

Permalink
Merge master into dev-1.20 branch to fix Integration Branch
Browse files Browse the repository at this point in the history
  • Loading branch information
reylejano-rxm committed Nov 4, 2020
2 parents b436a81 + 04787a1 commit 3ea3856
Show file tree
Hide file tree
Showing 4 changed files with 21 additions and 5 deletions.
5 changes: 5 additions & 0 deletions content/en/_index.html
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,11 @@ <h2>The Challenges of Migrating 150+ Microservices to Kubernetes</h2>
<br>
<br>
<a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/?utm_source=kubernetes.io&utm_medium=nav&utm_campaign=kccncna20" button id="desktopKCButton">Attend KubeCon NA virtually on November 17-20, 2020</a>
<br>
<br>
<br>
<br>
<a href="https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/?utm_source=kubernetes.io&utm_medium=nav&utm_campaign=kccnceu21" button id="desktopKCButton">Attend KubeCon EU virtually on May 4 – 7, 2021</a>
</div>
<div id="videoPlayer">
<iframe data-url="https://www.youtube.com/embed/H06qrNmGqyE?autoplay=1" frameborder="0" allowfullscreen></iframe>
Expand Down
17 changes: 14 additions & 3 deletions content/en/docs/concepts/services-networking/network-policies.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,12 @@ weight: 50

<!-- overview -->

If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster. NetworkPolicies are an application-centric construct which allow you to specify how a {{< glossary_tooltip text="pod" term_id="pod">}} is allowed to communicate with various network "entities" (we use the word "entity" here to avoid overloading the more common terms such as "endpoints" and "services", which have specific Kubernetes connotations) over the network.
If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster. NetworkPolicies are an application-centric construct which allow you to specify how a {{< glossary_tooltip text="pod" term_id="pod">}} is allowed to communicate with various network "entities" (we use the word "entity" here to avoid overloading the more common terms such as "endpoints" and "services", which have specific Kubernetes connotations) over the network.

The entities that a Pod can communicate with are identified through a combination of the following 3 identifiers:

1. Other pods that are allowed (exception: a pod cannot block access to itself)
2. Namespaces that are allowed
2. Namespaces that are allowed
3. IP blocks (exception: traffic to and from the node where a Pod is running is always allowed, regardless of the IP address of the Pod or the node)

When defining a pod- or namespace- based NetworkPolicy, you use a {{< glossary_tooltip text="selector" term_id="selector">}} to specify what traffic is allowed to and from the Pod(s) that match the selector.
Expand Down Expand Up @@ -208,7 +208,18 @@ You can create a "default" policy for a namespace which prevents all ingress AND

This ensures that even pods that aren't selected by any other NetworkPolicy will not be allowed ingress or egress traffic.

# What you CAN'T do with network policies (at least, not yet)
## SCTP support

{{< feature-state for_k8s_version="v1.19" state="beta" >}}

As a beta feature, this is enabled by default. To disable SCTP at a cluster level, you (or your cluster administrator) will need to disable the `SCTPSupport` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) for the API server with `--feature-gates=SCTPSupport=false,…`.
When the feature gate is enabled, you can set the `protocol` field of a NetworkPolicy to `SCTP`.

{{< note >}}
You must be using a {{< glossary_tooltip text="CNI" term_id="cni" >}} plugin that supports SCTP protocol NetworkPolicies.
{{< /note >}}

## What you can't do with network policies (at least, not yet)

As of Kubernetes 1.20, the following functionality does not exist in the NetworkPolicy API, but you might be able to implement workarounds using Operating System components (such as SELinux, OpenVSwitch, IPTables, and so on) or Layer 7 technologies (Ingress controllers, Service Mesh implementations) or admission controllers. In case you are new to network security in Kubernetes, its worth noting that the following User Stories cannot (yet) be implemented using the NetworkPolicy API. Some (but not all) of these user stories are actively being discussed for future releases of the NetworkPolicy API.

Expand Down
2 changes: 1 addition & 1 deletion content/en/docs/concepts/storage/storage-classes.md
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,7 @@ parameters:
volumeBindingMode: WaitForFirstConsumer
allowedTopologies:
- matchLabelExpressions:
- key: topology.kubernetes.io/zone
- key: failure-domain.beta.kubernetes.io/zone
values:
- us-central1-a
- us-central1-b
Expand Down
2 changes: 1 addition & 1 deletion content/en/docs/concepts/storage/volumes.md
Original file line number Diff line number Diff line change
Expand Up @@ -449,7 +449,7 @@ spec:
required:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/zone
- key: failure-domain.beta.kubernetes.io/zone
operator: In
values:
- us-central1-a
Expand Down

0 comments on commit 3ea3856

Please sign in to comment.