Update the user stories to ClusterNetworkPolicy

bowei · bowei · commit 1f3a55b75d54 · 2025-09-19T14:57:05.000-07:00
Fixes the user-story-*.yamls
diff --git a/site-src/user-stories.md b/site-src/user-stories.md
@@ -3,24 +3,26 @@
 **ALL** Network Policy API resources and future API developments should start with
 a **well-defined** and **intentional** user story(s).
 
-## AdminNetworkPolicy + BaselineAdminNetworkPolicy
+## ClusterNetworkPolicy (CNP)
 
-### v1alpha1 User Stories
+### User Stories
+
+The following user stories drive the concepts for the adminstrative resources.
+Discussions on the user stories can be found here:
+
+* [API KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/2091-admin-network-policy)
+* [KEP PR](https://github.com/kubernetes/enhancements/pull/2522)
 
-The following user stories drive the concepts for the `v1alpha1` version of the
-ANP and BANP resources. More information on how the community ended up here
-can be found in the [API KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/2091-admin-network-policy)
-and in the accompanying [KEP PR](https://github.com/kubernetes/enhancements/pull/2522)
 
 #### Story 1: Deny traffic at a cluster level
 
 As a cluster admin, I want to apply non-overridable deny rules
 to certain pod(s) and(or) Namespace(s) that isolate the selected
 resources from all other cluster internal traffic.
 
-For Example: In this diagram there is a AdminNetworkPolicy applied to the
-`sensitive-ns` denying ingress from all other in-cluster resources for all
-ports and protocols.
+For Example: In this diagram there is a `ClusterNetworkPolicy` in the `Admin`
+tier applied to the `sensitive-ns` denying ingress from all other in-cluster
+resources for all ports and protocols.
 
 ![Alt text](./images/explicit_deny.png?raw=true "Explicit Deny")
 
@@ -35,9 +37,10 @@ As a cluster admin, I want to apply non-overridable allow rules to
 certain pods(s) and(or) Namespace(s) that enable the selected resources
 to communicate with all other cluster internal entities.  
 
-For Example: In this diagram there is a AdminNetworkPolicy applied to every
-namespace in the cluster allowing egress traffic to `kube-dns` pods, and ingress
-traffic from pods in `monitoring-ns` for all ports and protocols.
+For Example: In this diagram there is a `ClusterNetworkPolicy` in the `Admin`
+tier applied to every namespace in the cluster allowing egress traffic to
+`kube-dns` pods, and ingress traffic from pods in `monitoring-ns` for all ports
+and protocols.
 
 ![Alt text](./images/explicit_allow.png?raw=true "Explicit Allow")
 
@@ -52,10 +55,10 @@ As a cluster admin, I want to explicitly delegate traffic so that it
 skips any remaining cluster network policies and is handled by standard
 namespace scoped network policies.
 
-For Example: In the diagram below egress traffic destined for the service svc-pub
-in namespace bar-ns-1 on TCP port 8080 is delegated to the k8s network policies
-implemented in foo-ns-1 and foo-ns-2. If no k8s network policies touch the
-delegated traffic the traffic will be allowed.
+For Example: In the diagram below egress traffic destined for the service
+`svc-pub` in namespace `bar-ns-1` on TCP port 8080 is delegated to the k8s
+network policies implemented in `foo-ns-1` and `foo-ns-2`. If no k8s network
+policies match the delegated traffic, the traffic will be allowed.
 
 ![Alt text](./images/delegation.png?raw=true "Delegate")
 
@@ -66,6 +69,8 @@ delegated traffic the traffic will be allowed.
 
 #### Story 4: Create and Isolate multiple tenants in a cluster
 
+(Currently not implementable)
+
 As a cluster admin, I want to build tenants in my cluster that are isolated from
 each other by default. Tenancy may be modeled as 1:1, where 1 tenant is mapped
 to a single Namespace, or 1:n, where a single tenant may own more than 1 Namespace.
@@ -93,7 +98,7 @@ so that all intra-cluster traffic (except for certain essential traffic) is
 blocked by default. Namespace owners will need to use NetworkPolicies to
 explicitly allow known traffic. This follows a whitelist model which is
 familiar to many security administrators, and similar
-to how [kubernetes suggests network policy be used](https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies).
+to how [kubernetes suggests network policy be used][k8s-default-policies].
 
 For Example: In the following diagram all Ingress traffic to every cluster
 resource is denied by a baseline deny rule.
@@ -104,3 +109,5 @@ resource is denied by a baseline deny rule.
     ```yaml
     --8<-- "user-story-examples/user-story-5.yaml"
     ```
+
+[k8s-default-policies]: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies
diff --git a/site-src/user-story-examples/user-story-1.yaml b/site-src/user-story-examples/user-story-1.yaml
@@ -1,8 +1,9 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: AdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
   name: cluster-wide-deny-example
 spec:
+  tier: Admin
   priority: 10
   subject:
     namespaces:
@@ -12,5 +13,5 @@ spec:
     - action: Deny
       from:
       - namespaces:
-         namespaceSelector: {}
+          matchLabels: {} # Match all namespaces.
       name: select-all-deny-all
diff --git a/site-src/user-story-examples/user-story-2.yaml b/site-src/user-story-examples/user-story-2.yaml
@@ -1,26 +1,26 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: AdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
   name: cluster-wide-allow-example
 spec:
+  tier: Admin
   priority: 30
   subject:
     namespaces: {}
   ingress:
-    - action: Allow
+    - action: Accept
       from:
       - namespaces:
-          namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: monitoring-ns
+          matchLabels:
+            kubernetes.io/metadata.name: monitoring-ns
   egress:
-    - action: Allow
-      to:
-      - pods:
-          namespaces:
-            namespaceSelector:
-              matchlabels:
-                kubernetes.io/metadata.name: kube-system
-          podSelector:
-            matchlabels:
-              app: kube-dns
+  - action: Accept
+    name: allow-kube-dns-egress
+    to:
+    - pods:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: kube-system
+        podSelector:
+          matchLabels:
+            app: kube-dns
diff --git a/site-src/user-story-examples/user-story-3.yaml b/site-src/user-story-examples/user-story-3.yaml
@@ -1,13 +1,14 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: AdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
   name: pub-svc-delegate-example
 spec:
+  tier: Admin
   priority: 20
   subject:
     namespaces: {}
   egress:
-  - action: Pass
+  - action: Pass # to be handled by NetworkPolicy.
     to:
     - pods:
         namespaceSelector:
diff --git a/site-src/user-story-examples/user-story-4-v1.yaml b/site-src/user-story-examples/user-story-4-v1.yaml
@@ -1,9 +1,10 @@
 
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: AdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
   name: tenant-creation-example
 spec:
+  tier: Admin
   priority: 50
   subject:
     namespaces:
diff --git a/site-src/user-story-examples/user-story-4-v2.yaml b/site-src/user-story-examples/user-story-4-v2.yaml
@@ -1,8 +1,9 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: AdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
   name: tenant-creation-example
 spec:
+  tier: Admin
   priority: 50
   subject:
     namespaces:
@@ -15,5 +16,4 @@ spec:
           # See https://network-policy-api.sigs.k8s.io/npeps/npep-122/ for more details.
     - action: Deny   # Deny everything else other than same tenant traffic
       from:
-      - namespaces:
-          namespaceSelector: {}
+      - namespaces: {}
diff --git a/site-src/user-story-examples/user-story-5.yaml b/site-src/user-story-examples/user-story-5.yaml
@@ -1,12 +1,13 @@
-apiVersion: policy.networking.k8s.io/v1alpha1
-kind: BaselineAdminNetworkPolicy
+apiVersion: policy.networking.k8s.io/v1alpha2
+kind: ClusterNetworkPolicy
 metadata:
   name: default
 spec:
+  tier: Baseline
+  priority: 10
   subject:
     namespaces: {}
   ingress:
     - action: Deny   # zero-trust cluster default security posture
       from:
-      - namespaces:
-          namespaceSelector: {}
+      - namespaces: {}
