https://kube-network-policies.sigs.k8s.io/docs/concepts/Recent content in Concepts on Kubernetes Network PoliciesHugoen-ushttps://kube-network-policies.sigs.k8s.io/docs/concepts/architecture/Mon, 01 Jan 0001 00:00:00 +0000https://kube-network-policies.sigs.k8s.io/docs/concepts/architecture/<p>The <code>kube-network-policies</code> project is designed to enforce Kubernetes network policies by intercepting and evaluating network packets in userspace. This is achieved by using <code>NFQUEUE</code> to redirect packets to the controller, which then decides whether to allow or deny them based on a pipeline of policy evaluators.</p> <h2 id="packet-flow">Packet Flow</h2> <p>The following diagram illustrates the flow of a network packet from the Linux kernel to the userspace controller and back:</p> <pre class="mermaid">graph TD Packet[Incoming/Outgoing Packet] --&gt; Kernel[Linux Kernel] Kernel --&gt;|nftables rule matches| NFQ[NFQUEUE] NFQ --&gt;|Intercepted| Controller[Dataplane Controller] Controller --&gt;|Evaluate packet| Engine[Policy Engine] Engine --&gt;|Query Pod Info| PIP[Pod Info Provider] Engine --&gt;|Process through| Pipeline[Policy Evaluators Pipeline] Pipeline --&gt;|Verdict: Accept/Deny| Engine Engine --&gt;|Send Verdict| Controller Controller --&gt;|Set NFQ verdict| Kernel Kernel --&gt;|Allow/Drop packet| Done[Done]</pre> <p>To avoid the performance penalty of sending all packets to userspace, the controller includes logic to only capture packets for pods that are targeted by at least one network policy.</p>https://kube-network-policies.sigs.k8s.io/docs/concepts/policy-evaluators/Mon, 01 Jan 0001 00:00:00 +0000https://kube-network-policies.sigs.k8s.io/docs/concepts/policy-evaluators/<p>The <code>PolicyEvaluator</code> interface is the core abstraction of the packet filtering pipeline in <code>kube-network-policies</code>. Each evaluator is responsible for processing a packet and deciding its outcome based on its policy implementation.</p> <h2 id="the-policyevaluator-interface">The PolicyEvaluator Interface</h2> <p>The interface is defined in <code>pkg/api/interfaces.go</code> (or <code>pkg/networkpolicy/engine.go</code>) as follows:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="kd">type</span> <span class="nx">PolicyEvaluator</span> <span class="kd">interface</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">Name</span><span class="p">()</span> <span class="kt">string</span> </span></span><span class="line"><span class="cl"> <span class="nf">EvaluateIngress</span><span class="p">(</span><span class="nx">ctx</span> <span class="nx">context</span><span class="p">.</span><span class="nx">Context</span><span class="p">,</span> <span class="nx">p</span> <span class="o">*</span><span class="nx">network</span><span class="p">.</span><span class="nx">Packet</span><span class="p">,</span> <span class="nx">srcPod</span><span class="p">,</span> <span class="nx">dstPod</span> <span class="o">*</span><span class="nx">api</span><span class="p">.</span><span class="nx">PodInfo</span><span class="p">)</span> <span class="p">(</span><span class="nx">Verdict</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">EvaluateEgress</span><span class="p">(</span><span class="nx">ctx</span> <span class="nx">context</span><span class="p">.</span><span class="nx">Context</span><span class="p">,</span> <span class="nx">p</span> <span class="o">*</span><span class="nx">network</span><span class="p">.</span><span class="nx">Packet</span><span class="p">,</span> <span class="nx">srcPod</span><span class="p">,</span> <span class="nx">dstPod</span> <span class="o">*</span><span class="nx">api</span><span class="p">.</span><span class="nx">PodInfo</span><span class="p">)</span> <span class="p">(</span><span class="nx">Verdict</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>The <code>Verdict</code> returned by each evaluator can be one of the following:</p> <ul> <li><code>VerdictAccept</code>: The packet is allowed, and no further evaluators in the pipeline are consulted.</li> <li><code>VerdictDeny</code>: The packet is denied, and no further evaluators are consulted.</li> <li><code>VerdictNext</code>: The packet does not match this policy (or is passed through), and the engine continues to the next evaluator in the pipeline.</li> </ul> <h2 id="the-pipeline-order">The Pipeline Order</h2> <p>When a packet is evaluated, it is processed sequentially by a pipeline of policy evaluators. The order is crucial, especially for Admin Network Policies:</p>