Support for endPort in multi-networkpolicy

[girishmg]

Now that K8s v1.21+ supports endPort in NetworkPolicyPort field, should we also add it to multi-networkpolicy CRD?

From here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicyport-v1-networking-k8s-io

endPortinteger | If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort 
must be equal or greater than port. This feature is in Alpha state and should be enabled using the Feature Gate 
"NetworkPolicyEndPort".

@dougbtv @s1061123 any thoughts?

[s1061123]

Thank you for the info, @girishmg !

I suppose we should support it in the future but not immediately due to following reasons:

• multi-networkpolicy itself is not matured as we noted in Current Status of the Repository
  in README.md so we need to track Kubernetes update as soon as possible
• multi-networkpolicy's dataplane implementation (and only one consumer of multi-networkpolicy as far as I know of), multi-networkpolicy-iptables does not implemented it yet (please let me know if some implementation wants to have the field)

Hence I suppose we could introduce this field in next API revision 'v1beta2' of our scheme.

What do you think about it?

[girishmg]

@s1061123 we are adding support for multi-networkpolicy in the OVN Kubernetes CNI project. That implementation will need endPort support. Can we please introduce this field in the next API version v1beta2? Thank you.

[s1061123]

@girishmg sure. will do that and let you know when I'm done. BTW, does this mean ovn-k supports secondary networks? Currently multi-networkpolicy is only for secondary network interface. Just a double check.

[girishmg]

Thank you @s1061123 . Yes we are adding support to OVN-K8s for secondary networks. The WIP PR is here: ovn-kubernetes/ovn-kubernetes#2775