Commit

LFX mentorship: add Antrea project idea (#1278)
Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
antoninbas authored Jul 25, 2024
1 parent 0280cd1 commit f2340ed
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions programs/lfx-mentorship/2024/03-Sep-Nov/project_ideas.md
Expand Up @@ -295,3 +295,16 @@ Expected Outcome: Gadget developers have a way to run unit tests in different ke
- Mariam Fahmy (@MariamFahmy98, mariam@nirmata.com)
- Shuting Zhao (@realshuting, shuting@nirmata.com)
- Upstream Issue: https://github.com/kyverno/kyverno/issues/9478

### Antrea

#### Support application-level DNS caches when using FQDN-based security rules

- Description: Antrea provides [Network Policy APIs](https://github.com/antrea-io/antrea/blob/main/docs/antrea-network-policy.md) (in the form of K8s CRDs) for K8s cluster administrators and application developers to declare security rules in order to protect workloads. These APIs complement the [Network Policies supported natively in K8s](https://kubernetes.io/docs/concepts/services-networking/network-policies/). When using the Antrea-specific Network Policy APIs, it is possible to use Fully Qualified Domain Names (FQDNs) in order to select the list of external domains with which a K8s application is allowed to communicate, or forbidden from communicating. The current implementation of this feature is not compatible with applications which directly cache the result of DNS queries. We have found that this type of caching is frequent for Java applications, which greatly impacts the usability of FQDN-based security rules. We believe that by defining a new configuration parameter for the Antrea implementation, we can bypass the issue and ensure that the feature can be used even with such applications, providing of course that the parameter is set correctly by users.
- Expected Outcome: Definition and implementation of a new configuration parameter (`minTLS`) for the Antrea Agent, which will ensure that FQDN-based security rules can be used even with application that cache DNS results. The implementation should come with a sufficient amount of tests (both unit tests and e2e tests), ensuring that the feature is working as expected.
- Recommended Skills: familiarity with Golang, some knowledge about the K8s architecture and APIs, basic knowledge about networking in particular of the DNS protocol.
- Mentor(s):
- Quan Tian (@tnqn, tianquan23@gmail.com)
- Yang Ding (@Dyanngg, dingyany1995@outlook.com)
- Antonin Bas (@antoninbas, antonin.bas@gmail.com)
- Upstream Issue: https://github.com/antrea-io/antrea/issues/6229
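
Review bot: the parameter name `minTLS` in the Expected Outcome bullet reads as a TLS setting, while the Description is entirely about applications caching DNS query results and the hunk never mentions TLS. If the parameter is meant to be a minimum TTL for DNS results, it should be spelled `minTTL`; either way, please add a short statement of what the parameter controls, because the Description only says it must be "set correctly by users" and a reader cannot tell from this text what a correct value is or what happens to FQDN rule enforcement when it is set wrong. Two wording nits in the same lines: "with application that cache DNS results" should be "applications", and "providing of course that" reads better as "provided, of course, that".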
