old-vK8s-Network-Policy
Objective
This document provides instructions on how to configure and apply a network policy for traffic to and from virtual K8s (vK8s) Pods using policy rules and policy sets. For background on network policy, see Volterra Network Policy.
Using these instructions, you can create network policies whose policy rules control the traffic to and from the applications in your namespace.
Prerequisites
- A Volterra account. Note: If you do not have an account, see Create a Volterra Account.
- One or more cloud or edge locations with a Volterra Site. Note: Install the Volterra node or cluster image in your site.
Configuration
The following image shows the configuration workflow for policy rule, policy, and policy set:
Configuration Sequence
Configuring a network policy requires the following sequence of actions:
| Phase | Description |
|---|---|
| Create Network Policy Rule | Create a policy rule to use in the policy. |
| Create Network Policy | Create a policy that references the policy rule. |
| Create Network Policy Set | Create a policy set that references the policy. |
Create Network Policy Rule
Step 1: Select or create the desired namespace. Select Security from the configuration menu and vK8s Network Policy from the options pane.
Note: You can create a network policy in the shared namespace or in an application namespace.
Step 2: Select Network Policy Rules and click Add network policy rule.
Enter the policy rule configuration parameters as per the following guidelines:
- Name: Name of the network policy rule.
- Remote endpoint: The remote endpoint can be one of the following types:
  - A prefix, in the same <ip address>/<prefix length> form as a local endpoint prefix.
  - A prefix selector, a label expression in the same form as a local endpoint prefix selector.
  - A prefix set (a set of prefixes, i.e. an allow list or a deny list).
- Action: The supported actions are 'allow' and 'deny'.
- Protocol: The transport protocol the rule applies to, such as TCP or UDP.
Create Network Policy
Step 1: Select Network Policies under vK8s Network Policy and click Add network policy.
Enter the policy configuration parameters as per the following guidelines:
- Name: Name of the network policy.
- Local endpoint: The local endpoint of the network policy can be one of the following types:
  - Prefix: An IP prefix written in the form <ip address>/<prefix length>. Example prefixes are 10.1.2.3/32 (a single host) and 10.1.2.0/24.
  - Prefix selector: A label expression. If the labels of an IP address match the label expression, that IP address is considered a local endpoint.
- Ingress rules: Relative to the local endpoint, these rules apply to all sessions and traffic received by the local endpoint(s) from remote endpoint(s).
Note: If no ingress rule is configured, the default action is to drop ingress traffic.
- Egress rules: Relative to the local endpoint, these rules apply to all sessions and traffic sent by the local endpoint(s) to remote endpoint(s).
Create Network Policy Set
Step 1: Select Network Policy Sets under vK8s Network Policy and click Add network policy set.
Enter the policy set configuration parameters as per the following guidelines:
- Name: Name of the network policy set.
- Policies: Select the network policy created above.
Example: Allow Only Authorized DNS Servers
This example creates a network policy that blocks all outbound DNS queries from namespace "hello-webapp" except those sent to the authorized server.
Step 1: Create the following two network policy rules:
- Policy rule 'allow-google-dns': action allow, protocol UDP, port 53, remote endpoint 8.8.8.8/32.
- Policy rule 'block-all-dns': action deny, protocol UDP, port 53, remote endpoint 0.0.0.0/0.
Step 2: Create a network policy whose local endpoint (prefix or prefix selector) covers the hello-webapp Pods, and add the rules from Step 1 as egress rules, since DNS queries are traffic sent by the local endpoint. List 'allow-google-dns' before 'block-all-dns' so that the specific allow is matched before the catch-all deny; with the deny listed first, the allow rule is never reached and queries to 8.8.8.8 are blocked as well.
Step 3: Create a network policy set by selecting the policy created in Step 2.
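The following Python model, added here as an illustration and not Volterra's own code or API, evaluates the policy from this example against a few constructed sessions. It models the local endpoint, ingress and egress rules described under Create Network Policy and the two rules above, so that the effect of rule ordering can be checked before the policy is applied. Two points are assumptions rather than statements from this page: rules are evaluated in list order with the first match winning, and a flow that matches no rule is denied in both directions (the page states the drop default only for ingress). The local prefix 10.1.2.0/24 (the page's own example prefix) stands in for the hello-webapp Pods, and the flows are constructed sample data.

```python
"""Model of vK8s network policy evaluation (added example, not Volterra code).

Assumptions not stated on the documentation page:
  * rules in a policy are evaluated in list order and the first match wins;
  * a flow matching no rule gets the default action, which the page gives as
    "drop" for ingress; the same default is assumed here for egress.
All addresses, rule names and flows below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    remote_prefix: str   # remote endpoint as <ip address>/<prefix length>
    protocol: str        # transport protocol, e.g. "UDP" or "TCP"
    port: int            # destination port of the session
    action: str          # "allow" or "deny"

    def matches(self, remote_ip: str, protocol: str, port: int) -> bool:
        net = ipaddress.ip_network(self.remote_prefix, strict=False)
        return (self.protocol.upper() == protocol.upper()
                and self.port == port
                and ipaddress.ip_address(remote_ip) in net)


@dataclass
class Policy:
    name: str
    local_prefix: str    # local endpoint given as an IP prefix
    ingress_rules: List[Rule] = field(default_factory=list)
    egress_rules: List[Rule] = field(default_factory=list)

    def _is_local(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.local_prefix, strict=False)

    def decide(self, src_ip: str, dst_ip: str, protocol: str, port: int,
               default: str = "deny") -> Tuple[str, Optional[str]]:
        """Return (action, matched rule name) for one session.

        Direction is relative to the local endpoint: a session sent by a local
        address is egress (remote = destination); one received by a local
        address is ingress (remote = source).
        """
        if self._is_local(src_ip):
            rules, remote = self.egress_rules, dst_ip
        elif self._is_local(dst_ip):
            rules, remote = self.ingress_rules, src_ip
        else:
            raise ValueError("neither endpoint is local to this policy")
        for rule in rules:            # first matching rule wins (assumption)
            if rule.matches(remote, protocol, port):
                return rule.action, rule.name
        return default, None          # no rule matched: page-stated drop for ingress, assumed for egress


# The two rules from the example on this page.
ALLOW_GOOGLE_DNS = Rule("allow-google-dns", "8.8.8.8/32", "UDP", 53, "allow")
BLOCK_ALL_DNS = Rule("block-all-dns", "0.0.0.0/0", "UDP", 53, "deny")

CORRECT_ORDER = (ALLOW_GOOGLE_DNS, BLOCK_ALL_DNS)   # specific allow before catch-all deny
WRONG_ORDER = (BLOCK_ALL_DNS, ALLOW_GOOGLE_DNS)     # catch-all deny shadows the allow


def dns_policy(rule_order) -> Policy:
    """Policy for the hello-webapp Pods (local prefix is the page's example prefix)."""
    return Policy("hello-webapp-dns", "10.1.2.0/24", egress_rules=list(rule_order))


def check_dns_flows(rule_order) -> dict:
    """Evaluate two outbound DNS queries and one inbound session with no ingress rule."""
    pol = dns_policy(rule_order)
    return {
        "to_google": pol.decide("10.1.2.7", "8.8.8.8", "UDP", 53),
        "to_other": pol.decide("10.1.2.7", "1.1.1.1", "UDP", 53),
        "inbound_no_rule": pol.decide("192.0.2.10", "10.1.2.7", "TCP", 443),
    }


if __name__ == "__main__":
    for label, order in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, check_dns_flows(order))
```

With the allow rule listed first, the query to 8.8.8.8 is allowed and the query to 1.1.1.1 hits block-all-dns; with the deny listed first, both queries are denied by block-all-dns and the allow rule is dead. The inbound session is dropped because the policy has no ingress rule, matching the note under Create Network Policy.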