github.com/cilium/cilium@v1.16.2/Documentation/network/servicemesh/external-ingress-policy.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

*************************
External Lock-down Policy
*************************

By default, all external traffic is allowed. Let's apply a `CiliumNetworkPolicy` to lock down external traffic.

.. literalinclude:: ../../../examples/kubernetes/servicemesh/policy/external-lockdown.yaml

.. parsed-literal::

    $ kubectl apply -f \ |SCM_WEB|\/examples/kubernetes/servicemesh/policy/external-lockdown.yaml

With this policy applied, any request originating from outside the cluster is rejected with a ``403 Forbidden``:

.. code-block:: shell-session

    $ curl --fail -v http://"$HTTP_INGRESS"/details/1
    *   Trying 172.18.255.194:80...
    * Connected to 172.18.255.194 (172.18.255.194) port 80
    > GET /details/1 HTTP/1.1
    > Host: 172.18.255.194
    > User-Agent: curl/8.6.0
    > Accept: */*
    >
    < HTTP/1.1 403 Forbidden
    < content-length: 15
    < content-type: text/plain
    < date: Thu, 29 Feb 2024 12:59:54 GMT
    < server: envoy
    * The requested URL returned error: 403
    * Closing connection
    curl: (22) The requested URL returned error: 403

    # Capture hubble flows in another terminal
    $ kubectl --namespace=kube-system exec -i -t cilium-xjl4x -- hubble observe -f --identity ingress
    Defaulted container "cilium-agent" out of: cilium-agent, config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), wait-for-node-init (init), clean-cilium-state (init), install-cni-binaries (init)
    Feb 29 13:00:29.389: 172.18.0.1:53866 (ingress) -> kube-system/cilium-ingress:80 (world) http-request DROPPED (HTTP/1.1 GET http://172.18.255.194/details/1)
    Feb 29 13:00:29.389: 172.18.0.1:53866 (ingress) <- kube-system/cilium-ingress:80 (world) http-response FORWARDED (HTTP/1.1 403 0ms (GET http://172.18.255.194/details/1))

Let's check that in-cluster traffic to the Ingress endpoint is still allowed:

.. parsed-literal::

    # The test-application.yaml contains a client pod with curl available
    $ kubectl apply -f \ |SCM_WEB|\/examples/kubernetes/servicemesh/envoy/test-application.yaml
    $ kubectl exec -it deployment/client -- curl -s http://$HTTP_INGRESS/details/1
    {"id":1,"author":"William Shakespeare","year":1595,"type":"paperback","pages":200,"publisher":"PublisherA","language":"English","ISBN-10":"1234567890","ISBN-13":"123-1234567890"}%

Another common use case is to allow only a specific set of IP addresses to access the Ingress. This can be achieved with
the policy below:

.. literalinclude:: ../../../examples/kubernetes/servicemesh/policy/allow-ingress-cidr.yaml

.. parsed-literal::

    $ kubectl apply -f \ |SCM_WEB|\/examples/kubernetes/servicemesh/policy/allow-ingress-cidr.yaml

.. code-block:: shell-session

    $ curl -s --fail http://"$HTTP_INGRESS"/details/1
    {"id":1,"author":"William Shakespeare","year":1595,"type":"paperback","pages":200,"publisher":"PublisherA","language":"English","ISBN-10":"1234567890","ISBN-13":"123-1234567890"}
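Rather than reading the ``hubble observe`` stream by eye, the verdicts can be tallied per source address to confirm that a lock-down or CIDR allow-list policy is doing what the ``curl`` checks above suggest. The script below is an added example, not part of the Cilium documentation or project; the flow lines it parses are constructed in the format shown above, and the in-cluster source ``10.244.1.23`` is an assumed pod address.

```shell
#!/bin/sh
# Constructed sample of `hubble observe --identity ingress` output (not a real
# capture): one external client whose request was dropped by the lock-down
# policy, and one assumed in-cluster pod (10.244.1.23) whose request went through.
SAMPLE_FLOWS='Feb 29 13:00:29.389: 172.18.0.1:53866 (ingress) -> kube-system/cilium-ingress:80 (world) http-request DROPPED (HTTP/1.1 GET http://172.18.255.194/details/1)
Feb 29 13:00:29.389: 172.18.0.1:53866 (ingress) <- kube-system/cilium-ingress:80 (world) http-response FORWARDED (HTTP/1.1 403 0ms (GET http://172.18.255.194/details/1))
Feb 29 13:01:02.110: 10.244.1.23:41230 (ingress) -> kube-system/cilium-ingress:80 (world) http-request FORWARDED (HTTP/1.1 GET http://172.18.255.194/details/1)
Feb 29 13:01:02.111: 10.244.1.23:41230 (ingress) <- kube-system/cilium-ingress:80 (world) http-response FORWARDED (HTTP/1.1 200 3ms (GET http://172.18.255.194/details/1))'

# count_http_requests FLOWS SRC_IP VERDICT
# Count request-direction ("->") http-request flows from SRC_IP with the given
# verdict (DROPPED or FORWARDED). Field layout of a hubble line:
#   $1-$3 timestamp, $4 src ip:port, $5 src identity, $6 direction,
#   $7 dst, $8 dst identity, $9 flow type, $10 verdict, $11.. request summary
# Only IPv4 sources are handled, since the port is split off at the first ":".
count_http_requests() {
    printf '%s\n' "$1" | awk -v ip="$2" -v verdict="$3" '
        $6 == "->" && $9 == "http-request" && $10 == verdict {
            split($4, src, ":")
            if (src[1] == ip) n++
        }
        END { print n + 0 }'
}

# external_source_locked_down FLOWS SRC_IP
# Succeeds when SRC_IP had at least one dropped request and no forwarded one,
# i.e. the policy is being enforced for that address; fails otherwise.
external_source_locked_down() {
    [ "$(count_http_requests "$1" "$2" FORWARDED)" -eq 0 ] &&
    [ "$(count_http_requests "$1" "$2" DROPPED)" -gt 0 ]
}

# Stand-alone run over the constructed sample.
for ip in 172.18.0.1 10.244.1.23; do
    if external_source_locked_down "$SAMPLE_FLOWS" "$ip"; then
        echo "$ip: all http-requests dropped, lock-down enforced"
    else
        echo "$ip: forwarded http-request seen, traffic allowed"
    fi
done
```

Pipe a live capture into the same logic with ``count_http_requests "$(kubectl ... hubble observe --identity ingress --last 200)" <ip> DROPPED`` once the policy is applied; a FORWARDED count above zero for an address outside the allowed CIDRs means the policy is not matching as intended.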