github.com/cilium/cilium@v1.16.2/Documentation/security/network/policyenforcement.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

******************
Policy Enforcement
******************

All security policies are described assuming stateful policy enforcement for
session-based protocols. This means that the intent of the policy is to
describe the allowed direction of connection establishment. If the policy allows
``A => B``, then reply packets from ``B`` to ``A`` are automatically allowed as
well. However, ``B`` is not automatically allowed to initiate connections to
``A``. If that outcome is desired, then both directions must be explicitly
allowed.

Security policies may be enforced at *ingress* or *egress*. For *ingress*,
this means that each cluster node verifies all incoming packets and determines
whether the packet is allowed to be transmitted to the intended endpoint.
Correspondingly, for *egress* each cluster node verifies outgoing packets and
determines whether the packet is allowed to be transmitted to its intended
destination.

In order to enforce identity-based security in a multi-host cluster, the
identity of the transmitting endpoint is embedded into every network packet
that is transmitted between cluster nodes. The receiving cluster node can
then extract the identity and verify whether that particular identity is allowed
to communicate with any of the local endpoints.

Default Security Policy
=======================

If no policy is loaded, the default behavior is to allow all communication
unless policy enforcement has been explicitly enabled. As soon as the first
policy rule is loaded, policy enforcement is enabled automatically and any
communication must then be whitelisted or the relevant packets will be
dropped.

Similarly, if an endpoint is not subject to an *L4* policy, communication from
and to all ports is permitted. Associating at least one *L4* policy with an
endpoint will block all connectivity to its ports unless explicitly allowed.
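The directionality rule (``A => B`` does not imply ``B => A``) and the *L4* default-deny effect described above, as an added ``CiliumNetworkPolicy`` example that is not part of this page; the labels ``app: a`` and ``app: b`` and the ports are assumptions.

```yaml
# Policy 1: allow endpoints labelled app=a to open TCP/80 connections to
# endpoints labelled app=b. Because this is an L4 ingress rule, every other
# ingress port on app=b is now blocked unless another rule allows it.
# Reply packets from b back to a on this connection need no extra rule:
# enforcement is stateful, so they are matched to the established session.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-a-to-b-http
spec:
  endpointSelector:
    matchLabels:
      app: b          # assumed label of the receiving endpoint
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: a        # assumed label of the initiating endpoint
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
---
# Policy 2: Policy 1 does NOT let app=b initiate connections to app=a.
# If b must also open its own connections to a (here assumed TCP/8080),
# that direction has to be whitelisted explicitly with a second rule.
# Loading this rule also puts app=a under L4 policy, so its other ingress
# ports become blocked until a rule allows them.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-b-to-a-8080
spec:
  endpointSelector:
    matchLabels:
      app: a
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: b
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
```

Applying only the first manifest is a useful check of the stateful semantics: an HTTP request from ``a`` to ``b`` succeeds and its reply is delivered, while a connection attempt from ``b`` to ``a`` is dropped until the second manifest is applied.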