github.com/cilium/cilium@v1.16.2/Documentation/security/policy/kubernetes.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 https://docs.cilium.io 6 7 Using Kubernetes Constructs In Policy 8 ===================================== 9 10 This section covers Kubernetes specific network policy aspects. 11 12 .. _k8s_namespaces: 13 14 Namespaces 15 ---------- 16 17 `Namespaces <https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/>`_ 18 are used to create virtual clusters within a Kubernetes cluster. All Kubernetes objects 19 including `NetworkPolicy` and `CiliumNetworkPolicy` belong to a particular 20 namespace. 21 22 Known Pitfalls 23 -------------- 24 25 This section covers known pitfalls when using Kubernetes constructs in policy. 26 27 Considerations Of Namespace Boundaries 28 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 29 30 Depending on how a policy is defined and created, Kubernetes namespaces are automatically taken into account. 31 32 Network policies imported directly with the :ref:`api_ref` apply to all 33 namespaces unless a namespace selector is specified as described in 34 :ref:`example_cnp_ns_boundaries`. 35 36 .. _example_cnp_ns_boundaries: 37 38 Example 39 ^^^^^^^ 40 41 This example demonstrates how to enforce Kubernetes namespace-based boundaries 42 for the namespaces ``ns1`` and ``ns2`` by enabling default-deny on all pods of 43 either namespace and then allowing communication from all pods within the same 44 namespace. 45 46 .. note:: The example locks down ingress of the pods in ``ns1`` and ``ns2``. 47 This means that the pods can still communicate egress to anywhere 48 unless the destination is in either ``ns1`` or ``ns2`` in which case 49 both source and destination have to be in the same namespace. In 50 order to enforce namespace boundaries at egress, the same example can 51 be used by specifying the rules at egress in addition to ingress. 52 53 .. only:: html 54 55 .. tabs:: 56 .. group-tab:: k8s YAML 57 58 .. literalinclude:: ../../../examples/policies/kubernetes/namespace/isolate-namespaces.yaml 59 .. group-tab:: JSON 60 61 .. literalinclude:: ../../../examples/policies/kubernetes/namespace/isolate-namespaces.json 62 63 .. only:: epub or latex 64 65 .. literalinclude:: ../../../examples/policies/kubernetes/namespace/isolate-namespaces.json 66 67 Policies Only Apply Within The Namespace 68 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 69 70 Network policies created and imported as `CiliumNetworkPolicy` CRD and 71 `NetworkPolicy` apply within the namespace. In other words, the policy **only** applies 72 to pods within that namespace. It's possible, however, to grant access to and 73 from pods in other namespaces as described in :ref:`example_cnp_across_ns`. 74 75 .. _example_cnp_across_ns: 76 77 Example 78 ^^^^^^^ 79 80 The following example exposes all pods with the label ``name=leia`` in the 81 namespace ``ns1`` to all pods with the label ``name=luke`` in the namespace 82 ``ns2``. 83 84 Refer to the :git-tree:`example YAML files <examples/policies/kubernetes/namespace/demo-pods.yaml>` 85 for a fully functional example including pods deployed to different namespaces. 86 87 .. only:: html 88 89 .. tabs:: 90 .. group-tab:: k8s YAML 91 92 .. literalinclude:: ../../../examples/policies/kubernetes/namespace/namespace-policy.yaml 93 .. group-tab:: JSON 94 95 .. literalinclude:: ../../../examples/policies/kubernetes/namespace/namespace-policy.json 96 97 .. only:: epub or latex 98 99 .. literalinclude:: ../../../examples/policies/kubernetes/namespace/namespace-policy.json 100 101 Specifying Namespace In EndpointSelector, FromEndpoints, ToEndpoints 102 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 103 104 Specifying the namespace by way of the label 105 ``k8s:io.kubernetes.pod.namespace`` in the ``fromEndpoints`` and 106 ``toEndpoints`` fields is supported as described in 107 :ref:`example_cnp_egress_to_kube_system`. 108 However, Kubernetes prohibits specifying the namespace in the ``endpointSelector``, 109 as it would violate the namespace isolation principle of Kubernetes. The 110 ``endpointSelector`` always applies to pods in the namespace 111 associated with the `CiliumNetworkPolicy` resource itself. 112 113 .. _example_cnp_egress_to_kube_system: 114 115 Example 116 ^^^^^^^ 117 118 The following example allows all pods in the ``public`` namespace in which the 119 policy is created to communicate with kube-dns on port 53/UDP in the ``kube-system`` 120 namespace. 121 122 .. only:: html 123 124 .. tabs:: 125 .. group-tab:: k8s YAML 126 127 .. literalinclude:: ../../../examples/policies/kubernetes/namespace/kubedns-policy.yaml 128 .. group-tab:: JSON 129 130 .. literalinclude:: ../../../examples/policies/kubernetes/namespace/kubedns-policy.json 131 132 .. only:: epub or latex 133 134 .. literalinclude:: ../../../examples/policies/kubernetes/namespace/kubedns-policy.json 135 136 137 Namespace Specific Information 138 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 139 140 Using namespace-specific information like 141 ``io.cilium.k8s.namespace.labels`` within a ``fromEndpoints`` or 142 ``toEndpoints`` is supported only for a :ref:`CiliumClusterwideNetworkPolicy` 143 and not a :ref:`CiliumNetworkPolicy`. Hence, ``io.cilium.k8s.namespace.labels`` 144 will be ignored in :ref:`CiliumNetworkPolicy` resources. 145 146 Match Expressions 147 ~~~~~~~~~~~~~~~~~ 148 149 When using ``matchExpressions`` in a :ref:`CiliumNetworkPolicy` or a 150 :ref:`CiliumClusterwideNetworkPolicy`, the list values are 151 treated as a logical AND. If you want to match multiple keys 152 with a logical OR, you must use multiple ``matchExpressions``. 153 154 .. _example_multiple_match_expressions: 155 156 Example 157 ^^^^^^^ 158 159 This example demonstrates how to enforce a policy with multiple ``matchExpressions`` 160 that achieves a logical OR between the keys and its values. 161 162 .. only:: html 163 164 .. tabs:: 165 .. group-tab:: k8s YAML 166 167 .. literalinclude:: ../../../examples/policies/l3/match-expressions/or-statement.yaml 168 169 .. group-tab:: JSON 170 171 .. literalinclude:: ../../../examples/policies/l3/match-expressions/or-statement.json 172 173 .. only:: epub or latex 174 175 .. literalinclude:: ../../../examples/policies/l3/match-expressions/or-statement.json 176 177 178 The following example shows a logical AND using a single ``matchExpression``. 179 180 .. only:: html 181 182 .. tabs:: 183 .. group-tab:: k8s YAML 184 185 .. literalinclude:: ../../../examples/policies/l3/match-expressions/and-statement.yaml 186 187 .. group-tab:: JSON 188 189 .. literalinclude:: ../../../examples/policies/l3/match-expressions/and-statement.json 190 191 ServiceAccounts 192 ~~~~~~~~~~~~~~~ 193 194 Kubernetes `Service Accounts 195 <https://kubernetes.io/docs/concepts/security/service-accounts/>`_ are used 196 to associate an identity to a pod or process managed by Kubernetes and grant 197 identities access to Kubernetes resources and secrets. Cilium supports the 198 specification of network security policies based on the service account 199 identity of a pod. 200 201 The service account of a pod is either defined via the `service account 202 admission controller 203 <https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount>`_ 204 or can be directly specified in the Pod, Deployment, ReplicationController 205 resource like this: 206 207 .. code-block:: yaml 208 209 apiVersion: v1 210 kind: Pod 211 metadata: 212 name: my-pod 213 spec: 214 serviceAccountName: leia 215 ... 216 217 Example 218 ^^^^^^^ 219 220 The following example grants any pod running under the service account of 221 "luke" to issue a ``HTTP GET /public`` request on TCP port 80 to all pods 222 running associated to the service account of "leia". 223 224 Refer to the :git-tree:`example YAML files <examples/policies/kubernetes/serviceaccount/demo-pods.yaml>` 225 for a fully functional example including deployment and service account 226 resources. 227 228 229 .. only:: html 230 231 .. tabs:: 232 .. group-tab:: k8s YAML 233 234 .. literalinclude:: ../../../examples/policies/kubernetes/serviceaccount/serviceaccount-policy.yaml 235 .. group-tab:: JSON 236 237 .. literalinclude:: ../../../examples/policies/kubernetes/serviceaccount/serviceaccount-policy.json 238 239 .. only:: epub or latex 240 241 .. literalinclude:: ../../../examples/policies/kubernetes/serviceaccount/serviceaccount-policy.json 242 243 Multi-Cluster 244 ~~~~~~~~~~~~~ 245 246 When operating multiple cluster with cluster mesh, the cluster name is exposed 247 via the label ``io.cilium.k8s.policy.cluster`` and can be used to restrict 248 policies to a particular cluster. 249 250 .. only:: html 251 252 .. tabs:: 253 .. group-tab:: k8s YAML 254 255 .. literalinclude:: ../../../examples/policies/kubernetes/clustermesh/cross-cluster-policy.yaml 256 257 .. only:: epub or latex 258 259 .. literalinclude:: ../../../examples/policies/kubernetes/clustermesh/cross-cluster-policy.yaml 260 261 Note the ``io.kubernetes.pod.namespace: default`` in the policy 262 rule. It makes sure the policy applies to ``rebel-base`` in the 263 ``default`` namespace of ``cluster2`` regardless of the namespace in 264 ``cluster1`` where ``x-wing`` is deployed in. If the namespace label 265 of policy rules is omitted it defaults to the same namespace where the 266 policy itself is applied in, which may be not what is wanted when 267 deploying cross-cluster policies. 268 269 Clusterwide Policies 270 ~~~~~~~~~~~~~~~~~~~~ 271 272 `CiliumNetworkPolicy` only allows to bind a policy restricted to a particular namespace. There can be situations 273 where one wants to have a cluster-scoped effect of the policy, which can be done using Cilium's 274 `CiliumClusterwideNetworkPolicy` Kubernetes custom resource. The specification of the policy is same as that 275 of `CiliumNetworkPolicy` except that it is not namespaced. 276 277 In the cluster, this policy will allow ingress traffic from pods matching the label ``name=luke`` from any 278 namespace to pods matching the labels ``name=leia`` in any namespace. 279 280 .. only:: html 281 282 .. tabs:: 283 .. group-tab:: k8s YAML 284 285 .. literalinclude:: ../../../examples/policies/kubernetes/clusterwide/clusterscope-policy.yaml 286 287 .. only:: epub or latex 288 289 .. literalinclude:: ../../../examples/policies/kubernetes/clusterwide/clusterscope-policy.yaml 290 291 Allow All Cilium Managed Endpoints To Communicate With Kube-dns 292 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 293 294 The following example allows all Cilium managed endpoints in the cluster to communicate 295 with kube-dns on port 53/UDP in the ``kube-system`` namespace. 296 297 .. only:: html 298 299 .. tabs:: 300 .. group-tab:: k8s YAML 301 302 .. literalinclude:: ../../../examples/policies/kubernetes/clusterwide/wildcard-from-endpoints.yaml 303 304 .. only:: epub or latex 305 306 .. literalinclude:: ../../../examples/policies/kubernetes/clusterwide/wildcard-from-endpoints.yaml 307 308 .. _health_endpoint: 309 310 Example: Add Health Endpoint 311 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 312 313 The following example adds the health entity to all Cilium managed endpoints in order to check 314 cluster connectivity health. 315 316 .. only:: html 317 318 .. tabs:: 319 .. group-tab:: k8s YAML 320 321 .. literalinclude:: ../../../examples/policies/kubernetes/clusterwide/health.yaml 322 323 .. only:: epub or latex 324 325 .. literalinclude:: ../../../examples/policies/kubernetes/clusterwide/health.yaml