github.com/fafucoder/cilium@v1.6.11/Documentation/kubernetes/policy.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

.. _k8s_policy:

**************
Network Policy
**************

If you are running Cilium on Kubernetes, you can benefit from Kubernetes
distributing policies for you. In this mode, Kubernetes is responsible for
distributing the policies across all nodes and Cilium will automatically apply
the policies. Two formats are available to configure network policies natively
with Kubernetes:

- The standard `NetworkPolicy` resource which, at the time of this writing,
  supports specifying L3/L4 ingress policies with limited egress support marked
  as beta.

- The extended `CiliumNetworkPolicy` format which is available as a
  `CustomResourceDefinition` which supports specification of policies
  at Layers 3-7 for both ingress and egress.

It is recommended to only use one of the above policy types at a time to
minimize unintended effects arising from the interaction between the
policies.

.. _NetworkPolicy:
.. _networkpolicy_state:

NetworkPolicy
=============

For more information, see the official `NetworkPolicy documentation
<https://kubernetes.io/docs/concepts/services-networking/network-policies/>`_.
Known missing features for Kubernetes Network Policy:

+------------------------------+----------------------------------------------+
| Feature                      | Tracking Issue                               |
+==============================+==============================================+
| Use of named ports           | https://github.com/cilium/cilium/issues/2942 |
+------------------------------+----------------------------------------------+
| Ingress CIDR-based L4 policy | https://github.com/cilium/cilium/issues/1684 |
+------------------------------+----------------------------------------------+

.. _CiliumNetworkPolicy:

CiliumNetworkPolicy
===================

The `CiliumNetworkPolicy` is very similar to the standard `NetworkPolicy`. Its
purpose is to provide the functionality which is not yet supported in
`NetworkPolicy`. Ideally all of the functionality will be merged into the
standard resource format and this CRD will no longer be required.

The raw specification of the resource in Go looks like this:

.. code-block:: go

    type CiliumNetworkPolicy struct {
            metav1.TypeMeta `json:",inline"`
            // +optional
            Metadata metav1.ObjectMeta `json:"metadata"`

            // Spec is the desired Cilium specific rule specification.
            Spec *api.Rule `json:"spec,omitempty"`

            // Specs is a list of desired Cilium specific rule specifications.
            Specs api.Rules `json:"specs,omitempty"`

            // Status is the status of the Cilium policy rule
            // +optional
            Status CiliumNetworkPolicyStatus `json:"status"`
    }

Metadata
  Describes the policy. This includes:

  * Name of the policy, unique within a namespace
  * Namespace of where the policy has been injected into
  * Set of labels to identify the resource in Kubernetes

Spec
  Field which contains a :ref:`policy_rule`
Specs
  Field which contains a list of :ref:`policy_rule`. This field is useful if
  multiple rules must be removed or added automatically.
Status
  Provides visibility into whether the policy has been successfully applied

Examples
========

See :ref:`policy_examples` for a detailed list of example policies.
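As an added illustration that is not part of the Cilium documentation, the manifest below shows how the ``specs`` field of the resource described above carries several independent rules in one ``CiliumNetworkPolicy``, including an L7 HTTP match that the standard ``NetworkPolicy`` cannot express. The namespace, labels, ports and paths are assumptions chosen for the example.

```yaml
# Added example manifest (not from the Cilium docs): one CiliumNetworkPolicy
# whose `specs` field carries two independent rules. Namespace, labels,
# ports and HTTP paths are constructed for illustration.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  # Name must be unique within the namespace the policy is injected into.
  name: frontend-and-db-access
  namespace: shop
specs:
  # Rule 1: only pods labelled app=frontend may reach the API pods, and
  # only with GET requests under /public/. Selecting the API pods puts them
  # into default-deny for ingress; everything not listed here is dropped.
  - endpointSelector:
      matchLabels:
        app: api
    ingress:
      - fromEndpoints:
          - matchLabels:
              app: frontend
        toPorts:
          - ports:
              - port: "8080"
                protocol: TCP
            rules:
              http:
                - method: "GET"
                  path: "/public/.*"
  # Rule 2: L3/L4 only. The API pods are the sole permitted clients of the
  # database, and only on TCP/5432.
  - endpointSelector:
      matchLabels:
        app: db
    ingress:
      - fromEndpoints:
          - matchLabels:
              app: api
        toPorts:
          - ports:
              - port: "5432"
                protocol: TCP
```

After ``kubectl apply -f`` of this file, ``kubectl get cnp frontend-and-db-access -n shop -o yaml`` returns the stored object including the ``status`` field described above, which is how an operator confirms the rules were actually enforced rather than merely accepted by the API server.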