github.com/kubearmor/cilium@v1.6.12/Documentation/kubernetes/policy.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

.. _k8s_policy:

**************
Network Policy
**************

If you are running Cilium on Kubernetes, you can benefit from Kubernetes
distributing policies for you. In this mode, Kubernetes is responsible for
distributing the policies across all nodes and Cilium will automatically apply
the policies. Two formats are available to configure network policies natively
with Kubernetes:

- The standard `NetworkPolicy` resource which, at the time of this writing,
  supports specifying L3/L4 ingress policies, with limited egress support marked
  as beta.

- The extended `CiliumNetworkPolicy` format which is available as a
  `CustomResourceDefinition` and supports specification of policies
  at Layers 3-7 for both ingress and egress.

It is recommended to only use one of the above policy types at a time to
minimize unintended effects arising from the interaction between the
policies.

.. _NetworkPolicy:
.. _networkpolicy_state:

NetworkPolicy
=============

For more information, see the official `NetworkPolicy documentation
<https://kubernetes.io/docs/concepts/services-networking/network-policies/>`_.

Known missing features for Kubernetes Network Policy:

+-------------------------------+----------------------------------------------+
| Feature                       | Tracking Issue                               |
+===============================+==============================================+
| Use of named ports            | https://github.com/cilium/cilium/issues/2942 |
+-------------------------------+----------------------------------------------+
| Ingress CIDR-based L4 policy  | https://github.com/cilium/cilium/issues/1684 |
+-------------------------------+----------------------------------------------+
| ``ipBlock`` set with a pod IP | https://github.com/cilium/cilium/issues/9209 |
+-------------------------------+----------------------------------------------+
| SCTP                          | https://github.com/cilium/cilium/issues/5719 |
+-------------------------------+----------------------------------------------+

.. _CiliumNetworkPolicy:

CiliumNetworkPolicy
===================

The `CiliumNetworkPolicy` is very similar to the standard `NetworkPolicy`. Its
purpose is to provide the functionality which is not yet supported in
`NetworkPolicy`. Ideally all of the functionality will be merged into the
standard resource format and this CRD will no longer be required.

The raw specification of the resource in Go looks like this:

.. code-block:: go

    type CiliumNetworkPolicy struct {
            metav1.TypeMeta `json:",inline"`
            // +optional
            Metadata metav1.ObjectMeta `json:"metadata"`

            // Spec is the desired Cilium specific rule specification.
            Spec *api.Rule `json:"spec,omitempty"`

            // Specs is a list of desired Cilium specific rule specification.
            Specs api.Rules `json:"specs,omitempty"`

            // Status is the status of the Cilium policy rule
            // +optional
            Status CiliumNetworkPolicyStatus `json:"status"`
    }

Metadata
    Describes the policy. This includes:

    * Name of the policy, unique within a namespace
    * Namespace the policy has been injected into
    * Set of labels to identify the resource in Kubernetes

Spec
    Field which contains a :ref:`policy_rule`.

Specs
    Field which contains a list of :ref:`policy_rule`. This field is useful if
    multiple rules must be removed or added automatically.

Status
    Provides visibility into whether the policy has been successfully applied.

Examples
========

See :ref:`policy_examples` for a detailed list of example policies.
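As an added example (not code from the Cilium project), the following Go program reads a JSON-encoded `CiliumNetworkPolicy` into a trimmed copy of the struct shown above and flattens ``spec`` and ``specs`` into the single rule list an operator would review. The stand-in types, the sample policy and the sanity checks (expected ``kind``, a name, at least one rule, an ``endpointSelector`` on every rule) are assumptions of this example, not Cilium's own validation.

```go
package main

import "encoding/json"
import "fmt"

// Trimmed stand-ins for metav1.ObjectMeta and api.Rule (assumed shapes; the real types carry far more fields).
type ObjectMeta struct {
	Name string `json:"name"`
}
type Rule struct {
	EndpointSelector map[string]interface{} `json:"endpointSelector"`
	Ingress          []json.RawMessage      `json:"ingress,omitempty"`
}
// CiliumNetworkPolicy mirrors the struct above: one rule in spec, or several in specs.
type CiliumNetworkPolicy struct {
	Kind     string     `json:"kind"`
	Metadata ObjectMeta `json:"metadata"`
	Spec     *Rule      `json:"spec,omitempty"`
	Specs    []Rule     `json:"specs,omitempty"`
}
// Rules flattens spec and specs into the full list of rules the policy carries.
func (p *CiliumNetworkPolicy) Rules() []Rule {
	if p.Spec == nil {
		return p.Specs
	}
	return append([]Rule{*p.Spec}, p.Specs...)
}

// ParsePolicy decodes a JSON policy and applies assumed sanity checks: right kind, a name, at least one rule, endpointSelector on every rule.
func ParsePolicy(doc []byte) (*CiliumNetworkPolicy, error) {
	var p CiliumNetworkPolicy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	if p.Kind != "CiliumNetworkPolicy" || p.Metadata.Name == "" || len(p.Rules()) == 0 {
		return nil, fmt.Errorf("policy needs kind CiliumNetworkPolicy, metadata.name and spec or specs")
	}
	for i, r := range p.Rules() {
		if r.EndpointSelector == nil {
			return nil, fmt.Errorf("policy %q: rule %d has no endpointSelector", p.Metadata.Name, i)
		}
	}
	return &p, nil
}

// Constructed sample policy: two rules given via specs, the second carrying an L7 HTTP rule.
const samplePolicy = `{"apiVersion":"cilium.io/v2","kind":"CiliumNetworkPolicy","metadata":{"name":"frontend-rules"},
"specs":[{"endpointSelector":{"matchLabels":{"app":"frontend"}},"ingress":[{"fromEndpoints":[{"matchLabels":{"role":"lb"}}]}]},
{"endpointSelector":{"matchLabels":{"app":"api"}},"ingress":[{"fromEndpoints":[{"matchLabels":{"app":"frontend"}}],"toPorts":
[{"ports":[{"port":"8080","protocol":"TCP"}],"rules":{"http":[{"method":"GET","path":"/v1/.*"}]}}]}]}]}`
```

Unknown fields such as ``toPorts`` pass through ``json.RawMessage`` untouched, so the L7 content is preserved for whatever inspects the rules next.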