github.phpd.cn/cilium/cilium@v1.6.12/Documentation/policy/intro.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

.. _policy_guide:

.. _policy_enforcement_modes:

Policy Enforcement Modes
========================

Whether an endpoint accepts traffic from a given source (or may send traffic to a given destination) is determined by two things: the policy enforcement mode of the Cilium agent and the network policy rules that select the endpoint. The agent can be put into one of the following three policy enforcement modes:

default
  This is the default behavior for policy enforcement when Cilium is launched without
  any specified value for the policy enforcement configuration. The following rules
  apply:

  * If any rule selects an :ref:`endpoint` and the rule has an ingress
    section, the endpoint goes into default deny at ingress.
  * If any rule selects an :ref:`endpoint` and the rule has an egress section, the
    endpoint goes into default deny at egress.

  This means that endpoints start without any restrictions. As soon as a rule
  restricts an endpoint's ability to receive traffic on ingress or to transmit
  traffic on egress, that endpoint goes into whitelisting mode for the affected
  direction and all traffic in that direction must be explicitly allowed. The
  other direction stays unrestricted until a rule with a section for it selects
  the endpoint.

always
  With always mode, policy enforcement is enabled on all endpoints, even if no
  rules select them. An endpoint which no rule selects therefore has nothing
  whitelisted and drops all ingress and egress traffic.

never
  With never mode, policy enforcement is disabled on all endpoints, even if
  rules do select them. In other words, all traffic is allowed from any source
  (on ingress) or to any destination (on egress).

To configure the policy enforcement mode at runtime for all endpoints managed by a Cilium agent, use:

.. code:: bash

    $ cilium config PolicyEnforcement={default,always,never}

To configure the policy enforcement mode at start-time for a particular agent, provide the following flag when launching the Cilium
daemon:

.. code:: bash

    $ cilium-agent --enable-policy={default,always,never} [...]

Similarly, you can set the policy enforcement mode across a Kubernetes cluster by setting the corresponding environment variable on the ``cilium-agent`` container in the Cilium DaemonSet:

.. code:: yaml

    - name: CILIUM_ENABLE_POLICY
      value: always


.. _policy_rule:

Rule Basics
===========

All policy rules are based upon a whitelist model, that is, each rule in the
policy allows traffic that matches the rule; a rule can only widen what is
allowed, never deny traffic. If two rules exist and one would match a broader
set of traffic, then all traffic matching the broader rule will be allowed. If
two or more rules overlap, then traffic matching the union of those rules will
be allowed. Finally, if traffic does not match any of the rules, it will be
dropped, provided the endpoint is subject to enforcement in that direction
according to the `policy_enforcement_modes`.

Policy rules share a common base type which specifies which endpoints the
rule applies to and common metadata to identify the rule. Each rule is split
into an ingress section and an egress section. The ingress section contains
the rules applied to traffic entering the endpoints matched by the endpoint
selector, and the egress section contains the rules applied to traffic leaving
those endpoints. Either ingress, egress, or both can be provided. If both
ingress and egress are omitted, the rule has no effect.

.. code-block:: go

    type Rule struct {
        // EndpointSelector selects all endpoints which should be subject to
        // this rule. Cannot be empty.
        EndpointSelector EndpointSelector `json:"endpointSelector"`

        // Ingress is a list of IngressRule which are enforced at ingress.
        // If omitted or empty, this rule does not apply at ingress.
        //
        // +optional
        Ingress []IngressRule `json:"ingress,omitempty"`

        // Egress is a list of EgressRule which are enforced at egress.
        // If omitted or empty, this rule does not apply at egress.
        //
        // +optional
        Egress []EgressRule `json:"egress,omitempty"`

        // Labels is a list of optional strings which can be used to
        // re-identify the rule or to store metadata. It is possible to lookup
        // or delete strings based on labels. Labels are not required to be
        // unique, multiple rules can have overlapping or identical labels.
        //
        // +optional
        Labels labels.LabelArray `json:"labels,omitempty"`

        // Description is a free form string, it can be used by the creator of
        // the rule to store human readable explanation of the purpose of this
        // rule. Rules cannot be identified by comment.
        //
        // +optional
        Description string `json:"description,omitempty"`
    }
   116  
----

endpointSelector
  Selects the endpoints which the policy rules apply to. The policy rules
  will be applied to all endpoints which match the labels specified in the
  `endpointSelector`. See the `LabelSelector` section for additional details.

ingress
  List of rules which must apply at ingress of the endpoint, i.e. to all
  network packets which are entering the endpoint.

egress
  List of rules which must apply at egress of the endpoint, i.e. to all network
  packets which are leaving the endpoint.

labels
  Labels are used to identify the rule. Rules can be listed and deleted by
  labels. Policy rules which are imported via :ref:`kubernetes<k8s_policy>`
  automatically get the label ``io.cilium.k8s.policy.name=NAME`` assigned where
  ``NAME`` corresponds to the name specified in the `NetworkPolicy` or
  `CiliumNetworkPolicy` resource.

description
  Description is a string which is not interpreted by Cilium. It can be used to
  describe the intent and scope of the rule in a human readable form.
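
The enforcement modes described earlier and the whitelist semantics of this section can be checked against a small model. The following Go program is an added example written for this page; it is not Cilium code and does not call the Cilium API. It keeps the shape of the ``Rule`` struct above (including its JSON tags) but reduces the endpoint selector to ``matchLabels`` and the per-direction rules to peer selectors named ``fromEndpoints`` and ``toEndpoints``, which are assumptions of the example rather than fields this page defines. The sample policy is constructed for the example: two overlapping ingress-only rules that both select ``app=db``. ``Enforcement`` reproduces the per-direction default-deny decision for each mode, and ``IngressAllowed`` applies the union of the matching rules.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// EnforcementMode holds one of the three values of `cilium config PolicyEnforcement`.
type EnforcementMode string

const (
	ModeDefault EnforcementMode = "default"
	ModeAlways  EnforcementMode = "always"
	ModeNever   EnforcementMode = "never"
)

// EndpointSelector is reduced to matchLabels (an AND of exact matches; an empty selector matches all);
// matchExpressions are not modelled.
type EndpointSelector struct {
	MatchLabels map[string]string `json:"matchLabels"`
}

func (s EndpointSelector) Matches(labels map[string]string) bool {
	for k, v := range s.MatchLabels {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Per-direction rules are reduced to peer selectors; these field names are an assumption of this example.
type IngressRule struct{ FromEndpoints []EndpointSelector `json:"fromEndpoints,omitempty"` }
type EgressRule struct{ ToEndpoints []EndpointSelector `json:"toEndpoints,omitempty"` }

// Rule follows the shape of the Rule struct above, metadata fields omitted.
type Rule struct {
	EndpointSelector EndpointSelector `json:"endpointSelector"`
	Ingress          []IngressRule    `json:"ingress,omitempty"`
	Egress           []EgressRule     `json:"egress,omitempty"`
}

// Enforcement reports whether ingress and egress policy is enforced for an endpoint: "always" and
// "never" ignore the rules; "default" enforces a direction once a rule with that section selects it.
func Enforcement(mode EnforcementMode, rules []Rule, ep map[string]string) (ingress, egress bool) {
	if mode == ModeAlways || mode == ModeNever {
		return mode == ModeAlways, mode == ModeAlways
	}
	for _, r := range rules {
		if r.EndpointSelector.Matches(ep) {
			ingress = ingress || len(r.Ingress) > 0
			egress = egress || len(r.Egress) > 0
		}
	}
	return ingress, egress
}

// IngressAllowed decides whether traffic from src may enter dst. Rules are a whitelist: the flow passes
// if it matches the union of all ingress rules selecting dst and is dropped otherwise when enforced.
func IngressAllowed(mode EnforcementMode, rules []Rule, dst, src map[string]string) bool {
	if enforced, _ := Enforcement(mode, rules, dst); !enforced {
		return true // direction not enforced: everything passes
	}
	for _, r := range rules {
		if !r.EndpointSelector.Matches(dst) {
			continue
		}
		for _, in := range r.Ingress {
			for _, from := range in.FromEndpoints {
				if from.Matches(src) {
					return true
				}
			}
		}
	}
	return false
}

// samplePolicy is constructed for this example (not from a real cluster): two overlapping
// ingress-only rules that both select app=db.
const samplePolicy = `[
 {"endpointSelector": {"matchLabels": {"app": "db"}}, "ingress": [{"fromEndpoints": [{"matchLabels": {"app": "api"}}]}]},
 {"endpointSelector": {"matchLabels": {"app": "db"}}, "ingress": [{"fromEndpoints": [{"matchLabels": {"tier": "backend"}}]}]}
]`

func LoadRules(doc string) ([]Rule, error) {
	var rules []Rule
	return rules, json.Unmarshal([]byte(doc), &rules)
}

func main() {
	rules, err := LoadRules(samplePolicy)
	if err != nil {
		panic(err)
	}
	db, web := map[string]string{"app": "db"}, map[string]string{"app": "web"}
	for _, mode := range []EnforcementMode{ModeDefault, ModeAlways, ModeNever} {
		in, eg := Enforcement(mode, rules, db)
		fmt.Printf("%-7s db: ingress enforced=%-5v egress enforced=%-5v web->db allowed=%v\n", mode, in, eg, IngressAllowed(mode, rules, db, web))
	}
}
```

Run it with ``go run``. Under ``default`` the ``app=db`` endpoint enforces ingress only (egress stays open because no rule has an egress section); traffic from ``app=api`` or ``tier=backend`` passes because either rule matches, while ``app=web`` is dropped. Under ``always`` an endpoint that no rule selects drops all ingress, and under ``never`` everything passes regardless of the rules. The model ignores everything else a real rule can carry (``matchExpressions``, L4 ports, L7 rules, CIDR and entity selectors), so it illustrates the mode and union semantics rather than full Cilium behaviour.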
   142  
.. _label_selector:
.. _LabelSelector:
.. _EndpointSelector:

Endpoint Selector
-----------------

The Endpoint Selector is based on the `Kubernetes LabelSelector
<https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors>`_.
It is called Endpoint Selector because it only applies to labels associated
with `endpoints`.