generated from kubernetes/kubernetes-template-project
-
Notifications
You must be signed in to change notification settings - Fork 34
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: walkthrough use cases and example
Signed-off-by: Hunter Gregory <[email protected]>
- Loading branch information
1 parent
cc23bf1
commit 69b62f2
Showing
9 changed files
with
294 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| ## Use Cases | ||
|
|
||
| 1. Test a new policy before applying it to your cluster. | ||
| 2. Understand which policies are affecting traffic in your cluster. | ||
|
|
||
| ## Overview | ||
|
|
||
| ```bash | ||
| # single source/destination read from cluster. policies read from YAML files | ||
| policy-assistant analyze --mode walkthrough \ | ||
| --policy-path policies/ \ | ||
| --src-workload demo/deployment/a \ | ||
| --dst-workload demo/pod/b \ | ||
| --port 81 \ | ||
| --protocol TCP | ||
|
|
||
| # multiple traffic tuples (not necessarily read from cluster). policies read from cluster | ||
| policy-assistant analyze --mode walkthrough \ | ||
| --namespace demo \ | ||
| --traffic-path traffic.json | ||
| ``` | ||
|
|
||
| Example output: | ||
|
|
||
| ```bash | ||
| +-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+ | ||
| | TRAFFIC | VERDICT | INGRESS WALKTHROUGH | EGRESS WALKTHROUGH | | ||
| +-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+ | ||
| | demo/deployment/a -> demo/pod/b:80 (TCP) | Allowed | [ANP] Allow (allow-80) | no policies targeting egress | | ||
| +-------------------------------------------------+---------+-----------------------------------------------------------------------------+ + | ||
| | demo/deployment/a -> demo/pod/b:81 (TCP) | Denied | [ANP] No-Op -> [BANP] Deny (baseline-deny) | | | ||
| +-------------------------------------------------+ +-----------------------------------------------------------------------------+ + | ||
| | demo2/[app=nginx] -> demo/deployment/a:81 (TCP) | | [ANP] Pass (development-ns) -> [NPv1] Dropped (demo/deny-anything-to-pod-a) | | | ||
| +-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+ | ||
| ``` | ||
|
|
||
| ## Demo | ||
|
|
||
| To try for yourself: | ||
|
|
||
| 1. Download `policy-assistant` via the [Quick Install](../../../README.md#quick-install) guide. | ||
| 1. Leverage the JSON/YAML files in this folder. | ||
| 1. Not required: create a Kubernetes cluster and apply any desired YAML files. | ||
|
|
||
| ## Usage | ||
|
|
||
| ### Specifying Policies | ||
|
|
||
| #### Option 1: reference policies from YAML files | ||
|
|
||
| Use this argument: `--policy-path <file/folder>` | ||
|
|
||
| #### Option 2: reference policies from cluster | ||
|
|
||
| Specify the `--namespace` or `--all-namespaces`. | ||
|
|
||
| ### Specifying Pods | ||
|
|
||
| #### Option 1: specify single source/destination in CLI args | ||
|
|
||
| You can use the following arguments to reference Pods from cluster by workload name: | ||
|
|
||
| ```bash | ||
| policy-assistant analyze --mode walkthrough \ | ||
| --src-workload demo/deployment/a \ | ||
| --dst-workload demo/pod/b \ | ||
| --port 81 \ | ||
| --protocol TCP | ||
| ``` | ||
|
|
||
| #### Option 2: specify multiple source/destination pairs in JSON | ||
|
|
||
| You can also reference Pods via JSON. | ||
| You can also specify Pods which are not running in a cluster in this JSON. | ||
|
|
||
| See the example *traffic.json* file. | ||
|
|
||
| ```bash | ||
| policy-assistant analyze --mode walkthrough \ | ||
| --traffic-path traffic.json | ||
| ``` |
46 changes: 46 additions & 0 deletions
46
cmd/policy-assistant/examples/demos/walkthrough/demo-deployment-a.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| namespace: demo | ||
| labels: | ||
| pod: a | ||
| name: a | ||
| spec: | ||
| replicas: 1 | ||
| selector: | ||
| matchLabels: | ||
| pod: a | ||
| template: | ||
| metadata: | ||
| labels: | ||
| pod: a | ||
| spec: | ||
| containers: | ||
| - command: | ||
| - /agnhost | ||
| - serve-hostname | ||
| - --tcp | ||
| - --http=false | ||
| - --port | ||
| - "80" | ||
| image: registry.k8s.io/e2e-test-images/agnhost:2.43 | ||
| imagePullPolicy: IfNotPresent | ||
| name: cont-80-tcp | ||
| ports: | ||
| - containerPort: 80 | ||
| name: serve-80-tcp | ||
| protocol: TCP | ||
| - command: | ||
| - /agnhost | ||
| - serve-hostname | ||
| - --tcp | ||
| - --http=false | ||
| - --port | ||
| - "81" | ||
| image: registry.k8s.io/e2e-test-images/agnhost:2.43 | ||
| imagePullPolicy: IfNotPresent | ||
| name: cont-81-tcp | ||
| ports: | ||
| - containerPort: 81 | ||
| name: serve-81-tcp | ||
| protocol: TCP |
37 changes: 37 additions & 0 deletions
37
cmd/policy-assistant/examples/demos/walkthrough/demo-pod-b.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| namespace: demo | ||
| labels: | ||
| pod: b | ||
| name: b | ||
| spec: | ||
| containers: | ||
| - command: | ||
| - /agnhost | ||
| - serve-hostname | ||
| - --tcp | ||
| - --http=false | ||
| - --port | ||
| - "80" | ||
| image: registry.k8s.io/e2e-test-images/agnhost:2.43 | ||
| imagePullPolicy: IfNotPresent | ||
| name: cont-80-tcp | ||
| ports: | ||
| - containerPort: 80 | ||
| name: serve-80-tcp | ||
| protocol: TCP | ||
| - command: | ||
| - /agnhost | ||
| - serve-hostname | ||
| - --tcp | ||
| - --http=false | ||
| - --port | ||
| - "81" | ||
| image: registry.k8s.io/e2e-test-images/agnhost:2.43 | ||
| imagePullPolicy: IfNotPresent | ||
| name: cont-81-tcp | ||
| ports: | ||
| - containerPort: 81 | ||
| name: serve-81-tcp | ||
| protocol: TCP |
18 changes: 18 additions & 0 deletions
18
cmd/policy-assistant/examples/demos/walkthrough/policies/anp1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| apiVersion: policy.networking.k8s.io/v1alpha1 | ||
| kind: AdminNetworkPolicy | ||
| metadata: | ||
| name: anp1 | ||
| spec: | ||
| priority: 1 | ||
| subject: | ||
| namespaces: {} | ||
| ingress: | ||
| - name: "allow-80" | ||
| action: "Allow" | ||
| from: | ||
| - namespaces: | ||
| namespaceSelector: {} | ||
| ports: | ||
| - portNumber: | ||
| protocol: TCP | ||
| port: 80 |
16 changes: 16 additions & 0 deletions
16
cmd/policy-assistant/examples/demos/walkthrough/policies/anp2.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| apiVersion: policy.networking.k8s.io/v1alpha1 | ||
| kind: AdminNetworkPolicy | ||
| metadata: | ||
| name: anp2 | ||
| spec: | ||
| priority: 2 | ||
| subject: | ||
| namespaces: {} | ||
| ingress: | ||
| - name: "development-ns" | ||
| action: "Pass" | ||
| from: | ||
| - namespaces: | ||
| namespaceSelector: | ||
| matchLabels: | ||
| development: "true" |
13 changes: 13 additions & 0 deletions
13
cmd/policy-assistant/examples/demos/walkthrough/policies/banp.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| apiVersion: policy.networking.k8s.io/v1alpha1 | ||
| kind: BaselineAdminNetworkPolicy | ||
| metadata: | ||
| name: default | ||
| spec: | ||
| subject: | ||
| namespaces: {} | ||
| ingress: | ||
| - name: "baseline-deny" | ||
| action: "Deny" | ||
| from: | ||
| - namespaces: | ||
| namespaceSelector: {} |
12 changes: 12 additions & 0 deletions
12
cmd/policy-assistant/examples/demos/walkthrough/policies/npv1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| kind: NetworkPolicy | ||
| apiVersion: networking.k8s.io/v1 | ||
| metadata: | ||
| namespace: demo | ||
| name: deny-anything-to-pod-a | ||
| spec: | ||
| policyTypes: | ||
| - Ingress | ||
| podSelector: | ||
| matchLabels: | ||
| pod: a | ||
| ingress: [] |
49 changes: 49 additions & 0 deletions
49
cmd/policy-assistant/examples/demos/walkthrough/traffic.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| [ | ||
| { | ||
| "Source": { | ||
| "Internal": { | ||
| "Workload": "demo/deployment/a" | ||
| } | ||
| }, | ||
| "Destination": { | ||
| "Internal": { | ||
| "Workload": "demo/pod/b" | ||
| } | ||
| }, | ||
| "Protocol": "TCP", | ||
| "ResolvedPort": 80, | ||
| "ResolvedPortName": "serve-80-tcp" | ||
| }, | ||
| { | ||
| "Source": { | ||
| "Internal": { | ||
| "Workload": "demo/deployment/a" | ||
| } | ||
| }, | ||
| "Destination": { | ||
| "Internal": { | ||
| "Workload": "demo/pod/b" | ||
| } | ||
| }, | ||
| "Protocol": "TCP", | ||
| "ResolvedPort": 81, | ||
| "ResolvedPortName": "serve-81-tcp" | ||
| }, | ||
| { | ||
| "Source": { | ||
| "Internal": { | ||
| "PodLabels": {"app": "nginx"}, | ||
| "NamespaceLabels": {"development": "true"}, | ||
| "Namespace": "demo2" | ||
| } | ||
| }, | ||
| "Destination": { | ||
| "Internal": { | ||
| "Workload": "demo/deployment/a" | ||
| } | ||
| }, | ||
| "Protocol": "TCP", | ||
| "ResolvedPort": 81, | ||
| "ResolvedPortName": "serve-81-tcp" | ||
| } | ||
| ] |