* Add network policy document
* style: Format code with prettier and gofumpt
* replace tab with space
* style: Format code with prettier and gofumpt

---------

Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>
Co-authored-by: Yusuke Kato <[email protected]>
1 parent 5a9c8ef, commit 3d39dc5
Showing 1 changed file with 55 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
# Network Policy | ||
|
||
[Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) is a Kubernetes feature that controls ingress and egress network traffic for pods. In Vald, you can set network policies as follows. | ||
|
||
> Please note that [prerequisites](https://kubernetes.io/docs/concepts/services-networking/network-policies/#prerequisites) are required for using network policies. Even if you configure the following settings in a cluster that does not meet the prerequisites, network policies will not be effective. | ||
# Network Policy in Vald | ||
|
||
To enable network policies in a Vald cluster, set `defaults.networkPolicy.enabled` to `true` as follows: | ||
|
||
```yaml | ||
defaults: | ||
networkPolicy: | ||
enabled: true | ||
``` | ||
This sets the following ingress/egress rules between Vald components (these are the minimum required rules for a Vald cluster to work). | ||
| from / to | agent | discoverer | filter gateway | lb gateway | index manager | kube-system | | ||
| -------------- | ----- | ---------- | -------------- | ---------- | ------------- | ----------- | | ||
| agent | N/A | ⛔ | ⛔ | ⛔ | ⛔ | ✅ | | ||
| discoverer | ⛔ | N/A | ⛔ | ⛔ | ⛔ | ✅ | | ||
| filter gateway | ⛔ | ⛔ | N/A | ✅ | ⛔ | ✅ | | ||
| lb gateway | ✅ | ✅ | ⛔ | N/A | ⛔ | ✅ | | ||
| index manager | ✅ | ✅ | ⛔ | ⛔ | N/A | ✅ | | ||
# Add a user custom Network Policy | ||
There may be cases where you want to connect a Vald cluster to external components. Specifically, for the following cases: | ||
- Enable egress to `OpenTelemetryCollector` to use [observability features](https://vald.vdaas.org/docs/user-guides/observability-configuration/) | ||
- Enable egress to an external filter component to use [filtering features](https://vald.vdaas.org/docs/user-guides/filtering-configuration/). | ||
|
||
To handle such cases, Vald allows you to set user custom network policies using the `defaults.networkPolicy.custom` field as follows: | ||
|
||
```yaml | ||
defaults: | ||
networkPolicy: | ||
enabled: true | ||
custom: | ||
ingress: | ||
- from: | ||
- podSelector: | ||
matchLabels: | ||
app.kubernetes.io/name: pyroscope | ||
egress: | ||
- to: | ||
- podSelector: | ||
matchLabels: | ||
app.kubernetes.io/name: opentelemetry-collector-collector | ||
``` | ||
|
||
Please write down the same notation as the `ingress/egress` field of [NetworkPolicy resource](https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource) in our `custom` field. | ||
|
||
> Currently, these custom network policies are applied to all Vald components. |
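Review bot: the custom policy example (the `podSelector` entries under `custom.ingress` and `custom.egress`) only selects pods in the namespace the NetworkPolicy is created in; a `podSelector` inside a `from`/`to` entry never matches pods in another namespace unless a `namespaceSelector` is combined with it in the same entry. If the OpenTelemetry collector or Pyroscope runs in a different namespace, the example as written will not open that traffic, so the document should either add a `namespaceSelector` next to each `podSelector` or state that the external component must live in the Vald namespace. Two smaller points: the table header `from / to` does not say which axis is the source (from the rows `lb gateway → agent ✅` and `index manager → agent ✅` it reads as rows = from, columns = to), so stating that explicitly above the table avoids misreading the matrix; and `# Network Policy in Vald` and `# Add a user custom Network Policy` are top-level headings alongside the document title, which a `##` level would fix. Finally, given the closing note that custom rules apply to all Vald components, it is worth saying that a permissive custom `ingress` entry such as the `pyroscope` one widens the exposure of every component, agents included, so custom rules should be kept as narrow as the integration needs.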