Add network policy document (#2095)
* Add network policy document

* style: Format code with prettier and gofumpt

* replace tab with space

* style: Format code with prettier and gofumpt

---------

Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>
Co-authored-by: Yusuke Kato <[email protected]>
3 people authored Jun 29, 2023
1 parent 5a9c8ef commit 3d39dc5
Showing 1 changed file with 55 additions and 0 deletions.
55 changes: 55 additions & 0 deletions docs/user-guides/network-policy.md
@@ -0,0 +1,55 @@
# Network Policy

[Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) is a Kubernetes feature that controls ingress and egress network traffic for pods. In Vald, you can set network policies as follows.

> Please note that [prerequisites](https://kubernetes.io/docs/concepts/services-networking/network-policies/#prerequisites) are required for using network policies. Even if you configure the following settings in a cluster that does not meet the prerequisites, network policies will not be effective.
# Network Policy in Vald

To enable network policies in a Vald cluster, set `defaults.networkPolicy.enabled` to `true` as follows:

```yaml
defaults:
networkPolicy:
enabled: true
```
This sets the following ingress/egress rules between Vald components (these are the minimum required rules for a Vald cluster to work).
| from / to | agent | discoverer | filter gateway | lb gateway | index manager | kube-system |
| -------------- | ----- | ---------- | -------------- | ---------- | ------------- | ----------- |
| agent | N/A | ⛔ | ⛔ | ⛔ | ⛔ | ✅ |
| discoverer | ⛔ | N/A | ⛔ | ⛔ | ⛔ | ✅ |
| filter gateway | ⛔ | ⛔ | N/A | ✅ | ⛔ | ✅ |
| lb gateway | ✅ | ✅ | ⛔ | N/A | ⛔ | ✅ |
| index manager | ✅ | ✅ | ⛔ | ⛔ | N/A | ✅ |
# Add a user custom Network Policy
There may be cases where you want to connect a Vald cluster to external components. Specifically, for the following cases:
- Enable egress to `OpenTelemetryCollector` to use [observability features](https://vald.vdaas.org/docs/user-guides/observability-configuration/)
- Enable egress to an external filter component to use [filtering features](https://vald.vdaas.org/docs/user-guides/filtering-configuration/).

To handle such cases, Vald allows you to set user custom network policies using the `defaults.networkPolicy.custom` field as follows:

```yaml
defaults:
networkPolicy:
enabled: true
custom:
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: pyroscope
egress:
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: opentelemetry-collector-collector
```

Please write down the same notation as the `ingress/egress` field of [NetworkPolicy resource](https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource) in our `custom` field.

> Currently, these custom network policies are applied to all Vald components.
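
Review bot: The closing note in the "Add a user custom Network Policy" section says custom rules apply to all Vald components, which means the example `ingress` rule for `app.kubernetes.io/name: pyroscope` opens every component, agents included, to that pod; this deserves more than a trailing blockquote. Suggest moving the note above the YAML example and stating outright that a custom rule widens the minimum rule set in the table for every component, so selectors should be kept as narrow as possible. The example also uses a bare `podSelector`, which in a NetworkPolicy only matches pods in the policy's own namespace; if the collector or pyroscope runs in a different namespace the rule will not match, so either mention `namespaceSelector` or say the example assumes the same namespace. On the table: there is no legend for ✅/⛔, no explanation of why every component is allowed to reach `kube-system`, and no statement of how client traffic reaches the gateways once `defaults.networkPolicy.enabled` is `true`; a sentence for each would prevent readers from guessing. Style: the three headings are all level 1 (`# Network Policy in Vald`, `# Add a user custom Network Policy`) and should be `##` under the page title, the two bullet items end inconsistently (one with a period, one without), and "Please write down the same notation as" would read better as "Use the same notation as".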
