From 7e51cd3a87be8236b3aca372c0c9d25ef999fcd8 Mon Sep 17 00:00:00 2001 From: ykadowak Date: Wed, 28 Jun 2023 07:35:04 +0000 Subject: [PATCH 1/4] Add network policy document --- docs/user-guides/network-policy.md | 56 ++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 docs/user-guides/network-policy.md diff --git a/docs/user-guides/network-policy.md b/docs/user-guides/network-policy.md new file mode 100644 index 0000000000..6b8c328376 --- /dev/null +++ b/docs/user-guides/network-policy.md 
@@ -0,0 +1,56 @@ +# Network Policy + +[Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) is a Kubernetes feature that controls ingress and egress network traffic for pods. In Vald, you can set network policies as follows. + +> Please note that [prerequisites](https://kubernetes.io/docs/concepts/services-networking/network-policies/#prerequisites) are required for using network policies. Even if you configure the following settings in a cluster that does not meet the prerequisites, network policies will not be effective. + +# Network Policy in Vald + +To enable network policies in a Vald cluster, set `defaults.networkPolicy.enabled` to `true` as follows: + +```yaml +defaults: + networkPolicy: + enabled: true +``` + +This sets the following ingress/egress rules between Vald components (these are the minimum required rules for a Vald cluster to work). + +| from / to | agent | discoverer | filter gateway | lb gateway | index manager | kube-system | +| --- | --- | --- | --- | --- | --- | --- | +| agent | N/A | ⛔ | ⛔ | ⛔ | ⛔ | ✅ | +| discoverer | ⛔ | N/A | ⛔ | ⛔ | ⛔ | ✅ | +| filter gateway | ⛔ | ⛔ | N/A | ✅ | ⛔ | ✅ | +| lb gateway | ✅ | ✅ | ⛔ | N/A | ⛔ | ✅ | +| index manager | ✅ | ✅ | ⛔ | ⛔ | N/A | ✅ | + +# Add a user custom Network Policy + +There may be cases where you want to connect a Vald cluster to external components. Specifically, for the following cases: + +- Enable egress to `OpenTelemetryCollector` to use [observability features](https://vald.vdaas.org/docs/user-guides/observability-configuration/) +- Enable egress to an external filter component to use [filtering features](https://vald.vdaas.org/docs/user-guides/filtering-configuration/). 
+ +To handle such cases, Vald allows you to set user custom network policies using the `defaults.networkPolicy.custom` field as follows: + +``` +defaults: + networkPolicy: + enabled: true + custom: + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: pyroscope + egress: + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: opentelemetry-collector-collector + +``` + +Please write down the same notation as the `ingress/egress` field of [NetworkPolicy resource](https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource) in our `custom` field. + +> Currently, these custom network policies are applied to all Vald components. From 81e1865db8a6dd475677682fc60c7fabfe3fa74a Mon Sep 17 00:00:00 2001 From: "deepsource-autofix[bot]" <62050782+deepsource-autofix[bot]@users.noreply.github.com> Date: Wed, 28 Jun 2023 07:35:56 +0000 Subject: [PATCH 2/4] style: Format code with prettier and gofumpt --- docs/user-guides/network-policy.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/user-guides/network-policy.md b/docs/user-guides/network-policy.md index 6b8c328376..359d05d5d1 100644 --- a/docs/user-guides/network-policy.md +++ b/docs/user-guides/network-policy.md 
@@ -16,13 +16,13 @@ defaults: This sets the following ingress/egress rules between Vald components (these are the minimum required rules for a Vald cluster to work). -| from / to | agent | discoverer | filter gateway | lb gateway | index manager | kube-system | -| --- | --- | --- | --- | --- | --- | --- | -| agent | N/A | ⛔ | ⛔ | ⛔ | ⛔ | ✅ | -| discoverer | ⛔ | N/A | ⛔ | ⛔ | ⛔ | ✅ | -| filter gateway | ⛔ | ⛔ | N/A | ✅ | ⛔ | ✅ | -| lb gateway | ✅ | ✅ | ⛔ | N/A | ⛔ | ✅ | -| index manager | ✅ | ✅ | ⛔ | ⛔ | N/A | ✅ | +| from / to | agent | discoverer | filter gateway | lb gateway | index manager | kube-system | +| -------------- | ----- | ---------- | -------------- | ---------- | ------------- | ----------- | +| agent | N/A | ⛔ | ⛔ | ⛔ | ⛔ | ✅ | +| discoverer | ⛔ | N/A | ⛔ | ⛔ | ⛔ | ✅ | +| filter gateway | ⛔ | ⛔ | N/A | ✅ | ⛔ | ✅ | +| lb gateway | ✅ | ✅ | ⛔ | N/A | ⛔ | ✅ | +| index manager | ✅ | ✅ | ⛔ | ⛔ | N/A | ✅ | # Add a user custom Network Policy From f9fee7565d75bbd2a27d0fe84df3a1ac570098ae Mon Sep 17 00:00:00 2001 From: ykadowak Date: Wed, 28 Jun 2023 07:37:28 +0000 Subject: [PATCH 3/4] replace tab with space --- docs/user-guides/network-policy.md | 33 +++++++++++++++--------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/docs/user-guides/network-policy.md b/docs/user-guides/network-policy.md index 359d05d5d1..4065da106e 100644 --- a/docs/user-guides/network-policy.md +++ b/docs/user-guides/network-policy.md @@ -10,8 +10,8 @@ To enable network policies in a Vald cluster, set `defaults.networkPolicy.enable ```yaml defaults: - networkPolicy: - enabled: true + networkPolicy: + enabled: true ``` This sets the following ingress/egress rules between Vald components (these are the minimum required rules for a Vald cluster to work). 
@@ -33,22 +33,21 @@ There may be cases where you want to connect a Vald cluster to external componen To handle such cases, Vald allows you to set user custom network policies using the `defaults.networkPolicy.custom` field as follows: -``` +```yaml defaults: - networkPolicy: - enabled: true - custom: - ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: pyroscope - egress: - - to: - - podSelector: - matchLabels: - app.kubernetes.io/name: opentelemetry-collector-collector - + networkPolicy: + enabled: true + custom: + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: pyroscope + egress: + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: opentelemetry-collector-collector ``` Please write down the same notation as the `ingress/egress` field of [NetworkPolicy resource](https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource) in our `custom` field. From 8c49ac7bee74cbe50cc335d4bfbd3c3a80f753f6 Mon Sep 17 00:00:00 2001 From: "deepsource-autofix[bot]" <62050782+deepsource-autofix[bot]@users.noreply.github.com> Date: Wed, 28 Jun 2023 07:37:47 +0000 Subject: [PATCH 4/4] style: Format code with prettier and gofumpt --- docs/user-guides/network-policy.md | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/user-guides/network-policy.md b/docs/user-guides/network-policy.md index 4065da106e..b74c7695c7 100644 --- a/docs/user-guides/network-policy.md +++ b/docs/user-guides/network-policy.md @@ -10,8 +10,8 @@ To enable network policies in a Vald cluster, set `defaults.networkPolicy.enable ```yaml defaults: - networkPolicy: - enabled: true + networkPolicy: + enabled: true ``` This sets the following ingress/egress rules between Vald components (these are the minimum required rules for a Vald cluster to work). 
@@ -35,19 +35,19 @@ To handle such cases, Vald allows you to set user custom network policies using ```yaml defaults: - networkPolicy: - enabled: true - custom: - ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: pyroscope - egress: - - to: - - podSelector: - matchLabels: - app.kubernetes.io/name: opentelemetry-collector-collector + networkPolicy: + enabled: true + custom: + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: pyroscope + egress: + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: opentelemetry-collector-collector ``` Please write down the same notation as the `ingress/egress` field of [NetworkPolicy resource](https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource) in our `custom` field.
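Review bot: In the new docs/user-guides/network-policy.md (PATCH 1/4, hunk @@ -0,0 +1,56 @@), the `custom` example's `from` and `to` entries use a bare `podSelector`, which in a NetworkPolicy only matches pods in the policy's own namespace; if the OpenTelemetry collector or profiler runs in another namespace the rule matches nothing, so either pair each `podSelector` with a `namespaceSelector` or state that the example assumes the collector is deployed in the Vald namespace. Related: the closing note says custom rules are applied to all Vald components, so the ingress rule from `app.kubernetes.io/name: pyroscope` opens every component, not only the one being profiled; say that explicitly next to the example as a least-privilege caveat, and add the profiling case to the bullet list above it, which currently motivates only egress to the OpenTelemetry collector and to an external filter. Minor: the three `#` headings after the page title should be `##`, the ✅/⛔/N/A table needs a one-line legend saying rows are the source and columns the destination (and why every component is allowed to reach kube-system), and `Please write down the same notation as the ingress/egress field` reads better as `Use the same schema as the ingress and egress fields of the NetworkPolicy resource`.

Review bot: PATCH 3/4 ("replace tab with space") and PATCH 4/4 (prettier) each rewrite the same lines of both YAML blocks (hunks @@ -10,8 +10,8 @@ and @@ -35,19 +35,19 @@) with whitespace-only changes, and PATCH 2/4 is a whitespace-only rewrite of the table; squash the three follow-ups into the commit that adds the file so the history does not carry repeated reindentations of the same block. The change from ``` to ```yaml in PATCH 3's hunk @@ -33,22 +33,21 @@ is the one substantive fix among them and should be kept.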