Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add network policy document #2095

Merged
merged 5 commits into from
Jun 29, 2023
Merged

Add network policy document #2095

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7e51cd3
Add network policy document
ykadowak Jun 28, 2023
81e1865
style: Format code with prettier and gofumpt
deepsource-autofix[bot] Jun 28, 2023
f9fee75
replace tab with space
ykadowak Jun 28, 2023
8c49ac7
style: Format code with prettier and gofumpt
deepsource-autofix[bot] Jun 28, 2023
7a41b55
Merge branch 'main' into feature/docs/networkpolicy
kpango Jun 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions docs/user-guides/network-policy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# Network Policy

[Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) is a Kubernetes feature that controls ingress and egress network traffic for pods. In Vald, you can set network policies as follows.

> Please note that [prerequisites](https://kubernetes.io/docs/concepts/services-networking/network-policies/#prerequisites) are required for using network policies. Even if you configure the following settings in a cluster that does not meet the prerequisites, network policies will not be effective.

# Network Policy in Vald

To enable network policies in a Vald cluster, set `defaults.networkPolicy.enabled` to `true` as follows:

```yaml
defaults:
networkPolicy:
enabled: true
```

This sets the following ingress/egress rules between Vald components (these are the minimum required rules for a Vald cluster to work).

| from / to | agent | discoverer | filter gateway | lb gateway | index manager | kube-system |
| -------------- | ----- | ---------- | -------------- | ---------- | ------------- | ----------- |
| agent | N/A | ⛔ | ⛔ | ⛔ | ⛔ | ✅ |
| discoverer | ⛔ | N/A | ⛔ | ⛔ | ⛔ | ✅ |
| filter gateway | ⛔ | ⛔ | N/A | ✅ | ⛔ | ✅ |
| lb gateway | ✅ | ✅ | ⛔ | N/A | ⛔ | ✅ |
| index manager | ✅ | ✅ | ⛔ | ⛔ | N/A | ✅ |

# Add a user custom Network Policy

There may be cases where you want to connect a Vald cluster to external components. Specifically, for the following cases:

- Enable egress to `OpenTelemetryCollector` to use [observability features](https://vald.vdaas.org/docs/user-guides/observability-configuration/)
- Enable egress to an external filter component to use [filtering features](https://vald.vdaas.org/docs/user-guides/filtering-configuration/).

To handle such cases, Vald allows you to set user custom network policies using the `defaults.networkPolicy.custom` field as follows:

```yaml
defaults:
networkPolicy:
enabled: true
custom:
ingress:
- from:
- podSelector:
matchLabels:
app.kubernetes.io/name: pyroscope
egress:
- to:
- podSelector:
matchLabels:
app.kubernetes.io/name: opentelemetry-collector-collector
```

Please write down the same notation as the `ingress/egress` field of [NetworkPolicy resource](https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource) in our `custom` field.

> Currently, these custom network policies are applied to all Vald components.