Cluster-Wide Network Policies
Org Admin or Infra Admin role is required to create and use cluster-wide network policies
A cluster-wide policy is a bundle of network security rules that can be applied to one or more clusters via blueprints. It streamlines the rollout of a standard default posture: the admin applies a single policy that covers pods in all namespaces, regardless of the policies that exist in individual namespaces.
As an admin, you would want to use cluster-wide policies for the following use cases:
- Establish zero-trust defaults: you may want your pods and namespaces to have a default security posture from the moment they are created, for example denying all internet traffic
- Allow requests to a baseline set of destinations: rather than creating a policy per namespace (for example to allow ingress from all pods to core-dns), create one cluster-wide policy that applies to all pods and namespaces in the cluster
- Reduce the management overhead of network policies in high-scale environments: because cluster-wide policies are applied through blueprints, you can create one policy and apply it to a fleet of clusters rather than creating a policy per cluster
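The first two use cases above, expressed as a single Cilium cluster-wide policy object. This is an added example, not a rule from this page or the product's own rule format; it assumes that the cluster-scoped rules you add through the controller are ultimately rendered as `CiliumClusterwideNetworkPolicy` objects, and that the cluster's DNS service carries the standard `k8s-app: kube-dns` label in `kube-system`.

```yaml
# Added example (not from the page): one Cilium cluster-wide policy that
# (1) puts every pod into default-deny for egress except in-cluster traffic,
#     so egress to the internet (Cilium's "world" entity) is dropped, and
# (2) allows DNS to kube-dns from all namespaces as a baseline destination.
# Assumptions: the controller renders cluster-scoped rules as objects of this
# kind, and kube-dns carries the standard "k8s-app: kube-dns" label.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: zero-trust-egress-baseline
spec:
  # Empty selector: the policy applies to all endpoints in all namespaces.
  endpointSelector: {}
  egress:
    # Use case 1: only in-cluster destinations are allowed. Because this
    # policy has an egress section, any egress not listed here (including
    # "world") is denied for every selected pod. Ingress is not affected.
    - toEntities:
        - cluster
    # Use case 2: an explicit DNS allow to kube-dns, with the DNS proxy
    # enabled so resolved names are visible in Hubble and can later back
    # toFQDNs rules. kube-dns is already inside "cluster"; the L7 rule is
    # what makes this entry worth stating separately.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
```

Applied cluster-wide, this drops egress to anything outside the cluster, including external services a workload may legitimately depend on, so verify the effect on one cluster (for example with `kubectl get ccnp` and Hubble drop events) before attaching it to a blueprint that covers a fleet.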
Managing Cluster-Wide Policies
Creating a Cluster-Wide Policy
To create a cluster-wide policy, you must add cluster-scoped network policy rules to it. Refer here for instructions on creating Network Policy rules.
- Log in to the controller and, under Network Policy, go to the Policies screen. Select the Cluster tab and click New Policy
- Give a name for the policy and click Create
- Provide a version name
- Click Add Rules and add your cluster-scoped rules with the corresponding version
- Click Save Changes
Rules can be added to or removed from a policy using the same workflow. A new version needs to be created every time a policy is updated.
Using Cluster-Wide Policies
Cluster-wide policies are applied to clusters via blueprints.
Adding/Removing Cluster-Wide Policies To/From Blueprints
- Under Infrastructure, navigate to Blueprints.
- Navigate to the Network Visibility and Policy section and enable it
- Click Add Policy and add the cluster-wide policies with the corresponding version
- To remove a cluster-wide policy from the blueprint, click the delete icon next to the policy you want to remove.
- Click Save Changes
If pods in your cluster already existed before Cilium and the network policy management service were enabled in the blueprint, you must RESTART those pods for the policies to take effect.