Any existing pods/workloads created prior to sidecar injection being enabled must be RESTARTED in order for policies to take effect. When sidecar injection is disabled, pods/workloads must be RESTARTED for the sidecars to no longer run.
The Org Admin or Infra Admin role is required to create and use cluster-wide service mesh policies.
A cluster-wide policy is a bundle of service mesh rules that can be applied to one or more clusters via blueprints. It streamlines the application of a standard default posture by allowing the admin to apply a single policy that applies to pods in all namespaces of a cluster.
An example use case for a cluster-wide policy is securing inter-service communication. As a platform admin, you may want to enforce mTLS for all service-to-service communication for security or compliance purposes.
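Because a cluster-wide mTLS policy only governs traffic that passes through a sidecar, pods that were created before injection was enabled (see the restart note above) silently fall outside the policy. The following is an added example, not part of this page or the controller product, of a check that lists such pods; it assumes an Istio-style mesh where the injected sidecar container is named `istio-proxy` and namespaces opt in with the label `istio-injection=enabled`, and it reads the JSON that `kubectl get namespaces -o json` and `kubectl get pods -A -o json` produce (a constructed sample is embedded so it runs offline).

```python
"""Report pods in injection-enabled namespaces that still run without a sidecar."""
import json

SIDECAR_CONTAINER = "istio-proxy"    # assumption: Istio's injected sidecar container name
INJECTION_LABEL = "istio-injection"  # assumption: namespace opt-in label for injection

# Constructed sample data, shaped like `kubectl get namespaces -o json`
# and `kubectl get pods -A -o json`.
SAMPLE_NAMESPACES = json.dumps({"items": [
    {"metadata": {"name": "payments", "labels": {INJECTION_LABEL: "enabled"}}},
    {"metadata": {"name": "legacy", "labels": {}}},
]})
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "api-1", "namespace": "payments"},
     "spec": {"containers": [{"name": "api"}, {"name": SIDECAR_CONTAINER}]}},
    {"metadata": {"name": "worker-1", "namespace": "payments"},   # predates injection
     "spec": {"containers": [{"name": "worker"}]}},
    {"metadata": {"name": "batch-1", "namespace": "legacy"},      # not opted in: expected
     "spec": {"containers": [{"name": "batch"}]}},
]})


def has_sidecar(pod: dict) -> bool:
    """True if the pod spec already carries the injected sidecar container."""
    return any(c.get("name") == SIDECAR_CONTAINER for c in pod["spec"].get("containers", []))


def injected_namespaces(namespaces_json: str) -> set:
    """Namespaces whose pods are expected to receive a sidecar."""
    items = json.loads(namespaces_json)["items"]
    return {n["metadata"]["name"] for n in items
            if n["metadata"].get("labels", {}).get(INJECTION_LABEL) == "enabled"}


def pods_needing_restart(pods_json: str, namespaces_json: str) -> list:
    """Pods in an injection-enabled namespace whose spec lacks the sidecar.

    Mesh policies such as STRICT mTLS are not enforced on these pods' traffic
    until they are restarted and re-admitted with the sidecar."""
    wanted = injected_namespaces(namespaces_json)
    pods = json.loads(pods_json)["items"]
    return sorted(f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}'
                  for p in pods
                  if p["metadata"]["namespace"] in wanted and not has_sidecar(p))


if __name__ == "__main__":
    for ref in pods_needing_restart(SAMPLE_PODS, SAMPLE_NAMESPACES):
        print("needs restart:", ref)  # prints "needs restart: payments/worker-1"
```

Against a live cluster, feed the two `kubectl ... -o json` outputs into `pods_needing_restart` and roll the listed workloads.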
The typical workflow for using cluster-wide policies is the following:
Step 1: Create Cluster-Wide Policy Rules
Step 2: Create Cluster-Wide Policies
Step 3: Add the Cluster-Wide Policies to a Custom or Golden Blueprint
Managing Cluster-Wide Policies
Creating a Cluster-Wide Policy
In order to create a cluster-wide policy, you must add cluster-scoped service mesh rules to it.
- Log in to the controller and, under Service Mesh, go to the Policies screen. Select the Cluster tab and click New Policy.
- Give the policy a name and click Create.
- Provide a version name.
- Click Add Rules and add your cluster-scoped rules with the corresponding version.
- Click Save Changes.
Rules can be added to or removed from a policy using the same workflow. A new version needs to be created every time a policy is updated.
Using Cluster-Wide Policies
Cluster-Wide Policies are applied to clusters via blueprints. These policies can be added to either custom blueprints or golden blueprints. See the blueprint documentation to learn how to create a custom or golden blueprint.
Adding/Removing Cluster-Wide Policies To/From Blueprints
- Under Infrastructure, navigate to Blueprints.
- Navigate to the Service Mesh section and enable it.
- Click Add Policy and add the cluster-wide policies with the corresponding version.
- To delete a cluster-wide policy from the blueprint, click the delete icon next to the policy you want to remove.
- Click Save Changes.
When a custom blueprint inherits from a golden blueprint, the cluster-wide policies specified in the golden blueprint cannot be overridden or deleted. This ensures that an admin can specify key sets of policies that are always enforced for compliance and security.