Chapter 1. About the policy system
After a cluster administrator installs the policy system using a Custom Resource Definition (CRD), the cluster administrator needs to configure one or more policies to allow developers to create and use services on the service network.
In this guide, the term developers refers to users of a cluster who have access to a namespace but do not have administrator privileges.
A cluster administrator configures one or more of the following items using custom resources (CRs) to enable communication:
- Allow incoming links: Use allowIncomingLinks to enable developers to create tokens and configure incoming links.
- Allow outgoing links to specific hosts: Use allowedOutgoingLinksHostnames to specify the hosts that developers can create links to.
- Allow services: Use allowedServices to specify which services developers can create or use on the service network.
- Allow resources to be exposed: Use allowedExposedResources to specify which resources a developer can expose on the service network.
A cluster administrator can apply each policy CR setting to one or more namespaces.
For example, the following policy CR fully allows all Application Interconnect capabilities on all namespaces, except that it:
- only allows outgoing links to any domain ending in .example.com.
- only allows 'deployment/nginx' resources to be exposed on the service network.
apiVersion: skupper.io/v1alpha1
kind: SkupperClusterPolicy
metadata:
  name: cluster-policy-sample-01
spec:
  namespaces:
    - "*"
  allowIncomingLinks: true
  allowedExposedResources:
    - "deployment/nginx"
  allowedOutgoingLinksHostnames: [".*\\.example.com$"]
  allowedServices:
    - "*"
You can apply many policy CRs, and if there are conflicts in the items allowed, the most permissive policy is applied. For example, if you apply an additional policy CR with the line allowedOutgoingLinksHostnames: [], which does not list any hostnames, outgoing links to *.example.com are still permitted because that is permitted in the original CR.
- namespaces: One or more patterns that specify the namespaces this policy applies to. Note that you can use label selectors to match the namespaces.
- allowIncomingLinks: Specify true to allow other sites to create links to the specified namespaces.
- allowedOutgoingLinksHostnames: Specify one or more patterns to determine which hosts you can create links to from the specified namespaces.
- allowedServices: Specify one or more patterns to determine the permitted names of services allowed on the service network from the specified namespaces.
- allowedExposedResources: Specify one or more permitted names of resources allowed on the service network from the specified namespaces. Note that patterns are not supported.
Use regular expressions to create pattern matches, for example:
- .*\\.com$ matches any string ending in .com. A double backslash is required to avoid issues in YAML.
- ^abc$ matches the string abc.
If you create another CR that allows outgoing links for a specific namespace, a user can create a link from that namespace to join a service network. That is, the logic for multiple policy CRs is OR. An operation is permitted if any single policy CR permits the operation.
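The merge rule described above (OR across policy CRs, regex patterns for hostnames and services, exact names only for exposed resources) can be checked against the sample CR with the following added example. It is not Skupper's own policy code; it models the sample CR and a second, empty CR as plain dictionaries, assumes regex search semantics for patterns, and models namespaces by name pattern only (label selectors are not handled).

```python
import re

# Constructed policies mirroring the page's sample CR plus a second CR that
# allows nothing. Note: the YAML ".*\\.example.com$" becomes the regex
# .*\.example.com$ once parsed, hence the raw string below.
POLICIES = [
    {   # cluster-policy-sample-01 from the page
        "namespaces": ["*"],
        "allowIncomingLinks": True,
        "allowedExposedResources": ["deployment/nginx"],
        "allowedOutgoingLinksHostnames": [r".*\.example.com$"],
        "allowedServices": ["*"],
    },
    {   # an additional CR with allowedOutgoingLinksHostnames: []
        "namespaces": ["*"],
        "allowIncomingLinks": False,
        "allowedExposedResources": [],
        "allowedOutgoingLinksHostnames": [],
        "allowedServices": [],
    },
]

def _matches(patterns, value, exact=False):
    """Pattern fields: '*' matches anything, otherwise regex search (assumption).
    Exact fields (allowedExposedResources): plain string equality only."""
    for pattern in patterns:
        if exact:
            if pattern == value:
                return True
        elif pattern == "*" or re.search(pattern, value):
            return True
    return False

def _applies(policy, namespace):
    # Assumption: namespaces are matched by name pattern; label selectors are not modelled.
    return _matches(policy.get("namespaces", []), namespace)

def permitted(policies, namespace, field, value=None):
    """OR semantics: the operation is allowed if any single applicable CR allows it."""
    for policy in policies:
        if not _applies(policy, namespace):
            continue
        if field == "allowIncomingLinks":
            if policy.get(field, False):
                return True
        elif _matches(policy.get(field, []), value, exact=(field == "allowedExposedResources")):
            return True
    return False
```

With both CRs applied, a link to api.example.com is still allowed because the first CR permits it, while the second CR alone permits nothing.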