Chapter 4. Creating policies for the policy system

Policies allow a cluster administrator to control communication across the service network from a cluster.

Prerequisites

  • Access to a cluster using a cluster-admin account.
  • The policy system CRD is installed on the cluster.

Procedure

Typically, you create a single policy CR that combines elements from several of the procedures below. See Chapter 1, About the policy system for an example CR.

4.2. Implement a policy to allow outgoing links to specific hosts

Use allowedOutgoingLinksHostnames to specify the hosts that developers can create links to. Policies are allow lists only: you cannot create an allowedOutgoingLinksHostnames policy to disallow a specific host that another policy already allows.

  1. Determine which namespaces you want to apply this policy to.
  2. Create a CR with allowedOutgoingLinksHostnames set to a pattern of allowed hosts.
  3. Create and apply the CR.

For example, the following CR allows links to all subdomains of example.com for all namespaces:

apiVersion: skupper.io/v1alpha1
kind: SkupperClusterPolicy
metadata:
  name: allowedoutgoinglinkshostnames
spec:
  namespaces:
    - "*"
  allowedOutgoingLinksHostnames: ['.*\\.example\\.com']

4.3. Implement a policy to allow specific services

Use allowedServices to specify which services a developer can create or use on the service network. Policies are allow lists only: you cannot create an allowedServices policy to disallow a specific service that another policy already allows.

Procedure

  1. Determine which namespaces you want to apply this policy to.
  2. Create a CR with allowedServices set to specify the services allowed on the service network.
  3. Create and apply the CR.

For example, the following CR allows users to expose and consume services with the prefix backend- for all namespaces:

apiVersion: skupper.io/v1alpha1
kind: SkupperClusterPolicy
metadata:
  name: allowedservices
spec:
  namespaces:
    - "*"
  allowedServices: ['^backend-']

Note

When exposing services, you can use the --address <name> parameter of the skupper CLI to name services to match your policy.

4.4. Implement a policy to allow specific resources

Use allowedExposedResources to specify which resources a developer can expose on the service network. Policies are allow lists only: you cannot create an allowedExposedResources policy to disallow a specific resource that another policy already allows.

Procedure

  1. Determine which namespaces you want to apply this policy to.
  2. Create a CR with allowedExposedResources set to specify resources that a developer can expose on the service network.
  3. Create and apply the CR.

For example, the following CR allows you to expose an nginx deployment for all namespaces:

apiVersion: skupper.io/v1alpha1
kind: SkupperClusterPolicy
metadata:
  name: allowedexposedresources
spec:
  namespaces:
    - "*"
  allowedExposedResources: ['deployment/nginx']

Note

For allowedExposedResources, each entry must conform to the type/name syntax.
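The three procedures above (sections 4.2, 4.3 and 4.4) all describe the same evaluation model: a request is permitted if any policy that selects the requesting namespace carries a matching entry, and no policy can take a permission away. The following Python script is an added example, not part of this documentation or of the Skupper project, that models that evaluation over constructed policy specs mirroring the CRs on this page. Its assumptions are: hostname and service entries are regular expressions tested with an unanchored search; namespace selectors are either "*" (every namespace) or an exact namespace name; allowedExposedResources entries are exact type/name strings or "*". The policy named team-a-extra, the namespaces dev and team-a, and all hostnames and service names below are constructed for the example.

```python
import re

# Constructed policy specs mirroring the CRs on this page (spec fields only),
# plus one narrower constructed policy (team-a-extra) to show that policies
# only ever add permissions: a namespace is governed by the union of every
# policy that selects it.
POLICIES = [
    {"name": "allowedoutgoinglinkshostnames", "namespaces": ["*"],
     "allowedOutgoingLinksHostnames": [r".*\.example\.com"]},
    {"name": "allowedservices", "namespaces": ["*"],
     "allowedServices": ["^backend-"]},
    {"name": "allowedexposedresources", "namespaces": ["*"],
     "allowedExposedResources": ["deployment/nginx"]},
    {"name": "team-a-extra", "namespaces": ["team-a"],   # constructed
     "allowedServices": ["^frontend-"]},
]

# Assumption: "*" selects every namespace; any other entry is an exact name.
def namespace_selected(policy, namespace):
    return any(sel == "*" or sel == namespace for sel in policy.get("namespaces", []))

def validate_patterns(policies):
    """Reject a policy set containing an invalid regex, naming the offending policy.
    Returns the list of error strings (empty when every pattern compiles)."""
    errors = []
    for p in policies:
        for field in ("allowedOutgoingLinksHostnames", "allowedServices"):
            for pattern in p.get(field, []):
                try:
                    re.compile(pattern)
                except re.error as exc:
                    errors.append(f"{p['name']}.{field}: {pattern!r}: {exc}")
    return errors

def _regex_allowed(policies, namespace, field, value):
    # Union semantics: the first matching entry in any selecting policy wins;
    # there is no entry type that can deny, so order does not matter.
    for p in policies:
        if not namespace_selected(p, namespace):
            continue
        for pattern in p.get(field, []):
            # Assumption: unanchored search, so a pattern without "$" also
            # matches longer hostnames. Anchor patterns (^...$) when you want
            # an exact match rather than relying on the evaluator.
            if re.search(pattern, value):
                return True
    return False

def link_allowed(policies, namespace, hostname):
    """Section 4.2: may a developer in `namespace` create a link to `hostname`?"""
    return _regex_allowed(policies, namespace, "allowedOutgoingLinksHostnames", hostname)

def service_allowed(policies, namespace, service):
    """Section 4.3: may a developer in `namespace` expose or consume `service`?"""
    return _regex_allowed(policies, namespace, "allowedServices", service)

# Section 4.4 note: each allowedExposedResources entry must use type/name syntax.
# Assumption: a lower-case resource type, a slash, and a DNS-label style name.
RESOURCE_ENTRY = re.compile(r"^[a-z]+/[a-z0-9]([-a-z0-9]*[a-z0-9])?$")

def validate_resource_entry(entry):
    """Return None when `entry` is well formed, otherwise a description of the problem."""
    if entry == "*":
        return None
    if "/" not in entry:
        return f"{entry!r} lacks the type/name separator"
    if not RESOURCE_ENTRY.match(entry):
        return f"{entry!r} is not in type/name syntax"
    return None

def resource_allowed(policies, namespace, resource):
    """Section 4.4: may a developer in `namespace` expose `resource` (type/name)?"""
    for p in policies:
        if not namespace_selected(p, namespace):
            continue
        for entry in p.get("allowedExposedResources", []):
            if validate_resource_entry(entry) is None and entry in ("*", resource):
                return True
    return False

if __name__ == "__main__":
    print("pattern errors:", validate_patterns(POLICIES))
    for ns, host in [("dev", "api.example.com"), ("dev", "api.example.org")]:
        print(f"link {ns} -> {host}: {link_allowed(POLICIES, ns, host)}")
    for ns, svc in [("dev", "backend-db"), ("dev", "frontend-web"), ("team-a", "frontend-web")]:
        print(f"service {ns} {svc}: {service_allowed(POLICIES, ns, svc)}")
    for ns, res in [("dev", "deployment/nginx"), ("dev", "deployment/httpd")]:
        print(f"resource {ns} {res}: {resource_allowed(POLICIES, ns, res)}")
```

The team-a-extra policy illustrates the point each section makes: team-a gains frontend- services on top of the cluster-wide backend- allowance, while dev, which team-a-extra does not select, keeps only backend-. Nothing in the set can revoke the cluster-wide entries for team-a; to narrow what a namespace may do, remove or tighten the entry that grants it rather than adding another policy.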