Chapter 4. Creating policies for the policy system
Policies allow a cluster administrator to control communication across the service network from a cluster.
Prerequisites
- Access to a cluster using a cluster-admin account.
- The policy system CRD is installed on the cluster.
Typically, you create a policy CR that combines many elements from the steps below. See Chapter 1, About the policy system for an example CR.
4.1. Implement a policy to allow incoming links
Use allowIncomingLinks to allow developers to create tokens and configure incoming links.
Procedure
- Determine which namespaces you want to apply this policy to.
- Create a CR with allowIncomingLinks set to true or false.
- Create and apply the CR.
For example, the following CR allows incoming links for all namespaces:
apiVersion: skupper.io/v1alpha1
kind: SkupperClusterPolicy
metadata:
  name: allowincominglinks
spec:
  namespaces:
    - "*"
  allowIncomingLinks: true
4.2. Implement a policy to allow outgoing links to specific hosts
Use allowedOutgoingLinksHostnames to specify the hosts that developers can create links to. You cannot create an allowedOutgoingLinksHostnames policy to disallow a specific host that was previously allowed.
Procedure
- Determine which namespaces you want to apply this policy to.
- Create a CR with allowedOutgoingLinksHostnames set to a pattern of allowed hosts.
- Create and apply the CR.
For example, the following CR allows links to all subdomains of example.com for all namespaces:
apiVersion: skupper.io/v1alpha1
kind: SkupperClusterPolicy
metadata:
  name: allowedoutgoinglinkshostnames
spec:
  namespaces:
    - "*"
  allowedOutgoingLinksHostnames: ['.*\.example\.com']
4.3. Implement a policy to allow specific services
Use allowedServices to specify which services a developer can create or use on the service network. You cannot create an allowedServices policy to disallow a specific service that was previously allowed.
Procedure
- Determine which namespaces you want to apply this policy to.
- Create a CR with allowedServices set to the services allowed on the service network.
- Create and apply the CR.
For example, the following CR allows users to expose and consume services with the prefix backend- for all namespaces:
apiVersion: skupper.io/v1alpha1
kind: SkupperClusterPolicy
metadata:
  name: allowedservices
spec:
  namespaces:
    - "*"
  allowedServices: ['^backend-']
When exposing services, you can use the --address <name> parameter of the skupper CLI to name services to match your policy.
4.4. Implement a policy to allow specific resources
Use allowedExposedResources to specify which resources a developer can expose on the service network. You cannot create an allowedExposedResources policy to disallow a specific resource that was previously allowed.
Procedure
- Determine which namespaces you want to apply this policy to.
- Create a CR with allowedExposedResources set to the resources that a developer can expose on the service network.
- Create and apply the CR.
For example, the following CR allows you to expose an nginx deployment for all namespaces:
apiVersion: skupper.io/v1alpha1
kind: SkupperClusterPolicy
metadata:
  name: allowedexposedresources
spec:
  namespaces:
    - "*"
  allowedExposedResources: ['deployment/nginx']
For allowedExposedResources, each entry must conform to the type/name syntax.
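The following script is an added example, not part of this chapter or of the Skupper project, that models how the CRs from sections 4.1 to 4.4 combine: it selects the CRs that apply to a namespace, treats the hostname and service entries as unanchored regular expressions (an assumption about the controller's matching), compares type/name resource entries exactly (also an assumption), and shows that policies are additive, so a narrower CR never revokes an allow granted elsewhere. Run it before applying CRs to confirm a pattern grants exactly what you intend.

```python
import re

# Constructed policy CRs mirroring this chapter's YAML, written as Python dicts so the
# script runs without a YAML parser. The allowedServices CR is scoped to one namespace
# here (the page's version uses "*") to show namespace selection.
POLICIES = [
    {"metadata": {"name": "allowincominglinks"},
     "spec": {"namespaces": ["*"], "allowIncomingLinks": True}},
    {"metadata": {"name": "allowedoutgoinglinkshostnames"},
     "spec": {"namespaces": ["*"], "allowedOutgoingLinksHostnames": [r".*\.example\.com"]}},
    {"metadata": {"name": "allowedservices"},
     "spec": {"namespaces": ["team-a"], "allowedServices": ["^backend-"]}},
    {"metadata": {"name": "allowedexposedresources"},
     "spec": {"namespaces": ["*"], "allowedExposedResources": ["deployment/nginx"]}},
]

def policies_for(namespace, policies):
    """CRs that apply to a namespace: a namespaces entry of "*" or the exact name
    (assumption: exact comparison; the real controller may accept patterns here too)."""
    return [p for p in policies
            if any(ns in ("*", namespace) for ns in p["spec"].get("namespaces", []))]

def pattern_allowed(namespace, field, value, policies):
    """Union semantics: one applicable CR with a matching pattern is enough, and no CR
    can subtract an allow granted by another. Patterns are evaluated as unanchored
    regular expressions (assumption: Go MatchString semantics), so a pattern without
    ^ and $ also matches longer strings that merely contain it."""
    return any(re.search(pattern, value)
               for p in policies_for(namespace, policies)
               for pattern in p["spec"].get(field, []))

def resource_allowed(namespace, resource, policies):
    """allowedExposedResources entries use type/name syntax and are compared exactly
    (assumption: no regex), with "*" accepted as a wildcard entry."""
    return any(entry in ("*", resource)
               for p in policies_for(namespace, policies)
               for entry in p["spec"].get("allowedExposedResources", []))

def incoming_links_allowed(namespace, policies):
    return any(p["spec"].get("allowIncomingLinks", False)
               for p in policies_for(namespace, policies))

if __name__ == "__main__":
    for ns in ("team-a", "team-b"):
        print(ns, "incoming:", incoming_links_allowed(ns, POLICIES),
              "backend-db:", pattern_allowed(ns, "allowedServices", "backend-db", POLICIES),
              "api.example.com:", pattern_allowed(ns, "allowedOutgoingLinksHostnames", "api.example.com", POLICIES))
```

Because patterns are unanchored, a hostname entry such as `.*\.example\.com` also admits hosts that merely contain that suffix somewhere; end the pattern with `$` when you mean exactly the subdomains of example.com.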