Chapter 5. Exploring the current policies for a cluster

As a developer, you might want to check which policies are enforced for a particular site.

Procedure

  1. Log in to a namespace where an Application Interconnect site has been initialized.
  2. Check whether incoming links are permitted:

    $ kubectl exec deploy/skupper-service-controller -- get policies incominglink
    
    ALLOWED POLICY ENABLED ERROR                                                   ALLOWED BY
    false   true           Policy validation error: incoming links are not allowed

    In this example, incoming links are not allowed by policy.

  3. Explore other policies:

    $ kubectl exec deploy/skupper-service-controller -- get policies
    Validates existing policies
    
    Usage:
      get policies [command]
    
    Available Commands:
      expose       Validates if the given resource can be exposed
      incominglink Validates if incoming links can be created
      outgoinglink Validates if an outgoing link to the given hostname is allowed
      service      Validates if service can be created or imported

    As shown, there is a command to check each policy type. Specify what you want to do. For example, to check whether you can expose an nginx deployment:

    $ kubectl exec deploy/skupper-service-controller -- get policies expose deployment nginx
    ALLOWED POLICY ENABLED ERROR                                                       ALLOWED BY
    false   true           Policy validation error: deployment/nginx cannot be exposed

    If you allowed an nginx deployment as described in Section 4.4, “Implement a policy to allow specific resources”, the same command shows that the resource is allowed and displays the name of the policy CR that enabled it:

    $ kubectl exec deploy/skupper-service-controller -- get policies expose deployment nginx
    ALLOWED POLICY ENABLED ERROR                                                       ALLOWED BY
    true    true                                                                       allowedexposedresources
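
To use these checks in a script, for example as a gate before a deployment step, the table can be parsed by its header offsets. The following is an added example, not part of the product documentation; the function names, the `|`-separated output format and the sample rows are assumptions constructed from the tables shown above.

```shell
#!/bin/sh
# parse_policy_table: header + one row on stdin -> "allowed|enabled|error|allowed_by".
# Fields are sliced at the header's column offsets, because ERROR contains
# spaces and either ERROR or ALLOWED BY can be empty.
parse_policy_table() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*$/ { next }                        # skip blank lines
    !hdr {
        p = index($0, "POLICY ENABLED"); e = index($0, "ERROR")
        b = index($0, "ALLOWED BY")
        if (!p || !e || !b) exit                # not a policy table: do not guess
        hdr = 1; next
    }
    !row {
        printf "%s|%s|%s|%s\n", trim(substr($0, 1, p - 1)),
            trim(substr($0, p, e - p)), trim(substr($0, e, b - e)),
            trim(substr($0, b))
        row = 1
    }
    END { exit(row ? 0 : 2) }'
}

# policy_check: exit 0 = allowed, 1 = denied by policy, 2 = unparseable output.
policy_check() {
    parsed=$(parse_policy_table) || return 2
    IFS='|' read -r allowed enabled error allowed_by <<EOF
$parsed
EOF
    case $allowed in
        true)  echo "allowed (policy enabled: $enabled, allowed by: ${allowed_by:-n/a})" ;;
        false) echo "denied (policy enabled: $enabled): $error"; return 1 ;;
        *)     return 2 ;;
    esac
}

# Constructed sample output, modelled on the tables shown above.
FMT='%-7s %-14s %-60s %s\n'
sample_denied() {
    printf "$FMT" ALLOWED 'POLICY ENABLED' ERROR 'ALLOWED BY'
    printf "$FMT" false true 'Policy validation error: deployment/nginx cannot be exposed' ''
}
sample_allowed() {
    printf "$FMT" ALLOWED 'POLICY ENABLED' ERROR 'ALLOWED BY'
    printf "$FMT" true true '' allowedexposedresources
}
sample_denied  | policy_check || echo "exit status: $?"
sample_allowed | policy_check
```

Against a live site, pipe the command from step 3 into the function: `kubectl exec deploy/skupper-service-controller -- get policies expose deployment nginx | policy_check`. Exit status 2 means the output was not a policy table, which a pipeline should treat as a failure rather than as "allowed".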

Revised on 2022-06-24 16:33:30 UTC