Chapter 5. Exploring the current policies for a cluster
As a developer, you might want to check which policies are enforced for a particular site.
Procedure
- Log in to a namespace where an Application Interconnect site has been initialized.
- Check whether incoming links are permitted:
$ kubectl exec deploy/skupper-service-controller -- get policies incominglink
ALLOWED POLICY ENABLED ERROR                                                   ALLOWED BY
false   true           Policy validation error: incoming links are not allowed
In this example incoming links are not allowed by policy.
- Explore other policies:
$ kubectl exec deploy/skupper-service-controller -- get policies
Validates existing policies

Usage:
  get policies [command]

Available Commands:
  expose       Validates if the given resource can be exposed
  incominglink Validates if incoming links can be created
  outgoinglink Validates if an outgoing link to the given hostname is allowed
  service      Validates if service can be created or imported
As shown, there is a command to check each policy type by specifying what you want to do. For example, to check whether you can expose an nginx deployment:
$ kubectl exec deploy/skupper-service-controller -- get policies expose deployment nginx
ALLOWED POLICY ENABLED ERROR                                                       ALLOWED BY
false   true           Policy validation error: deployment/nginx cannot be exposed
If you allowed an nginx deployment as described in Section 4.4, “Implement a policy to allow specific resources”, the same command shows that the resource is allowed and displays the name of the policy CR that enabled it:
$ kubectl exec deploy/skupper-service-controller -- get policies expose deployment nginx
ALLOWED POLICY ENABLED ERROR ALLOWED BY
true    true                 allowedexposedresources
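To use these checks in a script, for example as a gate before exposing a resource, the table has to be turned into an exit status. The following is an added example, not part of the product documentation: the function names parse_policy_check and check_policy are hypothetical, and the parser assumes the two-line table layout shown above, where only one of ERROR or ALLOWED BY is filled in.

```shell
#!/bin/sh
# Added example (not from the product documentation).
# parse_policy_check reads the table printed by "get policies <check>" on stdin.
# Assumption: a header line starting with ALLOWED, then one row whose first two
# fields are ALLOWED and POLICY ENABLED; the rest of the row is the ERROR text
# when denied, or the ALLOWED BY policy CR name when allowed.
# Exit status: 0 allowed, 1 denied, 2 output missing or not in that shape.
parse_policy_check() {
    awk '
        NF == 0 { next }                      # skip blank lines
        !hdr {
            if ($1 != "ALLOWED") { rc = 2; exit }
            hdr = 1
            next
        }
        {
            if (NF < 2) { rc = 2; exit }      # row too short to trust
            rest = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", rest)   # drop first two fields
            sub(/[ \t]+$/, "", rest)
            if ($1 == "true")       { printf "allowed policy_enabled=%s by=%s\n", $2, rest; rc = 0 }
            else if ($1 == "false") { printf "denied policy_enabled=%s error=%s\n", $2, rest; rc = 1 }
            else                    { rc = 2 }
            seen = 1
            exit
        }
        END { if (!seen && rc == 0) rc = 2; exit rc }
    '
}

# Hypothetical wrapper around the command from this chapter, for example:
#   check_policy expose deployment nginx
# A failed kubectl call produces no table, so the result is status 2, not "allowed".
check_policy() {
    kubectl exec deploy/skupper-service-controller -- get policies "$@" | parse_policy_check
}

# Constructed sample output, so the parser can be tried without a cluster.
sample='ALLOWED POLICY ENABLED ERROR ALLOWED BY
true    true                 allowedexposedresources'
printf '%s\n' "$sample" | parse_policy_check || echo "check failed with status $?"
```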
Revised on 2022-06-24 16:33:30 UTC