Network Policy

This tutorial will guide you how to define NetworkPolicies affecting multiple clusters.

Prerequisites

You need to have a functioning Cluster Mesh setup, please follow the guide Setting up Cluster Mesh to set it up.

Security Policies

As addressing and network security are decoupled, network security enforcement automatically spans across clusters. Note that Kubernetes security policies are not automatically distributed across clusters, it is your responsibility to apply CiliumNetworkPolicy or NetworkPolicy in all clusters.

Allowing Specific Communication Between Clusters

The following policy illustrates how to allow particular pods to communicate between two clusters. The cluster name refers to the name given via the --cluster-name agent option or cluster-name ConfigMap option.

  1. apiVersion: "cilium.io/v2"
  2. kind: CiliumNetworkPolicy
  3. metadata:
  4.   name: "allow-cross-cluster"
  5. spec:
  6.   description: "Allow x-wing in cluster1 to contact rebel-base in cluster2"
  7.   endpointSelector:
  8.     matchLabels:
  9.       name: x-wing
  10.       io.cilium.k8s.policy.cluster: cluster1
  11.   egress:
  12.   - toEndpoints:
  13.     - matchLabels:
  14.         name: rebel-base
  15.         io.cilium.k8s.policy.cluster: cluster2

Limitations

  • L7 security policies currently only work across multiple clusters if worker nodes have routes installed allowing to route pod IPs of all clusters. This is obtained when running in direct routing mode by running a routing daemon or --auto-direct-node-routes but won’t work automatically when using tunnel/encapsulation mode.