Network Policy
This tutorial will guide you through defining network policies that apply to workloads in multiple clusters of a Cluster Mesh.
Prerequisites
You need to have a functioning Cluster Mesh setup, please follow the guide Setting up Cluster Mesh to set it up.
Security Policies
Because addressing and network security are decoupled in Cilium, policy enforcement automatically spans clusters: an endpoint's security identity is derived from its labels, not its IP address, so a policy selecting a set of labels matches those endpoints in every cluster of the mesh. Note, however, that policy objects themselves are not distributed across clusters. It is your responsibility to apply the relevant CiliumNetworkPolicy or NetworkPolicy resources in every cluster where they are required, in particular on both the sending and the receiving side of a cross-cluster connection.
Allowing Specific Communication Between Clusters
The following policy illustrates how to allow particular pods to communicate between two clusters. Each endpoint carries the label io.cilium.k8s.policy.cluster, whose value is the cluster name given via the --cluster-name agent option or the cluster-name ConfigMap option. Including this label in a selector restricts the match to endpoints in that cluster; without it, a selector on name: rebel-base would match rebel-base pods in every cluster of the mesh.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "allow-cross-cluster"
spec:
  description: "Allow x-wing in cluster1 to contact rebel-base in cluster2"
  endpointSelector:
    matchLabels:
      name: x-wing
      io.cilium.k8s.policy.cluster: cluster1
  egress:
  - toEndpoints:
    - matchLabels:
        name: rebel-base
        io.cilium.k8s.policy.cluster: cluster2
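The policy above only covers the sending side. Since policies are not distributed between clusters, the receiving side needs its own policy in cluster2, otherwise any endpoint in the mesh can still reach rebel-base once some other policy selects it. The following pair of manifests is an added example, not taken from the Cilium documentation: the first is applied in cluster1, the second in cluster2, and together they restrict the traffic to TCP port 80 in both directions. The cluster names, the pod labels and the port are assumptions for illustration; both policies use the default namespace scoping of toEndpoints and fromEndpoints, so they assume x-wing and rebel-base live in the same namespace as the policy objects.

```yaml
# Applied in cluster1 (e.g. kubectl --context <cluster1-context> apply -f ...).
# Selects x-wing in cluster1 and allows egress only to rebel-base in cluster2,
# and only on TCP/80. Because this policy has an egress section, all other
# egress from x-wing in cluster1 is denied (Cilium default-deny once selected).
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "x-wing-to-rebel-base-egress"
spec:
  description: "x-wing in cluster1 may contact rebel-base in cluster2 on TCP/80"
  endpointSelector:
    matchLabels:
      name: x-wing
      io.cilium.k8s.policy.cluster: cluster1
  egress:
  - toEndpoints:
    - matchLabels:
        name: rebel-base
        io.cilium.k8s.policy.cluster: cluster2   # pin to cluster2 only
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
---
# Applied in cluster2 (e.g. kubectl --context <cluster2-context> apply -f ...).
# Selects rebel-base in cluster2 and allows ingress only from x-wing in cluster1
# on TCP/80. Any other ingress to rebel-base in cluster2 is denied, including
# from x-wing pods running in cluster2 itself, because the cluster label is
# part of the fromEndpoints selector.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rebel-base-from-x-wing-ingress"
spec:
  description: "rebel-base in cluster2 accepts TCP/80 only from x-wing in cluster1"
  endpointSelector:
    matchLabels:
      name: rebel-base
      io.cilium.k8s.policy.cluster: cluster2
  ingress:
  - fromEndpoints:
    - matchLabels:
        name: x-wing
        io.cilium.k8s.policy.cluster: cluster1   # pin to cluster1 only
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
```

Each manifest is applied with kubectl against the kube context of the cluster it belongs to. To verify the result, run the same connectivity test from x-wing in cluster1 (expected to succeed), from an x-wing pod in cluster2 (expected to be dropped by the ingress policy), and on a port other than 80 (expected to be dropped by both policies); cilium monitor --type drop on the relevant nodes shows the policy verdicts for the dropped flows.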