How do managed network policies work?
Managing network policies is complex and requires a consistent strategy to maintain control over network traffic within your clusters. The managed network policies feature in mogenius provides a ready-to-use, opinionated concept to address this challenge. The approach is based on the following main ideas:
- Default Namespace Policies: Before any specific network policies are configured, a namespace receives two default policies. The first is a deny-all-ingress policy that blocks all incoming traffic to pods in the namespace. The second is an allow-namespace-communication policy that allows communication between pods within the namespace.
- Granular Whitelisting: With this baseline in place, policies are created per deployment (or, more generally, per controller) to define the specific communication that should be allowed.
- Templates and Labels: All cluster-wide policies are stored as templates in a global ConfigMap. A policy is applied to a controller by setting a label on the deployment.
Prerequisites
To enforce network policies, your cluster needs a Container Network Interface (CNI) plugin that implements the Kubernetes NetworkPolicy API. Without one, NetworkPolicy objects are still accepted by the API server but have no effect on traffic. Calico and Cilium are popular choices, and most managed Kubernetes offerings (Amazon EKS, Azure AKS, Google Cloud GKE) provide options to enable network policy support during cluster creation. If you are unsure whether the CNI on your cluster enforces network policies, or you encounter setup issues, feel free to contact our support.
Enabling Network Policy Management
To enable network policy management:
- Navigate to your cluster in mogenius and open the Network Policies tab.
- A button is available for each namespace to enable network policy management. The interface also indicates whether unmanaged network policies (i.e., those not created through mogenius) are active in the namespace.
- After enabling the feature, the deny-all-ingress and allow-namespace-communication policies are automatically added to the namespace.
When enabling network policy management, all previously created network policies in the namespace will be deleted. This ensures consistency and predictable results for policies created using mogenius. Be sure to back up any existing policies before proceeding.
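To make the two default policies and the granular whitelisting concrete, here are plain Kubernetes NetworkPolicy manifests with the same semantics as deny-all-ingress and allow-namespace-communication, followed by one per-controller whitelist. This is an added illustration, not the manifests mogenius generates or stores in its template ConfigMap; the namespace name `shop`, the labels `app=checkout` and `app.kubernetes.io/name=ingress-nginx`, the `ingress-nginx` namespace and port 8080 are assumed for the example.

```yaml
# Added illustration: standard Kubernetes NetworkPolicy manifests, not
# mogenius-generated. Namespace "shop", the labels and the port are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: shop
spec:
  podSelector: {}          # selects every pod in the namespace
  policyTypes:
    - Ingress              # no ingress rules listed -> all ingress denied
                           # egress is NOT restricted by this policy
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-namespace-communication
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}  # any pod in the same namespace (no namespaceSelector)
---
# Granular whitelist for a single controller: only the ingress controller pods
# in the "ingress-nginx" namespace may reach the checkout pods, on TCP/8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: checkout-allow-ingress-controller
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: checkout
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector in ONE list item are ANDed;
        # as two separate items they would be ORed and far more permissive.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
```

Network policies are additive: once any policy selecting a pod allows a connection, deny-all-ingress no longer blocks it, so the whitelist above is what opens the checkout pods to traffic from outside the namespace. Note that both defaults only carry `policyTypes: [Ingress]`; egress from the namespace stays unrestricted unless a policy with `Egress` in its `policyTypes` is added. Before enabling management, `kubectl get networkpolicy -n <namespace> -o yaml > netpol-backup.yaml` saves the existing policies that will be deleted, and afterwards `kubectl get networkpolicy -n <namespace>` should list the two defaults. The `kubernetes.io/metadata.name` label is set automatically on every namespace by Kubernetes 1.21 and later.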
Deploying a Network Policy from the Network Policies Page
Once network policy management is enabled, the interface displays all controllers within the namespace. To deploy a network policy for a controller:
- Click +Add next to the controller.
- Select the desired policy template from the list.
- Confirm your choice.
Deploying a Network Policy from Inside a Workspace
After enabling network policy management for a namespace, developers can also use it within their mogenius projects, which lets them apply network policy templates securely and independently. To deploy a network policy for a resource inside a workspace:
- Open the resource page.
- Open Settings.
- Navigate to the Network Policies tab.
- Select and apply policies from the available list of templates.
Managing Network Policy Templates
When a network policy is applied to a controller, the template is taken from a global ConfigMap that stores all available policies as templates.
- Upon first connecting your cluster to mogenius, a default set of templates is created.
- You can use the mogenius UI to add custom templates, update existing ones, or delete outdated templates:
- Go to Network Policies in your cluster settings.
- Click Manage Policies in the top-right corner of the page.