The integrated network policy manager allows you to create and manage network policies on your cluster. With a built-in strategy for implementing network policies provided by mogenius, you can easily get started while enabling developers to leverage these capabilities in their services.
Managing network policies is complex and requires a consistent strategy to maintain control over network traffic within your clusters. The managed network policies feature in mogenius provides a ready-to-use, opinionated concept to address this challenge. The approach is based on two main ideas. The first is a deny-all-ingress policy that blocks all incoming traffic to the namespace. The second is an allow-namespace-communication policy that allows communication between pods within the namespace.

This framework aims to streamline policy management on your cluster, providing high visibility over the policies applied to each namespace and controller.
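The two baseline policies described above, written out as plain Kubernetes NetworkPolicy manifests. This is an added illustration for this page, not the templates mogenius installs; the namespace name team-a is assumed.

```yaml
# Added example: the "deny all ingress, then allow pod-to-pod traffic inside the
# namespace" concept as two NetworkPolicy objects. Illustrative manifests, not
# mogenius' own templates; the namespace "team-a" is an assumed value.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: team-a
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress              # no "ingress" rules are listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-namespace-communication
  namespace: team-a
spec:
  podSelector: {}          # again every pod in the namespace
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}  # a bare podSelector (no namespaceSelector) matches only
                           # pods in the policy's own namespace, so the allow rule
                           # never opens traffic from other namespaces
```

NetworkPolicy rules are additive, so with both objects present only pods inside team-a can reach each other and everything else (including an ingress controller running in another namespace) stays blocked until a further template explicitly allows it; kubectl describe networkpolicy -n team-a shows the effective rules.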
To support network policies, a Container Network Interface (CNI) plugin that enforces them is required on your cluster. Calico and Cilium are popular CNIs, and most managed Kubernetes solutions (Amazon EKS, Azure AKS, Google Cloud GKE) offer options to enable such a CNI during cluster creation. If you are uncertain whether a suitable CNI is available on your Kubernetes cluster, or you are encountering setup issues, feel free to contact our support.
To enable network policy management:
The deny-all-ingress and allow-namespace-communication policies are automatically added to the namespace.

When enabling network policy management, all previously created network policies in the namespace will be deleted. This ensures consistency and predictable results for policies created using mogenius. Be sure to back up any existing policies before proceeding.
Once network policy management is enabled, the interface displays all controllers within the namespace. To deploy a network policy for a controller:
To modify the templates available in the selection, refer to Managing Network Policy Templates.
After enabling network policy management for a namespace, developers can also use it within their mogenius projects. This enables them to securely and independently apply network policy templates within their projects.
To deploy a network policy for a resource inside a workspace:
Because policy templates are managed globally and network policy management is enabled only by admins for each namespace, the scope of network policies remains confined to the specific namespace assigned to a developer or team.
When applying a network policy to a controller, the available policies are read as templates from a global ConfigMap.
To manage these templates:
Changes made to the global list of templates do not affect existing controllers but will apply to any new network policies deployed to a controller thereafter.