From 9113fadbe2fc111ec4ec96ae09f12e2cb50909bf Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Wed, 31 Jul 2024 10:38:55 +0200 Subject: [PATCH] Add step to deploy a `CiliumNetworkPolicy` in the LoadBalancer how-to --- .../ROOT/pages/how-to/non-http-services.adoc | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/modules/ROOT/pages/how-to/non-http-services.adoc b/docs/modules/ROOT/pages/how-to/non-http-services.adoc index 9e1f9c55..fd9a9a10 100644 --- a/docs/modules/ROOT/pages/how-to/non-http-services.adoc +++ b/docs/modules/ROOT/pages/how-to/non-http-services.adoc @@ -52,6 +52,25 @@ spec: app: ggircd -- +Configure a `CiliumNetworkPolicy` to allow access to all workloads in the namespace from outside the cluster: + +[source,yaml] +-- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-from-world +spec: + endpointSelector: {} <1> + ingress: <2> + - fromEntities: + - world +-- +<1> By configuring a more restrictive `endpoointSelector` you can restrict which workloads are reachable from outside the cluster +<2> This example policy allows traffic from anywhere outside the cluster (via https://docs.cilium.io/en/latest/security/policy/language/#entities-based[entity] `world`). + +TIP: See the https://docs.cilium.io/en/latest/security/policy/[Cilium Network Policy documentation] for a detailed overview of what configuration options are available with `CiliumNetworkPolicy`. + On the https://portal.appuio.cloud/zones/cloudscale-lpg-2[cloudscale.ch - LPG 2] zone, the cluster automatically assigns a unique external IPv4 address to this service. To see which IPv4 address has been assigned, go to the OpenShift Web Console and navigate to "Networking/Services." The IP is displayed in the field "External IP." Using the CLI is also possible:
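Review bot: The example policy opens every workload in the namespace on every port to the `world` entity, while the preceding Service in this how-to selects only `app: ggircd`; since this is the step readers will copy, consider making the example match that Service (e.g. `endpointSelector: matchLabels: app: ggircd`) and, if the intent is to expose only the IRC port, add a `toPorts` rule to the `fromEntities` entry, keeping the `{}` variant as the explicitly described "everything in the namespace" option. Callout <1> has a typo, `endpoointSelector` should be `endpointSelector`, and it is missing the trailing period that callout <2> has. It would also help readers to state in the lead sentence that a `CiliumNetworkPolicy` is namespace-scoped, so the policy must be created in the same namespace as the Service.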