Merge pull request #199 from appuio/lb-service-ciliumnetworkpolicy

Add step to deploy a `CiliumNetworkPolicy` in the LoadBalancer how-to
appuio · Jul 31, 2024 · e7f9aa4 · e7f9aa4
2 parents 8c568fe + 9113fad
commit e7f9aa4
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/docs/modules/ROOT/pages/how-to/non-http-services.adoc b/docs/modules/ROOT/pages/how-to/non-http-services.adoc
@@ -52,6 +52,25 @@ spec:
     app: ggircd
 --
 
+Configure a `CiliumNetworkPolicy` to allow access to all workloads in the namespace from outside the cluster:
+
+[source,yaml]
+--
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-from-world
+spec:
+  endpointSelector: {} <1>
+  ingress: <2>
+  - fromEntities:
+    - world
+--
+<1> By configuring a more restrictive `endpoointSelector` you can restrict which workloads are reachable from outside the cluster
+<2> This example policy allows traffic from anywhere outside the cluster (via https://docs.cilium.io/en/latest/security/policy/language/#entities-based[entity] `world`).
+
+TIP: See the https://docs.cilium.io/en/latest/security/policy/[Cilium Network Policy documentation] for a detailed overview of what configuration options are available with `CiliumNetworkPolicy`.
+
 On the https://portal.appuio.cloud/zones/cloudscale-lpg-2[cloudscale.ch - LPG 2] zone, the cluster automatically assigns a unique external IPv4 address to this service. To see which IPv4 address has been assigned, go to the OpenShift Web Console and navigate to "Networking/Services." The IP is displayed in the field "External IP."
 
 Using the CLI is also possible: