Global Security Policy

SUMMARY Juniper Cloud-Native Contrail Networking (CN2) release 23.3 supports the selectors field for global Contrail security policies. The selectors field combines the podSelector and namespaceSelector fields. Global Contrail security policies define allow (pass) and deny rules for ingress and egress traffic between workloads (pods) across clusters. A global policy with a podSelector applies to pods that carry the labels given in podSelector. A global policy with a namespaceSelector applies to pods that run in namespaces carrying the labels given in namespaceSelector.

Global Security Policy Overview

CN2 release 23.2 enhanced security policies by introducing the global security policy. Unlike namespace security policies, which are bound to a single namespace, global Contrail security policies address multiple worker clusters within the same CN2 deployment and their traffic use cases. A multi-cluster deployment benefits from a global policy because it provides consistent, centralized policy management across clusters and an efficient way to control traffic between them. Apply a global policy and all matching ingress and egress traffic is controlled by the defined rules cluster-wide.

The following is an example of a GlobalContrailSecurityPolicy.

Note the kind field (GlobalContrailSecurityPolicy) and the absence of a namespace field in this policy's metadata. The policy is global precisely because it is not bound to a namespace.

Policy Scoping With Generic Label Selectors

Along with global policies, CN2 release 23.2 introduced the Contrail security policy. Global policies and Contrail security policies let you apply a policy to traffic from its source endpoint to its destination endpoint. By default, these policies contain no pod selector, which means that any such policy you define applies to all pods across clusters. Use the podSelector feature to restrict a policy to a specific set of pods.

Starting in release 23.3, you can scope a policy to a specific set of pods with the selectors field. Selectors let you apply a policy to pods within a single namespace or across namespaces.

The following is an example of a GlobalContrailSecurityPolicy. Note that this policy (example-policy) contains no selectors, so the endpoint labels alone decide which traffic it governs: it applies to traffic whose source endpoint (srcEP) pods carry the label dept: hr and whose destination endpoint (dstEP) pods carry the label dept: fc, in any namespace.

The following GlobalContrailSecurityPolicy example applies only to pods that carry the label site: svl and run in namespaces that carry the label ns: ns-svl. Both selectors must match; a pod labeled site: svl in a namespace without the ns: ns-svl label is out of scope.

When you use selectors on a global policy, you must define at least the namespaceSelector field; a podSelector on its own is not sufficient.

Policy Priority

Because CN2 evaluates Kubernetes network policies alongside Contrail security policies (global and namespace), a fixed order is required to determine how rules from the different policy types are processed for the same traffic.

Contrail security policy rules are evaluated first, global policies before namespace policies, followed by Kubernetes network policies.

The policies are prioritized as follows:

  1. Global Security Policies (Deny)

  2. Global Security Policies (Pass)

  3. Namespace Security Policies (Deny): Deny policies take priority over pass policies. By default, if a pod is covered by CN2 security policies but its traffic matches none of their rules, that traffic is denied.

  4. Namespace Security Policies (Pass): If you define no CN2 security policy at all, traffic is allowed between all pods in the corresponding namespace.

  5. Kubernetes Network Policies: Evaluated last. A pod that no Kubernetes network policy selects accepts traffic from all sources; once a network policy selects a pod, only the traffic its rules allow is accepted.
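The following is an added worked example, not CN2 code and not Juniper's API, that models both the selector scoping described under "Policy Scoping With Generic Label Selectors" (podSelector and namespaceSelector must both match, a global policy carries no namespace, srcEP and dstEP labels pick the traffic) and the evaluation order listed above (global deny, global pass, namespace deny, namespace pass, then Kubernetes network policy). The dataclass field names mirror the page's YAML field names, but the data model, the ingress-only evaluation, the reading that a pod covered by CN2 policies with no matching rule is denied, and the sample pods and labels are all this example's own assumptions.

```python
"""Added worked example; not CN2 code and not Juniper's API.

Models, for one flow between two pods: (1) scoping, where podSelector and
namespaceSelector must both match and srcEP/dstEP labels pick the traffic;
(2) priority, global deny > global pass > namespace deny > namespace pass
> Kubernetes NetworkPolicy. Data model and defaults are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

GLOBAL, NAMESPACE = "global", "namespace"
DENY, PASS = "deny", "pass"
# Lower rank wins; order taken from the page's "Policy Priority" list.
PRIORITY = {(GLOBAL, DENY): 0, (GLOBAL, PASS): 1,
            (NAMESPACE, DENY): 2, (NAMESPACE, PASS): 3}

@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict      # pod labels: matched by podSelector, srcEP, dstEP
    ns_labels: dict   # labels on the Namespace object: matched by namespaceSelector

@dataclass
class Policy:
    name: str
    scope: str                       # GLOBAL or NAMESPACE
    action: str                      # DENY or PASS
    namespace: Optional[str] = None  # set only on namespace-scoped policies
    pod_selector: dict = field(default_factory=dict)
    namespace_selector: dict = field(default_factory=dict)
    src_ep: dict = field(default_factory=dict)  # labels the source pod must carry
    dst_ep: dict = field(default_factory=dict)  # labels the destination pod must carry

@dataclass
class K8sNetworkPolicy:  # minimal Kubernetes NetworkPolicy: ingress, allow-from by pod labels
    namespace: str
    pod_selector: dict
    allow_from: list  # list of podSelector dicts

def labels_match(selector: dict, labels: dict) -> bool:
    # An empty selector matches everything: a policy without selectors applies to all pods.
    return all(labels.get(k) == v for k, v in selector.items())

def validate(policy: Policy) -> None:
    if policy.scope == GLOBAL and policy.namespace is not None:
        raise ValueError(f"{policy.name}: a global policy carries no namespace")
    if policy.scope == GLOBAL and policy.pod_selector and not policy.namespace_selector:
        raise ValueError(f"{policy.name}: global selectors need a namespaceSelector")
    if policy.scope == NAMESPACE and policy.namespace is None:
        raise ValueError(f"{policy.name}: a namespace policy needs a namespace")

def is_valid(policy: Policy) -> bool:
    try:
        validate(policy)
        return True
    except ValueError:
        return False

def covers(policy: Policy, pod: Pod) -> bool:
    """Does the policy's scope (namespace plus both selectors) select this pod?"""
    if policy.scope == NAMESPACE and policy.namespace != pod.namespace:
        return False
    return (labels_match(policy.pod_selector, pod.labels)
            and labels_match(policy.namespace_selector, pod.ns_labels))

def rule_matches(policy: Policy, src: Pod, dst: Pod) -> bool:
    return labels_match(policy.src_ep, src.labels) and labels_match(policy.dst_ep, dst.labels)

def k8s_allows(policies: list, src: Pod, dst: Pod) -> bool:
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and labels_match(p.pod_selector, dst.labels)]
    if not selecting:
        return True  # no NetworkPolicy selects the pod: Kubernetes accepts from all sources
    return any(labels_match(sel, src.labels) for p in selecting for sel in p.allow_from)

def evaluate_ingress(cn2_policies: list, k8s_policies: list, src: Pod, dst: Pod) -> tuple:
    """(verdict, reason) for traffic from src into dst; scope is checked against dst (assumption)."""
    for p in cn2_policies:
        validate(p)
    applicable = [p for p in cn2_policies if covers(p, dst)]
    for p in sorted(applicable, key=lambda q: PRIORITY[(q.scope, q.action)]):
        if rule_matches(p, src, dst):
            return p.action, f"{p.scope} {p.action} policy {p.name}"
    if applicable:  # assumed reading of the page: covered by CN2 policy, no rule hit => deny
        return DENY, "covered by CN2 policy but no rule matched"
    if k8s_allows(k8s_policies, src, dst):
        return PASS, "no CN2 policy covers the pod; Kubernetes NetworkPolicy allows"
    return DENY, "no CN2 policy covers the pod; Kubernetes NetworkPolicy denies"

# Constructed sample inventory using the page's labels; not from any real cluster.
HR = Pod("hr-app", "ns-svl", {"dept": "hr", "site": "svl"}, {"ns": "ns-svl"})
FC = Pod("fc-app", "ns-svl", {"dept": "fc", "site": "svl"}, {"ns": "ns-svl"})
FC_SJC = Pod("fc-sjc", "ns-sjc", {"dept": "fc", "site": "sjc"}, {"ns": "ns-sjc"})
CN2 = [
    # Shaped like the page's example-policy: no selectors, hr -> fc passes everywhere.
    Policy("example-policy", GLOBAL, PASS, src_ep={"dept": "hr"}, dst_ep={"dept": "fc"}),
    # Scoped to site: svl pods in ns: ns-svl namespaces; a global deny outranks the pass.
    Policy("svl-deny-hr", GLOBAL, DENY, pod_selector={"site": "svl"},
           namespace_selector={"ns": "ns-svl"}, src_ep={"dept": "hr"}),
]
```

With the constructed inventory, evaluate_ingress(CN2, [], HR, FC) is denied because the scoped global deny outranks the unscoped global pass, while evaluate_ingress(CN2, [], HR, FC_SJC) passes because the deny's podSelector (site: svl) does not select the sjc pod and only example-policy remains. Traffic from FC to HR matches no rule of either policy, so it falls into the "covered but unmatched" deny; only when no CN2 policy covers the destination at all does the decision fall through to Kubernetes network policies.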