Global Security Policy
SUMMARY Juniper Cloud-Native Contrail Networking (CN2) release 23.3 supports the selectors field for global Contrail security policies. The selectors field is a combination of the podSelector and namespaceSelector fields. Global Contrail security policies define allow and deny rules for ingress and egress traffic between workloads (pods) across clusters. A global policy with a defined podSelector applies to pods with the label specified in the podSelector field. A global policy with a defined namespaceSelector applies to pods whose namespace carries the label specified in the namespaceSelector field.
Global Security Policy Overview
CN2 release 23.2 enhanced security policies by introducing a global security policy. Unlike namespace security policies, global Contrail security policies address multiple worker clusters within the same CN2 deployment and their traffic use-cases. A multi-cluster deployment benefits from a global policy because it provides consistent, centralized policy management across multiple clusters and an efficient way to control traffic across clusters. Apply a global policy and all matching ingress and egress traffic is controlled by defined rules cluster-wide.
The following is an example of a GlobalContrailSecurityPolicy.

```yaml
apiVersion: core.contrail.juniper.net/v3
kind: GlobalContrailSecurityPolicy
metadata:
  name: example-policy
spec:
  rules:
  - srcEP:
      endPoints:
      - podSelector:
          matchLabels:
            app: frontend
    dstEP:
      endPoints:
      - podSelector:
          matchLabels:
            app: backend
      - ipBlock:
          cidr: 174.16.10.50/24
    ports:
    - protocol: TCP
      port: 80
    - protocol: UDP
      port: 81
    action: pass
```

Note the kind field, and the absence of a namespace field in this policy's metadata. This policy is global because it is not associated with a namespace.
Policy Scoping With Generic Label Selectors
Along with global policies, CN2 release 23.2 introduced the Contrail security policy. Global policies and Contrail security policies enable you to apply a policy that affects traffic from its source endpoint to its destination endpoint. By default, these policies do not contain a pod selector. This means that if you define any of these policies without one, the policy applies to all pods across clusters. Use the podSelector feature to apply a policy to a specific set of pods.

Starting in release 23.3, you can apply a policy to a specific set of pods with the selectors field. Selectors enable you to apply a policy to a set of pods within the same namespace or across namespaces.
The following is an example of a GlobalContrailSecurityPolicy. Note that this policy (example-policy) does not contain selectors. This policy applies to srcEP pods with the label dept: hr and dstEP pods with the label dept: fac.

```yaml
apiVersion: core.contrail.juniper.net/v5
kind: GlobalContrailSecurityPolicy
metadata:
  name: example-policy
spec:
  rules:
  - srcEP:
      endPoints:
      - podSelector:
          matchLabels:
            dept: hr
          matchExpressions:
          - {key: tier, operator: In, values: [one]}
      - ipBlock:
          cidr: 174.19.12.11/32
    dstEP:
      endPoints:
      - podSelector:
          matchLabels:
            dept: fac
      - ipBlock:
          cidr: 174.19.12.12/32
    ports:
    - protocol: TCP
      port: 3300
      endPort: 3400
    action: pass
```
The following GlobalContrailSecurityPolicy example applies to pods with the label site: svl within namespaces with the label ns: ns-svl.

```yaml
apiVersion: core.contrail.juniper.net/v5
kind: GlobalContrailSecurityPolicy
metadata:
  name: example-policy
spec:
  selectors:
  - podSelector:
      matchLabels:
        site: svl
  - namespaceSelector:
      matchLabels:
        ns: ns-svl
  rules:
  - srcEP:
      endPoints:
      - podSelector:
          matchLabels:
            dept: hr
          matchExpressions:
          - {key: tier, operator: In, values: [one]}
      - ipBlock:
          cidr: 174.19.12.11/32
    dstEP:
      endPoints:
      - podSelector:
          matchLabels:
            dept: fac
      - ipBlock:
          cidr: 174.19.12.12/32
    ports:
    - protocol: TCP
      port: 3300
      endPort: 3400
    action: pass
```

For global policies that use selectors, you must define at least the namespaceSelector field.
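The following is an added example, not Juniper's code: a small pre-deployment check that applies the scoping rules above to a GlobalContrailSecurityPolicy written as a Python dict. Label matching follows standard Kubernetes selector semantics (matchLabels plus matchExpressions with In, NotIn, Exists and DoesNotExist, which goes beyond the In operator the page shows); the validity checks are the page's own rules (no metadata.namespace, and a namespaceSelector whenever selectors are set). It assumes that every entry under spec.selectors must match for a pod to be in scope, which is how the page describes the site: svl / ns: ns-svl example; the pod and namespace labels used in the checks are constructed.

```python
# Added example (not Juniper's code): scope and validity checks for a
# GlobalContrailSecurityPolicy held as a plain dict (mirrors the page's YAML).
# Label matching follows Kubernetes selector semantics. Assumption: every entry
# under spec.selectors must match (pod selector AND namespace selector).

def match_selector(selector, labels):
    """True if `labels` satisfies a Kubernetes-style label selector."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        ok = {"In": present and labels.get(key) in values,
              "NotIn": labels.get(key) not in values,   # absent key satisfies NotIn
              "Exists": present,
              "DoesNotExist": not present}.get(op)
        if ok is None:
            raise ValueError(f"unknown selector operator: {op}")
        if not ok:
            return False
    return True

def validate_global_policy(policy):
    """Return the problems the page's rules flag; an empty list means well-formed."""
    problems = []
    if policy.get("kind") != "GlobalContrailSecurityPolicy":
        problems.append("kind must be GlobalContrailSecurityPolicy")
    if "namespace" in policy.get("metadata", {}):   # a global policy has no namespace
        problems.append("metadata.namespace must not be set on a global policy")
    selectors = policy.get("spec", {}).get("selectors", [])
    if selectors and not any("namespaceSelector" in s for s in selectors):
        problems.append("spec.selectors must define at least a namespaceSelector")
    return problems

def policy_scopes_pod(policy, pod_labels, ns_labels):
    """True if the policy's selectors scope to this pod; no selectors means all pods."""
    for sel in policy["spec"].get("selectors", []):
        if "podSelector" in sel and not match_selector(sel["podSelector"], pod_labels):
            return False
        if "namespaceSelector" in sel and \
                not match_selector(sel["namespaceSelector"], ns_labels):
            return False
    return True

# The page's selectors example as a dict (constructed to mirror its YAML).
EXAMPLE_POLICY = {
    "kind": "GlobalContrailSecurityPolicy", "metadata": {"name": "example-policy"},
    "spec": {"selectors": [{"podSelector": {"matchLabels": {"site": "svl"}}},
                           {"namespaceSelector": {"matchLabels": {"ns": "ns-svl"}}}]},
}
```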
Policy Priority
Because CN2 uses both Kubernetes network policies and namespace security policies, a sequence is required to determine how rules are processed between the two different policy types. The rules for namespace security policies are prioritized first, followed by Kubernetes network policies.
Each policy is prioritized as follows:
- Global Security Policies (Deny)
- Global Security Policies (Pass)
- Namespace Security Policies (Deny): By default, if a pod does not match any policies in CN2, traffic is denied. The deny policies are given a higher priority than the pass policies.
- Namespace Security Policies (Pass): If you do not define a policy in CN2, traffic is allowed between all pods in the corresponding namespace.
- Kubernetes Network Policies: By default, a Kubernetes network policy allows traffic from all sources.