
Commit 92c9198

authored
Merge pull request #269 from huntergregory/example-walkthrough
docs: [Policy Assistant] walkthrough demo with use cases and example files
2 parents 6b27658 + 47307fc commit 92c9198


8 files changed

+455
-0
lines changed


cmd/policy-assistant/examples/demos/walkthrough/README.md

Lines changed: 264 additions & 0 deletions
Large diffs are not rendered by default.
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
apiVersion: apps/v1
2+
kind: Deployment
3+
metadata:
4+
namespace: demo
5+
labels:
6+
pod: a
7+
name: a
8+
spec:
9+
replicas: 1
10+
selector:
11+
matchLabels:
12+
pod: a
13+
template:
14+
metadata:
15+
labels:
16+
pod: a
17+
spec:
18+
containers:
19+
- command:
20+
- /agnhost
21+
- serve-hostname
22+
- --tcp
23+
- --http=false
24+
- --port
25+
- "80"
26+
image: registry.k8s.io/e2e-test-images/agnhost:2.43
27+
imagePullPolicy: IfNotPresent
28+
name: cont-80-tcp
29+
ports:
30+
- containerPort: 80
31+
name: serve-80-tcp
32+
protocol: TCP
33+
- command:
34+
- /agnhost
35+
- serve-hostname
36+
- --tcp
37+
- --http=false
38+
- --port
39+
- "81"
40+
image: registry.k8s.io/e2e-test-images/agnhost:2.43
41+
imagePullPolicy: IfNotPresent
42+
name: cont-81-tcp
43+
ports:
44+
- containerPort: 81
45+
name: serve-81-tcp
46+
protocol: TCP
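Review bot: Neither container in this Deployment sets a `securityContext` or `resources`, and the same holds for the two containers in the Pod `b` manifest that follows. Example manifests get copied, so I would add `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` to each container and check that agnhost can still bind ports 80 and 81 on the target runtime, adding back only `NET_BIND_SERVICE` if the bind fails. The image is referenced by tag (`agnhost:2.43`) rather than by digest, which is fine for a demo but deserves a one-line comment. No manifest visible in this commit creates the `demo` namespace, so presumably the README does that first.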
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
apiVersion: v1
2+
kind: Pod
3+
metadata:
4+
namespace: demo
5+
labels:
6+
pod: b
7+
name: b
8+
spec:
9+
containers:
10+
- command:
11+
- /agnhost
12+
- serve-hostname
13+
- --tcp
14+
- --http=false
15+
- --port
16+
- "80"
17+
image: registry.k8s.io/e2e-test-images/agnhost:2.43
18+
imagePullPolicy: IfNotPresent
19+
name: cont-80-tcp
20+
ports:
21+
- containerPort: 80
22+
name: serve-80-tcp
23+
protocol: TCP
24+
- command:
25+
- /agnhost
26+
- serve-hostname
27+
- --tcp
28+
- --http=false
29+
- --port
30+
- "81"
31+
image: registry.k8s.io/e2e-test-images/agnhost:2.43
32+
imagePullPolicy: IfNotPresent
33+
name: cont-81-tcp
34+
ports:
35+
- containerPort: 81
36+
name: serve-81-tcp
37+
protocol: TCP
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
apiVersion: policy.networking.k8s.io/v1alpha1
2+
kind: AdminNetworkPolicy
3+
metadata:
4+
name: anp1
5+
spec:
6+
priority: 1
7+
subject:
8+
namespaces: {}
9+
ingress:
10+
- name: "allow-80"
11+
action: "Allow"
12+
from:
13+
- namespaces:
14+
namespaceSelector: {}
15+
ports:
16+
- portNumber:
17+
protocol: TCP
18+
port: 80
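Review bot: The subject `namespaces: {}` selects every namespace in the cluster and the `from` peer does the same, so applying this example anywhere but a throwaway cluster allows TCP/80 ingress to all pods from all namespaces. AdminNetworkPolicy `Allow` is evaluated before NetworkPolicy, so the `deny-anything-to-pod-a` policy added later in this commit will not block port 80 while `anp1` exists. I would add a header comment to the file, e.g. `# Cluster-wide: Allow here takes precedence over namespace NetworkPolicies; apply only on a disposable test cluster.`, or narrow `subject.namespaces` with `matchLabels: {kubernetes.io/metadata.name: demo}`. The `anp2` file uses the same cluster-wide subject.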
Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
apiVersion: policy.networking.k8s.io/v1alpha1
2+
kind: AdminNetworkPolicy
3+
metadata:
4+
name: anp2
5+
spec:
6+
priority: 2
7+
subject:
8+
namespaces: {}
9+
ingress:
10+
- name: "development-ns"
11+
action: "Pass"
12+
from:
13+
- namespaces:
14+
namespaceSelector:
15+
matchLabels:
16+
development: "true"
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
apiVersion: policy.networking.k8s.io/v1alpha1
2+
kind: BaselineAdminNetworkPolicy
3+
metadata:
4+
name: default
5+
spec:
6+
subject:
7+
namespaces: {}
8+
ingress:
9+
- name: "baseline-deny"
10+
action: "Deny"
11+
from:
12+
- namespaces:
13+
namespaceSelector: {}
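Review bot: This BaselineAdminNetworkPolicy denies ingress from every namespace to every namespace, system namespaces included, so on a cluster with no NetworkPolicy or ANP that allows it, traffic such as pod-to-DNS into `kube-system` would fall through to this `Deny`. BANP is a singleton that must be named `default`, so applying this file replaces any baseline policy an operator already has in place. A header comment stating both points, e.g. `# Singleton, cluster-wide default deny: overwrites any existing BANP; use a disposable test cluster and delete afterwards.`, would make the example safer to run. The README is not rendered on this page, so it may already cover cleanup.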
Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
kind: NetworkPolicy
2+
apiVersion: networking.k8s.io/v1
3+
metadata:
4+
namespace: demo
5+
name: deny-anything-to-pod-a
6+
spec:
7+
policyTypes:
8+
- Ingress
9+
podSelector:
10+
matchLabels:
11+
pod: a
12+
ingress: []
Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
[
2+
{
3+
"Source": {
4+
"Internal": {
5+
"Workload": "demo/deployment/a"
6+
}
7+
},
8+
"Destination": {
9+
"Internal": {
10+
"Workload": "demo/pod/b"
11+
}
12+
},
13+
"Protocol": "TCP",
14+
"ResolvedPort": 80,
15+
"ResolvedPortName": "serve-80-tcp"
16+
},
17+
{
18+
"Source": {
19+
"Internal": {
20+
"Workload": "demo/deployment/a"
21+
}
22+
},
23+
"Destination": {
24+
"Internal": {
25+
"Workload": "demo/pod/b"
26+
}
27+
},
28+
"Protocol": "TCP",
29+
"ResolvedPort": 81,
30+
"ResolvedPortName": "serve-81-tcp"
31+
},
32+
{
33+
"Source": {
34+
"Internal": {
35+
"PodLabels": {"app": "nginx"},
36+
"NamespaceLabels": {"development": "true"},
37+
"Namespace": "demo2"
38+
}
39+
},
40+
"Destination": {
41+
"Internal": {
42+
"Workload": "demo/deployment/a"
43+
}
44+
},
45+
"Protocol": "TCP",
46+
"ResolvedPort": 81,
47+
"ResolvedPortName": "serve-81-tcp"
48+
}
49+
]
