kilo/docs/network-policies.md

# Network Policies
Network policies specify whether and how groups of Pods running in a Kubernetes cluster may communicate with one another; in other words, they control and limit the ingress and egress traffic to and from Pods.
Because WireGuard peers reach Pods through the Kilo mesh, network policies can likewise restrict which WireGuard peers have access to which Pods and vice versa.
Kilo does not enforce network policies itself, and the Kubernetes API server accepts NetworkPolicy objects whether or not anything enforces them, so a policy created in a cluster without a policy controller has no effect.
Support for [Kubernetes network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) can be added to any cluster running Kilo by deploying a utility such as [kube-router](https://github.com/cloudnativelabs/kube-router).
## Installation
The following command adds network policy support by deploying kube-router to work alongside Kilo:
```shell
kubectl apply -f https://raw.githubusercontent.com/squat/kilo/master/manifests/kube-router.yaml
```
## Examples
Once kube-router is running, network policies can be deployed to the cluster and will be enforced.
Consider the following example scenarios.
### Deny All Ingress Except WireGuard
Imagine that an organization wants to limit access to a namespace so that only traffic arriving over the WireGuard VPN is accepted.
A NetworkPolicy is namespaced, so the following policy must be created in the namespace being protected; `podSelector: {}` selects every Pod in that namespace, and the only permitted source is the mesh CIDR:
```shell
cat <<'EOF' | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-ingress-except-wireguard
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.5.0.0/16 # The WireGuard mesh's CIDR.
EOF
```
Note that once a Pod is selected by an ingress policy it becomes isolated for ingress, so this policy also denies traffic from other Pods in the cluster, whose addresses come from the Pod CIDR rather than the mesh CIDR, unless a further policy allows them.
### Deny Egress to WireGuard Peers
Consider the case where Pods running in one namespace should not have access to resources in the WireGuard mesh, e.g. because the Pods are potentially untrusted.
In this scenario, a policy restricting egress to the WireGuard peers could be created with:
```shell
cat <<'EOF' | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-egress-to-wireguard
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.5.0.0/16 # The WireGuard mesh's CIDR.
EOF
```
The `except` range carves the mesh out of an otherwise permit-all IPv4 rule, so cluster DNS, other Pods and the internet remain reachable while every destination in the WireGuard CIDR is denied.
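To see how these two policies decide a given connection without needing a cluster, here is an added example (not Kilo's or kube-router's code) that re-implements the Kubernetes NetworkPolicy isolation rules for `ipBlock` peers in Python and runs both policies from this page against constructed addresses. The mesh CIDR `10.5.0.0/16`, the Pod address `10.244.1.5` and the label `app: api` are assumptions for illustration, and `podSelector`/`namespaceSelector` peers are deliberately not modelled. It demonstrates three semantics a practitioner relies on: a Pod is only isolated for a direction once some policy with that `policyType` selects it, allow rules are additive, and an `except` range carves a hole out of `cidr`.

```python
"""Offline evaluator for the ipBlock semantics used by the two policies above.

Added example; not part of Kilo or kube-router. The policies are embedded as
Python dicts mirroring their YAML, and all addresses are constructed.
"""
import ipaddress

WIREGUARD_CIDR = "10.5.0.0/16"  # Assumption: the mesh CIDR used throughout this page.

# Constructed: the two policies from this page, assumed to be created in the
# same namespace as the Pods they select.
DENY_INGRESS_EXCEPT_WIREGUARD = {
    "name": "deny-ingress-except-wireguard",
    "podSelector": {},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"ipBlock": {"cidr": WIREGUARD_CIDR}}]}],
}

DENY_EGRESS_TO_WIREGUARD = {
    "name": "deny-egress-to-wireguard",
    "podSelector": {},
    "policyTypes": ["Egress"],
    "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": [WIREGUARD_CIDR]}}]}],
}


def policy_types(policy):
    """Apply the API default: Ingress is always implied; Egress only if egress rules exist."""
    explicit = policy.get("policyTypes")
    if explicit is not None:
        return explicit
    return ["Ingress"] + (["Egress"] if "egress" in policy else [])


def selects(policy, pod_labels):
    """podSelector: {} matches every Pod in the namespace; otherwise all matchLabels must match."""
    wanted = policy.get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(key) == value for key, value in wanted.items())


def ip_block_allows(block, ip):
    """An ipBlock matches when ip is inside cidr and outside every except range."""
    addr = ipaddress.ip_address(ip)
    cidr = ipaddress.ip_network(block["cidr"])
    if addr.version != cidr.version or addr not in cidr:
        return False  # A v4-only rule never matches v6 traffic, and vice versa.
    return not any(addr in ipaddress.ip_network(ex) for ex in block.get("except", []))


def peer_allows(peer, ip):
    # Only ipBlock peers are modelled. podSelector/namespaceSelector peers need the
    # cluster's Pod inventory to resolve, so they are treated as non-matching here.
    return "ipBlock" in peer and ip_block_allows(peer["ipBlock"], ip)


def traffic_allowed(policies, pod_labels, direction, remote_ip):
    """Decide one connection. direction is "Ingress" (remote_ip is the source)
    or "Egress" (remote_ip is the destination)."""
    peers_key = "from" if direction == "Ingress" else "to"
    isolating = [p for p in policies if selects(p, pod_labels) and direction in policy_types(p)]
    if not isolating:
        return True  # No policy of this type selects the Pod: Kubernetes default-allows.
    # Once isolated, the Pod accepts only what some rule in some selecting policy allows.
    for policy in isolating:
        for rule in policy.get(direction.lower(), []):
            peers = rule.get(peers_key, [])
            if not peers:
                return True  # A rule with no from/to matches all sources/destinations.
            if any(peer_allows(peer, remote_ip) for peer in peers):
                return True
    return False


def evaluate_page_policies():
    """Evaluate both page policies, applied together, against constructed addresses."""
    policies = [DENY_INGRESS_EXCEPT_WIREGUARD, DENY_EGRESS_TO_WIREGUARD]
    pod_labels = {"app": "api"}  # Constructed; podSelector {} matches regardless.
    cases = {
        "ingress from WireGuard peer 10.5.0.7": ("Ingress", "10.5.0.7"),
        "ingress from cluster Pod 10.244.1.5": ("Ingress", "10.244.1.5"),
        "ingress from internet host 203.0.113.10": ("Ingress", "203.0.113.10"),
        "egress to WireGuard peer 10.5.0.7": ("Egress", "10.5.0.7"),
        "egress to internet host 203.0.113.10": ("Egress", "203.0.113.10"),
    }
    return {name: traffic_allowed(policies, pod_labels, d, ip) for name, (d, ip) in cases.items()}


def ingress_only_leaves_egress_open():
    """Isolation is per policyType: the ingress-only policy does not restrict egress."""
    return traffic_allowed([DENY_INGRESS_EXCEPT_WIREGUARD], {}, "Egress", "10.5.0.7")


if __name__ == "__main__":
    for case, allowed in evaluate_page_policies().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Run it directly to print the verdicts, or import it to unit-test a policy set before applying it. It is a model of the specification, not a substitute for confirming that kube-router is actually enforcing the objects in the cluster, for example by probing a protected Pod from a non-mesh address after the policy is applied.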