docs: add network policies examples

This commit adds a guide for deploying Kubernetes NetworkPolicy support
to a cluster running Kilo.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>

docs/network-policies.md

@@ -0,0 +1,65 @@
+# Network Policies
+
+Network policies allow specifying whether and how different groups of Pods running in a Kubernetes cluster can communicate with one another.
+In other words, they can be used to control and limit the ingress and egress traffic to and from Pods.
+Naturally, network policies can be used to restrict which WireGuard peers have access to which Pods and vice-versa.
+Support for [Kubernetes network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) can be easily added to any cluster running Kilo by deploying a utility such as [kube-router](https://github.com/cloudnativelabs/kube-router).
+
+## Installation
+
+The following command adds network policy support by deploying kube-router to work alongside Kilo:
+
+```shell
+kubectl apply -f kubectl apply -f https://raw.githubusercontent.com/squat/kilo/master/manifests/kube-router.yaml
+```
+
+## Examples
+
+Network policies could now be deployed to the cluster.
+Consider the following example scenarios.
+
+### Deny All Ingress Except WireGuard
+
+Imagine that an organization wants to limit access to a namespace to only allow traffic from the WireGuard VPN.
+Access to a namespace could be limited to only accept ingress from a CIDR range with:
+
+```shell
+cat <<'EOF' | kubectl apply -f -
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-ingress-except-wireguard
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 10.5.0.0/16 # The WireGuard mesh/s CIDR.
+EOF
+```
+
+### Deny Egress to WireGuard Peers
+
+Consider the case where Pods running in one namespace should not have access to resources in the WireGuard mesh, e.g. because the Pods are potentially untrusted.
+In this scenario, a policy to restrict access to the WireGuard peers could be created with:
+
+```shell
+cat <<'EOF' | kubectl apply -f -
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-egress-to-wireguard
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+        - 10.5.0.0/16 # The WireGuard mesh's CIDR.
+EOF
+```

manifests/kube-router.yaml

@@ -0,0 +1,106 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: kube-router
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: kube-router
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-router
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kube-router
+    spec:
+      serviceAccountName: kube-router
+      priorityClassName: system-node-critical
+      containers:
+      - name: kube-router
+        image: cloudnativelabs/kube-router
+        args:
+        - --run-router=false
+        - --run-firewall=true
+        - --run-service-proxy=false
+        securityContext:
+          privileged: true
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 20244
+          initialDelaySeconds: 10
+          periodSeconds: 3
+        volumeMounts:
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
+          readOnly: false
+      hostNetwork: true
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      - effect: NoSchedule
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+      volumes:
+      - name: xtables-lock
+        hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-router
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kube-router
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - namespaces
+  - nodes
+  - pods
+  - services
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-router
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-router
+subjects:
+  - kind: ServiceAccount
+    name: kube-router
+    namespace: kube-system

website/docs/network-policies

@@ -0,0 +1,5 @@
+---
+id: network-policies
+title: Network Policies
+hide_title: true
+---

website/sidebars.js

@@ -7,7 +7,7 @@ module.exports = {
     {
       type: 'category',
       label: 'Guides',
-      items: ['topology', 'vpn', 'vpn-server', 'multi-cluster-services'],
+      items: ['topology', 'vpn', 'vpn-server', 'multi-cluster-services', 'network-policies'],
     },
     {
       type: 'category',