
Cluster-Wide Network Policies

Overview

Important

An Org Admin or Infra Admin role is required to create and use cluster-wide network policies.

A cluster-wide policy is a bundle of network security rules that can be applied to one or more clusters via blueprints. It streamlines establishing a standard default posture: the admin applies a single policy that covers pods in every namespace, regardless of the policies that exist in individual namespaces.

Use Cases

As an admin, you would use cluster-wide policies for the following use cases:

  • Establishing zero-trust defaults: you may want your pods and namespaces to have a default security posture from the moment they are created, for example denying all internet traffic
  • Allowing requests to a baseline set of destinations: rather than creating a policy per namespace (for example to allow every pod to reach core-dns), create one cluster-wide policy that applies to all pods and namespaces in the cluster
  • Reducing the management overhead of network policies in high-scale environments: because cluster-wide policies are applied through blueprints, you can create one policy and apply it to a fleet of clusters rather than creating a policy per cluster
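The first two use cases above, expressed as a single Cilium cluster-wide policy. This is an added illustration, not output of the controller or part of the original page; it assumes the managed service ultimately renders cluster-scoped rules as CiliumClusterwideNetworkPolicy objects, and the policy name and the kube-dns labels are assumptions about the target cluster.

```yaml
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: baseline-egress-cluster-only   # hypothetical name
spec:
  description: "Default posture: pods may reach in-cluster endpoints and kube-dns, nothing on the internet"
  # An empty selector matches every pod in every namespace,
  # independent of whatever namespace-scoped policies exist.
  endpointSelector: {}
  egress:
    # Baseline destination: DNS lookups to the cluster's kube-dns/CoreDNS pods
    # (labels assumed; adjust to your DNS deployment).
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "53"
              protocol: TCP
    # Zero-trust default: allow only destinations inside the cluster.
    # Because no rule names the "world" entity, Cilium's default-deny for
    # egress drops all internet-bound traffic from the selected pods.
    - toEntities:
        - cluster
```

Note that the empty selector also covers the kube-dns pods themselves, so their upstream forwarding to external resolvers would be blocked; either exclude them with a label-based selector or add a rule permitting that egress.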

Managing Cluster-Wide Policies

Creating a Cluster-Wide Policy

In order to create a cluster-wide policy, you must add cluster-scoped network policy rules to it. Refer to the Network Policy rules documentation for instructions on creating rules.

  • Log in to the controller and, under Network Policy, go to the Policies screen. Select the Cluster tab and click New Policy
  • Give the policy a name and click Create
  • Provide a version name
  • Click Add Rules and add your cluster-scoped rules with the corresponding version
  • Click Save Changes

Create cluster-wide policy

Rules can be added to or removed from a policy using the same workflow. A new version needs to be created every time a policy is updated.

Using Cluster-Wide Policies

Cluster-Wide Policies are applied to clusters via blueprint.

Adding/Removing Cluster-Wide Policies To/From Blueprints

  • Under Infrastructure, navigate to Blueprints
  • Navigate to the Network Visibility and Policy section and enable it
  • Click Add Policy and add the cluster-wide policies with the corresponding version
  • To remove a cluster-wide policy from the blueprint, click the delete icon next to the policy you want to remove
  • Click Save Changes

Update Blueprint with Cluster-Wide Policy

Important

If pods in your cluster already existed before Cilium/the network policy management service was enabled in the blueprint, you must RESTART those pods for the policies to take effect.