Any pods/workloads that existed before sidecar injection was enabled must be RESTARTED for policies to take effect. When sidecar injection is disabled, pods/workloads must be RESTARTED for the sidecars to stop running.
An Org Admin, Project Admin, or Workspace Admin role is required to create and use service mesh namespace policies.
A namespace-wide policy is a bundle of service mesh rules that can be applied to one or more namespaces. An example use case for a namespace policy is configuring traffic routing for A/B testing or staged rollouts.
Managing Namespace Policies
Creating a Namespace Policy
In order to create a namespace policy, you must add namespace-scoped policy rules to it.
- Log in to the controller and, under Service Mesh, navigate to the Policies screen. Select the namespace tab and click new policy
- Give a name for the policy and click Create
- Provide a version name
- Click Add Rules and add your namespace-scoped rules with the corresponding version you want to use
- Click Save Changes
Rules can be added to or removed from a policy using the same workflow. A new version needs to be created every time a policy is updated.
Using Namespace Policies
Namespace policies are added to or removed from namespaces by doing the following:
- Log in to the controller and navigate to Namespaces
- Select the namespace that you want to apply the namespace policy/policies to, and click edit
- Under the Configuration tab, navigate to Service Mesh Policies
- Enable sidecar injection
- To add namespace policies, select from the dropdown and select the corresponding version to use
- To remove a namespace policy, simply hit the delete icon to the right of the policy
- Click Save and navigate to placement
- Select the clusters and click republish.
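
Because pods that were running before the injection setting changed keep their old state until restarted, it is worth checking after republishing which pods still disagree with the namespace setting. The following is an added example, not part of the product documentation: it reads output in the shape of `kubectl get pods -n <namespace> -o json`, and the sidecar container name `istio-proxy` is an assumption, since this page does not name the injected proxy.

```python
import json
import sys

SIDECAR_NAME = "istio-proxy"  # assumption: set to the proxy container your mesh injects


def container_names(pod):
    """Names of long-running containers, including native sidecars
    (init containers declared with restartPolicy: Always)."""
    spec = pod.get("spec", {})
    names = {c["name"] for c in spec.get("containers", [])}
    names |= {c["name"] for c in spec.get("initContainers", [])
              if c.get("restartPolicy") == "Always"}
    return names


def pods_needing_restart(pod_list, injection_enabled, sidecar=SIDECAR_NAME):
    """Pods whose sidecar state disagrees with the namespace setting."""
    stale = []
    for pod in pod_list.get("items", []):
        if pod.get("status", {}).get("phase") in ("Succeeded", "Failed"):
            continue  # finished pods carry no traffic
        if (sidecar in container_names(pod)) != injection_enabled:
            stale.append(pod["metadata"]["name"])
    return sorted(stale)


def _pod(name, containers, init=(), phase="Running"):
    """Build a minimal pod object for the constructed sample below."""
    return {"metadata": {"name": name},
            "spec": {"containers": [{"name": c} for c in containers],
                     "initContainers": [{"name": c, "restartPolicy": "Always"}
                                        for c in init]},
            "status": {"phase": phase}}


# Constructed sample, not real cluster output.
SAMPLE = {"items": [
    _pod("web-0", ["app"]),                           # predates injection
    _pod("web-1", ["app", SIDECAR_NAME]),             # restarted, sidecar present
    _pod("cache-0", ["redis"], init=[SIDECAR_NAME]),  # native sidecar
    _pod("migrate-x", ["job"], phase="Succeeded"),    # completed job, ignored
]}

if __name__ == "__main__":
    # Usage: kubectl get pods -n <namespace> -o json > pods.json; python check.py pods.json
    pods = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name in pods_needing_restart(pods, injection_enabled=True):
        print("restart required, sidecar state is stale:", name)
```

Pass `injection_enabled=False` to list pods still running a sidecar after injection has been disabled.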