Red Hat SummitThis documentation is for a release that is no longer maintained.
You can select a different version or view all RHACS documentation.Chapter 6. Generating build-time network policies
The build-time network policy generator is included in the roxctl CLI. For the build-time network policy generation feature, roxctl CLI does not need to communicate with RHACS Central so you can use it in any development environment.
6.1. Using the build-time network policy generator
Prerequisites
-
The build-time network policy generator recursively scans the directory you specify when you run the command. Therefore, before you run the command, you must already have service manifests, config maps, and workload manifests such as
Pod,Deployment,ReplicaSet,Job,DaemonSet, andStatefulSetas YAML files in the specified directory. -
Verify that you can apply these YAML files as-is using the
kubectl apply -fcommand. The build-time network policy generator does not work with files that use Helm-style templating. Verify that the service network addresses are not hardcoded. Every workload that needs to connect to a service must specify the service network address as a variable. You can specify this variable by using the workload’s resource environment variable or in a config map.
Service network addresses must match the following official regular expression pattern:
(http(s)?://)?<svc>(.<ns>(.svc.cluster.local)?)?(:<portNum>)?
(http(s)?://)?<svc>(.<ns>(.svc.cluster.local)?)?(:<portNum>)?1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- In this pattern,
- <svc> is the service name.
- <ns> is the namespace where you defined the service.
- <portNum> is the exposed service port number.
Following are some examples that match the pattern:
-
wordpress-mysql:3306 -
redis-follower.redis.svc.cluster.local:6379 -
redis-leader.redis -
http://rating-service.
Procedure
Verify that the build-time network policy generation feature is available by running the help command:
roxctl netpol generate -h
$ roxctl netpol generate -hCopy to Clipboard Copied! Toggle word wrap Toggle overflow Generate the policies by using the
netpol generatecommand:roxctl netpol generate <folder-path>
$ roxctl netpol generate <folder-path>1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- Specify the path of the folder that has the Kubernetes manifests.
The roxctl netpol generate command supports the following options:
|
| Description |
|
|
View the help text for the |
|
| Save the generated policies into a target folder. One file per policy. |
|
| Save and merge the generated policies into a single YAML file. |
|
|
Fail on the first encountered error. The default value is |
|
| Remove the output path if it already exist. |
|
|
Treat warnings as errors. The default value is |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}