Add tiered policies to Calico OSS #1699
calico-enterprise/network-policy/policy-tiers/tiered-policy.mdx
@@ -94,7 +102,7 @@ In the example above, tier priorities are as follows: | |||
|
|||
- **security tier** - is higher priority than platform tier | |||
- **platform tier** - is higher priority than default tier | |||
- **default tier** - is always the last tier and cannot be reordered | |||
- **default tier** - is the lowest priority than the rest |
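Review bot: the new bullet "is the lowest priority than the rest" is ungrammatical, and by dropping "cannot be reordered" it loses the one property readers need to know about the default tier. Since the default tier now has a fixed order of 1,000,000, suggest `- **default tier** - is always the lowest priority tier; its order is fixed at 1,000,000 and cannot be changed`, which keeps the old guarantee while matching the new ordering model.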
- **default tier** - is the lowest priority than the rest | |
- **default tier** - is the lowest priority. |
Previously, it could not be reordered; now it has an order. Can it be reordered? If yes, it would be worth saying that "previously it could not be reordered. It can be now, but we advise against that" or something similar?
No, the default tier must have the order of 1M. It cannot be reordered. Previously, it had an order of `nil`, and now it is `1M` and it cannot change. Also any tier with `nil` order will be treated as `1M`.
We will add a release note to warn customers about the change.
@@ -28,7 +28,7 @@ Policies in each Tier are then processed in order. | |||
- If a [NetworkPolicy](networkpolicy.mdx) or [GlobalNetworkPolicy](globalnetworkpolicy.mdx) in the Tier `Allow`s or `Deny`s the packet, then evaluation is done: the packet is handled accordingly. | |||
- If a [NetworkPolicy](networkpolicy.mdx) or [GlobalNetworkPolicy](globalnetworkpolicy.mdx) in the Tier `Pass`es the packet, the next Tier containing a Policy that applies to the endpoint processes the packet. | |||
|
|||
If the Tier applies to the endpoint, but takes no action on the packet the packet is dropped. | |||
If the Tier applies to the endpoint, but takes no action on the packet the packet is dropped by default. This behaviour can be changed by setting the `defaultAction` to `Pass` for a tier. |
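Review bot: the added sentence needs a comma after "on the packet", and "dropped by default" should say what the alternative does rather than leaving the reader to infer it; per the bullet above, a `Pass` sends the packet to the next Tier containing a Policy that applies to the endpoint. Suggest: "If the Tier applies to the endpoint but takes no action on the packet, the packet is dropped by default. Setting the tier's `defaultAction` to `Pass` instead hands the packet to the next Tier, exactly as a Policy `Pass` would." It is also worth one sentence noting that with `Pass` the tier no longer implicitly denies traffic it did not match, so the decision moves to later tiers and, after the last one, to the endpoint's profiles.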
If the Tier applies to the endpoint, but takes no action on the packet the packet is dropped by default. This behaviour can be changed by setting the `defaultAction` to `Pass` for a tier. | |
If the Tier applies to the endpoint, but takes no action on the packet the packet is dropped by. This behaviour can be changed by setting the `defaultAction` to `Pass` for a tier. |
Perhaps a chance to clarify "If the Tier applies to the endpoint", as I was confused about what it meant myself. It means that the tier contains a rule that applies to an endpoint? How can it apply to an endpoint and not take an action? Example?
This page is about documenting the resource itself. I believe it should be short and to the point. There is more description about this topic in the tiered policy page: https://docs.tigera.io/calico-enterprise/latest/network-policy/policy-tiers/tiered-policy#default-endpoint-behavior
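As an added example (not code from this PR or from Calico itself), the following models the evaluation rules in the hunk above together with the ordering rules from the earlier reply: tiers are walked by ascending order, an unset order counts as 1,000,000 like the default tier, a Policy `Allow`/`Deny` ends evaluation, `Pass` moves to the next tier, and a tier that applies to the endpoint but reaches no verdict uses its `defaultAction` (Deny unless set to Pass). The selector/port policy shape, the `Evaluate` and `SampleTiers` names and the sample tiers are constructed simplifications.

```go
package main

import "sort"

// Constructed model of the tier walk the docs describe; it is not Calico's own code.
type Action string

const Allow, Deny, Pass Action = "Allow", "Deny", "Pass"
const defaultTierOrder = 1_000_000 // fixed order of the default tier; an unset (nil) order is treated the same

type Policy struct{ Selector string; Port int; Action Action }                       // stand-in: one endpoint selector, one destination port (0 = any)
type Tier struct{ Name string; Order *int; DefaultAction Action; Policies []Policy } // Order nil = unset; DefaultAction is Deny (the default) or Pass

// evalTier returns Allow/Deny/Pass when the tier applies to the endpoint, or "" when nothing in it selects the endpoint.
func evalTier(t Tier, endpoint string, port int) Action {
	applies := false
	for _, p := range t.Policies {
		if p.Selector != endpoint { continue }
		applies = true
		if p.Port == 0 || p.Port == port { return p.Action } // first matching rule decides
	}
	if !applies { return "" }
	if t.DefaultAction == Pass { return Pass } // end of tier with defaultAction Pass: hand over to the next tier
	return Deny // end of tier without a verdict: dropped, the default behaviour
}

// Evaluate walks the tiers by ascending order and reports the verdict and which tier (or the profile) produced it.
func Evaluate(tiers []Tier, endpoint string, port int, profileAction Action) (Action, string) {
	order := func(t Tier) int { if t.Order == nil { return defaultTierOrder }; return *t.Order }
	sorted := append([]Tier(nil), tiers...)
	sort.SliceStable(sorted, func(i, j int) bool { return order(sorted[i]) < order(sorted[j]) })
	for _, t := range sorted {
		if v := evalTier(t, endpoint, port); v == Allow || v == Deny { return v, t.Name }
	} // a Pass, or a tier that does not apply, falls through to the next tier
	return profileAction, "profile" // every applicable tier passed: the endpoint's profile decides
}

// SampleTiers is constructed data: security passes everything, platform only addresses port 22, default allows port 80.
func SampleTiers() []Tier {
	sec, plat := 2000, 3000
	return []Tier{
		{Name: "default", DefaultAction: Deny, Policies: []Policy{{"app=web", 80, Allow}}},
		{Name: "platform", Order: &plat, DefaultAction: Deny, Policies: []Policy{{"app=web", 22, Deny}}},
		{Name: "security", Order: &sec, DefaultAction: Deny, Policies: []Policy{{"app=web", 0, Pass}}},
	}
}
```

With the constructed tiers, port 80 to `app=web` is dropped by the platform tier (it selects the endpoint but has no rule for port 80) and only reaches the default tier's Allow once platform's `DefaultAction` is set to `Pass`.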
description: Configure RBAC to control access to policies and tiers. | ||
--- | ||
|
||
# Configure RBAC for tiered policies |
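Review bot: since this page is copied from the Enterprise docs and the thread states that the AdminNetworkPolicy API is intended for cluster administrators but nothing enforces that, the RBAC page should say explicitly that access to the AdminNetworkPolicy tier is not restricted by default and must be configured through the same tier RBAC as any other tier. Otherwise readers will assume the ANP tier is protected out of the box.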
I suppose this is just a plain copy from EE, isn't it?
How does the RBAC play with the ANP tier? Is there some RBAC created by default, or does Kubernetes handle it on its own? Idk how it works, just double checking here!
FYI @mazdakn
Yes, this is just a copy from EE.
The ANP design states the API is for cluster administrators. This is not something we enforce, though. We provide Tier RBAC for users to configure the access, so in the end it's up to users to set up the access properly.
|
||
## The default tier: | ||
|
||
The default tier is created during installation and has the order of 1,000,000. |
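Review bot: this sentence gives the default tier's order but not whether it can change, while the AdminNetworkPolicy paragraph in the same PR says "This value is fixed, and cannot be changed" for 1,000; the default tier deserves the same statement. Suggest: "The default tier is created during installation and has the order of 1,000,000. This value is fixed and cannot be changed, so the default tier is always evaluated last." The heading `## The default tier:` also carries a trailing colon that the other headings on the page do not.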
The default tier is created during installation and has the order of 1,000,000. | |
The default tier is created during installation and has the order of 1,000,000. The desire is to evaluate policies in the default tier as last. |
I mentioned it before, but it's worth spelling out explicitly whether the order can be changed.
<!--TODO-XREF-CC | ||
If the last Tier applying to the endpoint `Pass`es the packet, that endpoint's [Profiles](/reference/resources/profile) are evaluated. | ||
--> | ||
If the last Tier applying to the endpoint `Pass`es the packet, that endpoint's [Profiles](profile.mdx) are evaluated. |
This xref breaks the build. An example of a file from the CE docs that doesn't exist in CC.
Co-authored-by: Tomas Hruby <[email protected]>
Fixes link error and adds OSS tier docs to sidebars
a few tiny typos
@@ -62,6 +62,10 @@ The default tier is where: | |||
- Network and global network policies are placed when you upgrade from Project Calico to {{prodname}} | |||
- Recommended policies are placed when you use the **Recommend a policy** feature | |||
|
|||
## AdminNetworkPolicy tier: | |||
|
|||
The AdminNetworkPolicy tier where all [Kubernetes admin network policies](https://network-policy-api.sigs.k8s.io/reference/examples/) reside. It is automatically created during installation and has the order of 1,000. This value is fixed, and cannot be changed. |
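Review bot: the paragraph fixes the ANP tier at order 1,000 but does not say where user-created tiers may sit relative to it: can an operator create a tier with an order below 1,000 that is evaluated before admin network policies? Given that the ANP API is described as being for cluster administrators, the answer matters for anyone relying on ANP as the first line of policy, so state it explicitly either way.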
The AdminNetworkPolicy tier where all [Kubernetes admin network policies](https://network-policy-api.sigs.k8s.io/reference/examples/) reside. It is automatically created during installation and has the order of 1,000. This value is fixed, and cannot be changed. | |
The AdminNetworkPolicy tier is where all [Kubernetes admin network policies](https://network-policy-api.sigs.k8s.io/reference/examples/) reside. It is automatically created during installation and has the order of 1,000. This value is fixed, and cannot be changed. |
Fixed.
@@ -86,21 +90,21 @@ Now you can reorder tiers by dragging and moving them. | |||
|
|||
## Tier order | |||
|
|||
Tiers are ordered from left to right, starting with the highest priority (also called highest precedence) tiers. | |||
Tiers are ordered based on their orders (from left to right), starting from the lowest order (the highest priority) tiers. |
Tiers are ordered based on their orders (from left to right), starting from the lowest order (the highest priority) tiers. | |
Tiers are sorted by their orders (from left to right), starting from the lowest order (the highest priority) tiers. |
Fixed.
|
||
## AdminNetworkPolicy tier: | ||
|
||
The AdminNetworkPolicy tier where all [Kubernetes admin network policies](https://network-policy-api.sigs.k8s.io/reference/examples/) reside. It is automatically created during installation and has the order of 1,000. This value is fixed, and cannot be changed. |
The AdminNetworkPolicy tier where all [Kubernetes admin network policies](https://network-policy-api.sigs.k8s.io/reference/examples/) reside. It is automatically created during installation and has the order of 1,000. This value is fixed, and cannot be changed. | |
The AdminNetworkPolicy tier is where all [Kubernetes admin network policies](https://network-policy-api.sigs.k8s.io/reference/examples/) reside. It is automatically created during installation and has the order of 1,000. This value is fixed, and cannot be changed. |
Fixed.
@tmjd There are some changes here to the CC tiers docs. They appear to be removing innocuous diffs between the CE and CC versions. But it might be a good idea for you to take a quick pass at the changes here to see if anything is wrong for CC.
--user=<USER\> | ||
``` | ||
|
||
### Create minimum permissions for all non-Admin users |
This section discusses the UI. Not sure how much needs removing. What do you think?
Right. Removed it.
I believe we can remove the whole section.
description: Configure RBAC to control access to policies and tiers. | ||
--- | ||
|
||
# Configure RBAC for tiered policies |
FYI @mazdakn
@ctauchen I don't see anything that should be different for Calico Cloud.
LGTM
Doc changes related to `defaultAction`: Introduce default action in tiers projectcalico/calico#9232
Product Version(s): Calico v3.29, Calico Enterprise v3.20.2