Getting started guide for the host firewall#12537
joestringer
left a comment
Awesome guide, thanks.
I didn't try it out, but I noticed some issues that may cause problems for users. I also gave some wordsmithing suggestions below.
First version of the host firewall GSG. I still want to extend it with a more extensive troubleshooting section than we have in Network Policy > Host Policies (or I'll add a section in Troubleshooting for the host firewall). I may also extend the GSG later to include some example of policies on path hostns <-> pods. Fixes: #12278 Signed-off-by: Paul Chaignon <paul@cilium.io>
We need to remove it from the title or otherwise it is included wherever
we reference host policies with:
:ref:`HostPolicies`
There is already a note on the beta status below the title anyway.
Signed-off-by: Paul Chaignon <paul@cilium.io>
Host examples are now hosted in examples/policies/host. Signed-off-by: Paul Chaignon <paul@cilium.io>
To be on the safe side and avoid breaking the cluster, we can allow remote nodes and the health endpoint. Without this, we will at least drop some ICMP probes. Signed-off-by: Paul Chaignon <paul@cilium.io>
Relying on node labels to apply the host policy in the host firewall getting started guide allows us to include fully working commands throughout the guide. Without this, commands cannot include the 'kubectl exec' part because we don't know on what node and cilium pod the user is executing them. Signed-off-by: Paul Chaignon <paul@cilium.io>
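As an added illustration (not a file from this PR or from the Cilium docs), the shape of a host policy that does what the two commits above describe: it is applied by a node label rather than to every node, and it keeps node-to-node traffic and the Cilium health probes allowed so that applying the policy does not drop ICMP probes. The policy name and the node label `host-fw-demo: "true"` are assumptions chosen for the example; `CiliumClusterwideNetworkPolicy`, `nodeSelector`, `fromEntities`, `remote-node` and `health` are existing Cilium API names.

```yaml
# Added example, not from the PR: a minimal host policy in the shape the
# commit messages describe. The policy name and the node label used in
# nodeSelector are assumptions for this example.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: host-fw-demo
spec:
  description: "Select nodes by label; keep remote nodes and health probes reachable"
  # Host policies select nodes, not pods. Only nodes carrying this
  # (assumed) label are affected, so the guide can say exactly which
  # node and cilium pod its commands run against.
  nodeSelector:
    matchLabels:
      host-fw-demo: "true"
  ingress:
  # Without this rule, ingress from other cluster nodes and from the
  # Cilium health endpoint would be dropped once the policy selects a
  # node, which is the ICMP probe loss the commit message mentions.
  - fromEntities:
    - remote-node
    - health
```

To try it, label one node (`kubectl label node <node-name> host-fw-demo=true`) and apply the policy with `kubectl apply -f`. Caveat: as soon as a host policy selects a node, ingress to that node's host namespace that no rule allows is dropped, so anything else that must reach the node (SSH, the kubelet port, and so on) needs its own rule before the policy is applied.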
I've addressed the last review comments in the last branch update. It includes one new commit to address #12537 (comment) and allow us to explicitly state each command that needs to be executed in full (including
joestringer
left a comment
Looks good, didn't try it out yet.
Reviews are in and documentation tests passed.
First version of the host firewall getting started guide (GSG). I still want to extend it with a more extensive troubleshooting section than we have in Network Policy > Host Policies (or I'll add a section in Troubleshooting for the host firewall). I may also extend the GSG later to include some example of policies on path hostns <-> pods.
Fixes: #12278
Updates: #11799