Rancher allows users to configure a network policy within an environment. A network policy allows you to define specific networking rules within the environment. By default, all containers are able to communicate with each other, but there may be restrictions that you want to place on your containers.
When setting up an environment template, you can enable the Network Policy Manage item.
Alternatively, if you already have an environment set up, you can select and launch the Network Policy Manager from the Rancher catalog.
Note: Network Policy Manager is currently only compatible with an environment using the Cattle container orchestration. Environment templates will restrict which ones are compatible based on orchestration, but all options are available from the catalog.
Network policy settings can be configured for each environment by navigating to the environment’s settings page. You can navigate to the environments’s settings page by clicking on Manage Environments option from the dropdown menu. Click on the edit icon next to the environment you want to set a network policy on.
There are four options in the UI to control the network traffic between containers. Allow permits network traffic to occur where as Deny restricts network traffic.
A normal use case would be to select Deny for Everything Else and select Allow for the other options.
Note: The rules are applied in the left to right order.
In the network resource, there is a defaultPolicyAction and a policy field that define how the communication between containers work. The policy field is an ordered array of network policy rules. Using Rancher’s API, you can manage the network policy for the environment.
In order to manage your network policy, you will need to find the Network resource. As a network is part of an environment, the endpoint to find networks will be:
http://<RANCHER_SERVER_IP>/v2-beta/projects/<PROJECT_ID>/networks/<NETWORK_ID>`
How to find the endpoint for your network:
Note:
Environmentin the UI is aprojectin the API.
ipsec. Click on the self link for the network.defaultPolicyAction, you can change the default policy and in the policy field, you can manage your network policy rules.By default, all containers are enabled and allowed to communicate with each other. In the API, you will see that the defaultPolicyAction has been set to allow.
To change the default policy to deny communication between all containers, you would need to edit the defaultPolicyAction to be deny.
Network policy rules set container communication for specific sets of containers.
Assumption: Service A is linked to service B.
To enable containers of service A to be able to communicate with service B:
{
"within": "linked",
"action": "allow"
}
Note: Containers of service B will not be able to initiate a connection to service A.
To disable containers of service A to be able to communicate with service B:
{
"within": "linked",
"action": "deny"
}
Any network policy rule for linked services apply to all linked services in an environment.
To enable communication between containers only within the same service:
{
"within": "service",
"action": "allow"
}
To disable communication between containers within the same service:
{
"within": "service",
"action": "deny"
}
To enable communication between containers only within the same stack:
{
"within": "stack",
"action": "allow"
}
To disable communication between containers within the same stack:
{
"within": "stack",
"action": "deny"
}
To enable communication between containers based on their label values:
{
"between": {
"groupBy": "<KEY_OF_LABEL>"
},
"action": "allow"
}
To disable communication between containers based on their label values:
{
"between": {
"groupBy": "<KEY_OF_LABEL>"
},
"action": "deny"
}
No containers can communicate with any other container in the environment.
defaultActionPolicy to deny.Containers within the same stack are only allowed to communicate with each other, but the container cannot communicate with any containers in other stacks.
defaultActionPolicy to deny.policy:{
"within": "stack",
"action": "allow"
}
Containers with matching labels can communicate with other matching labels. The rule uses the key of the label to group which containers can communicate with each other.
Let’s assume we have the following set of stacks in the environment.
stack_one:
service_one:
label: com.rancher.department = qa
service_two:
label: com.rancher.department = engineering
service_three:
label: com.rancher.location = cupertino
stack_two:
service_one:
label: com.rancher.department = qa
service_two:
label: com.rancher.location = cupertino
stack_three:
service_one:
label: com.rancher.department = engineering
service_two:
label: com.rancher.location = phoenix
Communication between only containers of with the same com.rancher.department label.
defaultActionPolicy to deny.policy:{
"between": {
"groupBy": "com.rancher.department"
},
"action": "allow"
}
There are two distinct label pairs with the same key (i.e. com.rancher.department).
com.rancher.department = engineering would be able to communicate with each other, but no other container. In our example, any containers from stack_one.service_two and stack_three.service_one would be able to communicate to each other, but no other containers.com.rancher.department = qa would be able to communicate with each other but no other container. In this example, any containers from stack_one.service_two and stack_two.service_two would be able to communicate with each other, but no other containers.com.rancher.department would not be able to communicate with any other containers.