DOCS-550-Update-default-deny #1230
Conversation
✅ Deploy Preview for calico-docs-preview-next ready!
@fasaxc Ideally, we should have an OSS version of this doc (https://docs.tigera.io/calico-enterprise/3.18/network-policy/default-deny), but it would take more work. Consider this a short-term fix.
We recommend creating an implicit default deny policy for your Kubernetes pods, regardless of whether you use {{prodname}} or Kubernetes network policy. This ensures that unwanted traffic is denied by default. Note that implicit default deny policy always occurs last; if any other policy allows the traffic, then the deny does not come into effect. The deny is executed only after all other policies are evaluated. | ||
We recommend that you create a {{prodname}} default deny policy (network policy with a `Deny` rule) for your Kubernetes pods shortly after installing {{prodname}}. This policy prevents pods without policy, incorrect policy, empty policy, and {{prodname}} policy for non-workload endpoints, from allowing traffic until you can put policies in place and test them. After you write policy for the traffic that you want to allow in the cluster, we recommend that you create a *global default deny policy* to secure your deployment. In short, creating a default deny policy covers security gaps without you having to remember default deny/allow behavior of Kubernetes and {{prodname}} policies. |
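Review bot: the list in the new second sentence does not parse as written: "prevents pods without policy, incorrect policy, empty policy, and {{prodname}} policy for non-workload endpoints, from allowing traffic" attaches "from allowing traffic" to the policies as well as to the pods. Reword so the subject is the gap being closed, for example "ensures that pods with no policy, an incorrect policy, or an empty policy, and non-workload endpoints covered only by {{prodname}} policy, pass no traffic until you have written and tested policies for them". Also make "network policy with a `Deny` rule" match the policy this text introduces: if that policy contains no rules, say that it denies traffic simply by selecting the pods, rather than by a `Deny` rule.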
The example below doesn't agree with this. Here it says "with a Deny rule" but below, there is no Deny rule. The policy below has no rules at all!
That's because the policy below is only added for its side effect... The default policy action (allow/deny) is:
- Allow, if your workload has no policy at all.
- Deny, if your policy has any policy at all.
Adding an empty policy has the side effect of triggering the above "Deny, if your policy has any policy at all" but the policy has no rules in it, so it doesn't matter what order it has because no packets can ever match the policy, only its side-effect.
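As an added illustration of the side effect described in the comment above (not a snippet from this PR or from the Calico docs being edited): a Calico `GlobalNetworkPolicy` that selects pods but carries no ingress or egress rules. The exclusion of `kube-system` in the selector is an assumption added here so that cluster DNS is not cut off; adjust it to the namespaces you need to keep reachable.

```yaml
# Added example: a "default deny" with no rules at all.
# Nothing can ever match this policy, because it has no rules.
# Its only effect is that every endpoint it selects now has *a* policy,
# which switches Calico's fallback action for those endpoints from
# implicit allow (no policy) to implicit deny (some policy, no match).
# Because no packet can match, the policy's order does not matter.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  # Assumption: keep kube-system out of the deny so DNS keeps working.
  # Replace with the namespaces you must exempt.
  selector: projectcalico.org/namespace != 'kube-system'
  # Declaring both directions makes the implicit deny apply to both
  # ingress and egress for the selected endpoints.
  types:
    - Ingress
    - Egress
  # No ingress: / egress: rule lists on purpose (see comments above).
```

Apply it with `kubectl apply -f` or `calicoctl apply -f`; traffic to and from the selected pods is then denied unless some other policy explicitly allows it.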
8659baa to 48a9505
@fasaxc Your last comment reminded me why this doc required a total rewrite (not just a quick fix). I've rewritten the doc based on this CE doc (https://docs.tigera.io/calico-enterprise/latest/network-policy/default-deny). The CE doc refers to using staged policy so I just reworded to "test environment."
@fasaxc PTAL. Looks like Barbara pushed a revision to your latest comment. If this is good now, I'll merge and make the same changes to other OSS versions.
Closing and replacing with #1371
Fix wording around default deny policy for OSS.
Product Version(s):
All OSS active versions
Issue:
https://tigera.atlassian.net/browse/DOCS-550 and discussion: https://tigera.slack.com/archives/CGMG75AUV/p1656880509050909
Link to docs preview:
https://deploy-preview-1230--tigera.netlify.app/calico/latest/network-policy/get-started/kubernetes-default-deny
SME review:
DOCS review:
Additional information:
Merge checklist: