Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apply security policy to Antrea Container Clusters #1230

Open
kumarm2024 opened this issue Jun 11, 2024 · 3 comments
Open

Apply security policy to Antrea Container Clusters #1230

kumarm2024 opened this issue Jun 11, 2024 · 3 comments
Assignees
@salv-orlando
Labels
enhancement Enhancement
Milestone
v3.9.0

Comments

@kumarm2024
Copy link

Is your feature request related to a problem? Please describe.

I wanted to apply security policy to Antrea Container Cluster. At present there is no option available to apply this by using terraform.

Describe the solution you'd like

There should be option to apply security policy to Container Cluster. At the moment we can apply security policy to the policy groups using scope argument.

Solution I would like to have, there should be a way where l can define Antrea cluster in the policy scope

Describe alternatives you've considered

No response

Additional context

No response
@kumarm2024 kumarm2024 added the enhancement Enhancement label Jun 11, 2024
@annakhm
Copy link
Collaborator

annakhm commented Jun 11, 2024

Hello @kumarm2024, in the group resource, you have the option to define member_type arguments that are specific to Kubernetes and Antrea: https://registry.terraform.io/providers/vmware/nsxt/latest/docs/resources/policy_group#member_type
Would this satisfy your ask or is there anything else missing?

@kumarm2024
Copy link
Author

kumarm2024 commented Jun 12, 2024
edited
Loading

@annakhm thanks for reply, I guess you are taking about "policy group" resource which I know we can create Antrea group with the "member_type" argument.
My question is how we going to create security policy resource which will target to Antrea Cluster itself:

So I was talking about "nsxt_policy_security_policy" resource. What to define in "scope" argument so that it apply to Antrea Container Cluster (Rather than group) - I want to target Antrea Container Cluster not group
image

Let me give you example:

I have created two group group1 and group2 as below :
resource "nsxt_policy_group" "group1" {
display_name = "group1"
description = "Terraform provisioned Group"
group_type = "ANTREA"

criteria {
condition {
key = "Name"
member_type = "Namespace"
operator = "EQUALS"
value = "test1"
}
}
}

resource "nsxt_policy_group" "group2" {
display_name = "group2"
description = "Terraform provisioned Group"
group_type = "ANTREA"

criteria {
condition {
key = "Name"
member_type = "Namespace"
operator = "EQUALS"
value = "test2"
}
}
}

Now I want to create policy and rule which will drop traffic from group1 to group2:

resource "nsxt_policy_security_policy" "test-policy" {
display_name = "test-policy"
description = "Terraform provisioned Security Policy"
category = "Application"
locked = false
stateful = true
tcp_strict = false
scope = ?????????????? What to define here so that it apply to Antrea Container Cluster ?

rule {
display_name = "drop"
source_groups = [nsxt_policy_group1.path]
destination_groups = null # empty destination refers to all
scope = [nsxt_policy_group2.path]
action = "DROP"
logged = true
}
}

@salv-orlando salv-orlando self-assigned this Aug 9, 2024
@salv-orlando salv-orlando added this to the v3.8.0 milestone Aug 9, 2024
@salv-orlando salv-orlando modified the milestones: v3.8.0, v3.9.0 Dec 13, 2024
@salv-orlando
Copy link
Member

Moving to 3.9.0 as we're getting close to the 3.8.0 release and will need more time to work on this enhancement

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@salv-orlando salv-orlando

Labels
enhancement Enhancement
Projects
None yet
Milestone
v3.9.0
Development

No branches or pull requests
3 participants
@salv-orlando @annakhm @kumarm2024