docs/usage.md
14 additions & 1 deletion
@@ -107,6 +107,8 @@ clusters:
107
107
|`netbird.io/policy`| Name(s) of NBPolicy to propagate service ports as destination. ||Comma-separated list of names of any NBPolicy resource|
108
108
|`netbird.io/policy-ports`| Narrow down exposed ports in a policy. Leave empty for all ports. ||Comma-separated integer list, integers must be between 0-65535|
109
109
|`netbird.io/policy-protocol`| Narrow down protocol for use in a policy. Leave empty for all protocols. ||(`tcp`,`udp`)|
110
+
|`netbird.io/policy-source-groups`| Specify source groups for auto-generated policies. Required for auto-generating policies||Any comma-separated list of strings.|
111
+
|`netbird.io/policy-name`| Specify human-friendly names for auto-generated policies. ||comma-separated list of `policy:friendly-name`, where policy is the name of the kubernetes object.|
110
112
111
113
Example service:
112
114
```yaml
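Review bot: The `netbird.io/policy-source-groups` row gives its values as "Any comma-separated list of strings", which does not tell the reader what the strings refer to; say they are group names (the steps later in this file call them "group names to allow as a source") and document what happens when a listed group is not found. Since this annotation decides which sources an auto-generated policy admits, the row is also the place to note that anyone able to annotate a Service sets those sources. In the `netbird.io/policy-name` row, document how a friendly name containing a comma or colon is handled given the comma-separated `policy:friendly-name` format, and add the missing period after "Required for auto-generating policies".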
@@ -159,6 +161,10 @@ spec:
159
161
160
162
### Managing Policies
161
163
164
+
Policies can be either created through the Helm chart or they can be auto-generated from Service annotation definitions.
165
+
166
+
#### Helm
167
+
162
168
Simply add policies under `ingress.policies`, for example:
163
169
1. Add the following configuration in your `values.yaml` file.
164
170
```yaml
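Review bot: The new intro sentence under "Managing Policies" presents auto-generation as always available, but the steps added further down require `ingress.allowAutomaticPolicyCreation` to be set to true; mention that setting here so a reader who stops at the overview knows the feature is gated. The sentence also reads more cleanly as "Policies can either be created through the Helm chart or auto-generated from Service annotations."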
@@ -180,7 +186,14 @@ ingress:
180
186
3. (Optional) Limit specific ports in exposed service by adding `netbird.io/policy-ports=443`.
181
187
4. (Optional) Limit specific protocol in exposed service by adding `netbird.io/policy-protocol=tcp`.
182
188
183
-
#### Notes
189
+
#### Auto-Generated Policies
190
+
191
+
1. Ensure `ingress.allowAutomaticPolicyCreation` is set to true in the Helm chart and apply.
192
+
2. Annotate a service with `netbird.io/policy` with the name of the policy as a kubernetes object, for example `netbird.io/policy: default`. This will create an NBPolicy with the name `default-<Service Namespace>-<Service Name>`.
193
+
3. Annotate the same service with `netbird.io/policy-source-groups` with a comma-separated list of group names to allow as a source, for example `netbird.io/policy-source-groups: dev`.
194
+
4. (Optional) Annotate the service with `netbird.io/policy-name` for a human-friendly name, for example `netbird.io/policy-name: "default:Default policy for kubernetes cluster"`.
195
+
196
+
#### Notes on Policies
184
197
* Each NBPolicy will only create policies in the NetBird console when the information provided is enough to create one. If no services act as a destination or specified services do not conform to the protocol(s) defined, the policy will not be created.
185
198
* Each NBPolicy will create one policy in the NetBird console per protocol specified as long as the protocol has destinations; this ensures better-secured policies by separating ports for TCP and UDP.
186
199
* Policies currently do not support ICMP protocol, as ICMP is not supported in Kubernetes services, and there are [no current plans to support it](https://discuss.kubernetes.io/t/icmp-support-for-kubernetes-service/21738).
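Review bot: Step 1 of "Auto-Generated Policies" does not state the default of `ingress.allowAutomaticPolicyCreation` or what enabling it changes about who can create policies; once it is true, a Service annotation is enough to produce an NBPolicy with chosen source groups, so the step should say that write access to Services then governs policy creation. Step 2 says the object is created as `default-<Service Namespace>-<Service Name>`, while step 4 keys the friendly name on `default`; spell out which of the two names the `policy:` part of `netbird.io/policy-name` must match. The new steps write annotations as `key: value` while the Helm steps just above use `netbird.io/policy-ports=443`; pick one form for the whole section.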