You can export the recommended network policy rules related to Kubernetes objects in the YAML format. VMware Aria Operations for Networks supports exporting to YAML format for the group by Namespace and group by Service topologies only.

Prerequisites

Procedure

  1. To export the recommended rules to YAML format, on the Plan Security model, select the Kubernetes cluster for which you want to plan security, and perform one of the following steps:
    • Expand more options in the Micro-Segments widget and select Export Rules as YAML, or
    • Select a node on the Micro-Segments wheel view, click on the count of Recommended Firewall Rules, expand more options and select Export Rules as YAML.
    VMware Aria Operations for Networks downloads a ZIP file whose name contains "Kubernetes Network Policies" and a timestamp. When you unzip the file, you see the following five CSV files and one folder per cluster. Each cluster folder contains multiple YAML files, one per network policy for that cluster.
    File Name - Description
    network-policy-others-ipaddress.csv - Contains the IP addresses of the physical servers and virtual machines with which the services or namespaces are communicating.
    recommended-namespace-labels-to-add.csv - Contains the labels to be attached to the pods associated with the namespace.

    Example:

    • Cluster - pdk8s
    • Namespace - sock-shop
    • Label - sock-shop-pdk8s
    recommended-service-labels-to-add.csv - Contains the labels to be attached to the pods associated with the service.

    Example (one entry per service):

    • Cluster - pdk8s
    • Namespace - sock-shop
    • Service - front-end
    • Label - Service:front-sock-shop-pdk8s

    • Cluster - pdk8s
    • Namespace - sock-shop
    • Service - user
    • Label - Service:user-sock-shop
    recommended-network-policy.csv - Contains all the rules recommended by VMware Aria Operations for Networks.
    exported-network-policy-rule-names.csv - Lists all the network policies exported based on the recommended rules.
  2. To apply the service labels, perform the following steps:
    1. Run the following Kubernetes CLI command:
      kubectl edit deployment <service-name> -n <namespace-name>
      For example: kubectl edit deployment redis-primary -n guestbook
      The deployment manifest of the service opens.
    2. In the spec section of the service's deployment, append the label suggested in the CSV file to the existing labels.
  3. To apply the namespace labels, perform the following steps:
    1. Run the following Kubernetes CLI command:
      kubectl edit namespace <namespace-name>
      For example: kubectl edit namespace guestbook
      The namespace manifest opens.
    2. In the metadata section of the namespace, append the label suggested in the CSV file to the existing labels.
  4. Run the following command to verify that the labels are applied to the pods:
    kubectl get pods -n <namespace-name> --show-labels
    For example: kubectl get pods -n guestbook --show-labels
    The labels appear in the LABELS column of the output.
    Note: Labels that you apply to a Namespace are not reflected on its Pods.
  5. To create the network policies, copy the YAML files from the respective cluster folder to another folder and run either of the following commands:
    • kubectl apply -f <folder-name>/ - to apply all the firewall rules together.
    • kubectl apply -f <folder-name>/<firewall-rule>.yaml - to apply the firewall rules one by one.
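Steps 2 and 4 above edit each deployment by hand. The following added example (not part of the VMware documentation or product) reads a recommended-service-labels-to-add.csv file and turns each row into a kubectl patch that adds the label to the deployment's pod template, validating the label value first; the CSV column names (Cluster, Namespace, Service, Label) and the sample rows are assumptions constructed to match the example shown in the table.

```python
import csv
import io
import json
import re

# Constructed sample in the shape of recommended-service-labels-to-add.csv.
# The column names are an assumption; adjust them to match the exported file.
SERVICE_LABELS_CSV = """Cluster,Namespace,Service,Label
pdk8s,sock-shop,front-end,Service:front-sock-shop-pdk8s
pdk8s,sock-shop,user,Service:user-sock-shop
"""

# Kubernetes label values: empty, or up to 63 chars, alphanumeric at both ends,
# with '-', '_' and '.' allowed in between.
LABEL_VALUE_RE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9_.-]{0,61}[A-Za-z0-9])?)?$")


def parse_label(label):
    """Split a 'key:value' (or 'key=value') label into (key, value) and validate the value.

    Rejecting malformed values here avoids a half-applied set of labels when the
    patches are run later, which would leave some pods outside the intended policy.
    """
    key, sep, value = label.partition(":")
    if not sep:
        key, sep, value = label.partition("=")
    if not sep or not key:
        raise ValueError(f"label {label!r} is not in key:value form")
    if not LABEL_VALUE_RE.match(value):
        raise ValueError(f"label value {value!r} is not a valid Kubernetes label value")
    return key, value


def service_label_patches(csv_text):
    """Return (namespace, deployment, patch) per CSV row.

    The patch targets spec.template.metadata.labels so the label lands on the pods,
    which is where the exported network policies select their targets.
    """
    patches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key, value = parse_label(row["Label"])
        patch = {"spec": {"template": {"metadata": {"labels": {key: value}}}}}
        patches.append((row["Namespace"], row["Service"], patch))
    return patches


def kubectl_patch_commands(patches):
    """Render each patch as a kubectl command (default strategic merge patch)."""
    return [
        f"kubectl patch deployment {name} -n {ns} -p '{json.dumps(patch)}'"
        for ns, name, patch in patches
    ]
```

Review the printed commands before running them; a merge patch adds the new label and leaves the deployment's existing labels in place.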