To secure traffic between Pods in an Antrea container cluster, you can create Distributed Firewall policies (security policies) in NSX and apply them to one or more Antrea container clusters.
Prerequisites
Antrea container clusters are registered to NSX.
Procedure
Results
- Antrea network plug-in creates a Cluster Network Policy corresponding to each Distributed Firewall policy that is applied to the Antrea container clusters.
- If the rules contain sources, corresponding Ingress rules are created in the Antrea Cluster Network Policy.
- If the rules contain destinations, corresponding Egress rules are created in the Antrea Cluster Network Policy.
- If the rules contain an Any-Any configuration, the Antrea Controller in the cluster splits the Any-Any rule into two rules: one Ingress rule with Any to Any, and another Egress rule with Any to Any.
What to do next
After the security policies are successfully realized in the Antrea container clusters, you can do the following optional tasks:
- Verify that the Antrea Cluster Network Policies are shown in the container clusters. Run the following kubectl command in each Antrea container cluster:
$ kubectl get acnp
Note: The priority parameter in the Antrea Cluster Network Policies shows a float value. This result is expected. NSX Manager UI does not display the priority of the Distributed Firewall policies. NSX internally assigns an integer value to the priority of each policy, drawn from a large range, whereas the Antrea network plug-in assigns a smaller float number (absolute value) to the priority of Antrea Cluster Network Policies. Therefore, the NSX priority values are internally normalized to smaller float numbers. However, the order in which you add the policies in a Distributed Firewall Category is preserved for the Antrea Cluster Network Policies.
You can also view the details of the Antrea Cluster Network Policies in the NSX inventory. In NSX Manager, navigate to, . Expand the cluster name and click the number next to Cluster Network Policies to view the details of the policies, including the YAML specifications.
- View policy statistics by using the NSX API:
GET https://{nsx-mgr-ip}/api/v1/infra/domains/{domain-id}/security-policies/{security-policy-name}/statistics?container_cluster_path=/infra/sites/{site-id}/enforcement-points/{enforcement-point-id}/cluster-control-planes/{cluster-name}
- View runtime rule statistics in the UI:
  - In NSX Manager, navigate to .
  - Expand the policy name, and then click the graph icon at the extreme right corner of each rule.
  - Select the container cluster from the drop-down menu to view the rule statistics for each container cluster.
  The statistics of a rule are computed separately for each container cluster where the rule is enforced; the UI does not display an aggregate across all container clusters. The rule statistics are computed every minute.
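As an added verification aid that is not part of this documentation: given the JSON that `kubectl get acnp -o json` returns, the script below orders the realized Antrea Cluster Network Policies by their normalized float priority, compares that order with the order in which the policies were added in NSX, and counts the Ingress and Egress rules per policy so that a split Any-Any rule shows up as one of each. The sample JSON, policy names and priority values are constructed placeholders, and the script assumes Antrea's rule that a lower priority value takes precedence.

```python
import json

# Constructed sample shaped like `kubectl get acnp -o json`. Names, priorities
# and rule bodies are placeholders, not values from a real NSX or Antrea cluster.
SAMPLE_ACNP_JSON = json.dumps({"items": [
    {"metadata": {"name": "dfw-allow-web-to-db"},
     "spec": {"priority": 1.00002, "tier": "application",
              "ingress": [{"action": "Allow", "from": [{"podSelector": {}}]}]}},
    {"metadata": {"name": "dfw-deny-any-any"},
     "spec": {"priority": 1.00003, "tier": "application",
              "ingress": [{"action": "Drop"}], "egress": [{"action": "Drop"}]}},
    {"metadata": {"name": "dfw-allow-egress-dns"},
     "spec": {"priority": 1.00001, "tier": "application",
              "egress": [{"action": "Allow", "to": [{"podSelector": {}}]}]}},
]})


def acnp_order(acnp_json: str) -> list:
    """Return ACNP names in enforcement order.

    Antrea evaluates Cluster Network Policies with a lower priority value
    first, so sorting ascending by spec.priority gives the effective order.
    The values are floats because the plug-in normalizes NSX's integers.
    """
    items = json.loads(acnp_json)["items"]
    ranked = sorted(items, key=lambda p: float(p["spec"]["priority"]))
    return [p["metadata"]["name"] for p in ranked]


def check_order(acnp_json: str, expected: list) -> tuple:
    """Compare the realized order with the order the policies were added in NSX."""
    actual = acnp_order(acnp_json)
    return actual == expected, actual


def rule_shape(acnp_json: str) -> dict:
    """Count Ingress/Egress rules per ACNP; a split Any-Any rule yields one of each."""
    shape = {}
    for p in json.loads(acnp_json)["items"]:
        spec = p["spec"]
        shape[p["metadata"]["name"]] = {
            "ingress": len(spec.get("ingress", [])),
            "egress": len(spec.get("egress", [])),
        }
    return shape


if __name__ == "__main__":
    expected = ["dfw-allow-egress-dns", "dfw-allow-web-to-db", "dfw-deny-any-any"]
    print(check_order(SAMPLE_ACNP_JSON, expected))
    print(rule_shape(SAMPLE_ACNP_JSON))
```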