To secure traffic between pods in an Antrea Kubernetes cluster, you can create distributed firewall policies (security policies) in NSX and apply them to one or more Antrea Kubernetes clusters.
The UI uses the term "Antrea container cluster" for a few fields and labels. In the Procedure section of this documentation, the term "Antrea container cluster" is retained for those UI fields and labels. In all free-form text, the term "Antrea Kubernetes cluster" is used.
Prerequisites
Antrea Kubernetes clusters are registered to NSX.
Procedure
Results
- The Antrea network plug-in creates one Antrea Cluster Network Policy for each distributed firewall policy that is applied to the Antrea Kubernetes cluster.
- If a rule contains sources, a corresponding ingress rule is created in the Antrea Cluster Network Policy.
- If a rule contains destinations, a corresponding egress rule is created in the Antrea Cluster Network Policy.
- If a rule has Any as both source and destination, the Antrea Controller in the cluster splits it into two rules: one ingress rule from Any, and one egress rule to Any.
What to do next
After the security policies are successfully realized in the Antrea Kubernetes clusters, you can do the following optional tasks:
- Verify that the Antrea cluster network policies are shown in the Kubernetes clusters. Run the following kubectl command in each Antrea Kubernetes cluster:
$ kubectl get acnp
Note: The priority of each Antrea cluster network policy is shown as a float value. This is expected. NSX Manager UI does not display the priority of a distributed firewall policy; internally, NSX assigns each policy an integer priority taken from a large range, whereas the Antrea network plug-in uses a smaller float value for the priority of an Antrea cluster network policy. The NSX priorities are therefore normalized to smaller float values. The order in which you add the policies in a distributed firewall category is preserved in the Antrea cluster network policies (a lower priority value is enforced first).
You can also view the details of the Antrea cluster network policies in the NSX inventory. In NSX Manager, navigate to, . Expand the cluster name and click the number next to Cluster Network Policies to view the details of the policies, including the YAML specifications.
- View policy statistics by using the NSX API:
GET https://{nsx-mgr-ip}/api/v1/infra/domains/{domain-id}/security-policies/{security-policy-name}/statistics?container_cluster_path=/infra/sites/{site-id}/enforcement-points/{enforcement-point-id}/cluster-control-planes/{cluster-name}
- View runtime rule statistics in the UI:
- In NSX Manager, navigate to .
- Expand the policy name, and then click the graph icon at the extreme right corner of each rule.
- Select the Kubernetes cluster from the drop-down menu to view the rule statistics for each Kubernetes cluster.
Rule statistics are computed separately for each Kubernetes cluster in which the rule is enforced; the UI does not aggregate them across clusters. The statistics are refreshed every minute.
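The Results section above describes the shape of a realized policy (sources become ingress rules, destinations become egress rules, an Any-Any rule is split, and the category order survives the float priority normalization), and the first optional task checks it with `kubectl get acnp`. The script below is an added example, not code from the NSX documentation or the Antrea project: it parses the JSON that `kubectl get acnp -o json` prints and checks those four properties. The embedded JSON is a constructed sample; the policy names (allow-web-to-db, default-deny-all), priorities and node counts are illustrative, and the script assumes the caller knows the names of the ACNPs that NSX created and the order of the policies in the DFW category.

```python
"""Check that NSX distributed firewall policies were realized as Antrea
ClusterNetworkPolicies (ACNPs). Added example; sample data is constructed."""
import json
import subprocess

# Constructed sample of `kubectl get acnp -o json` output (not a real capture):
# one policy with a source rule and a destination rule, and one Any-Any drop
# policy that the Antrea Controller has split into an ingress and an egress rule.
SAMPLE_ACNP_JSON = r"""
{"apiVersion": "v1", "kind": "List", "items": [
 {"apiVersion": "crd.antrea.io/v1alpha1", "kind": "ClusterNetworkPolicy",
  "metadata": {"name": "allow-web-to-db"},
  "spec": {"priority": 1.5, "tier": "application",
           "appliedTo": [{"podSelector": {"matchLabels": {"app": "db"}}}],
           "ingress": [{"action": "Allow", "name": "from-web",
                        "from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                        "ports": [{"protocol": "TCP", "port": 5432}]}],
           "egress": [{"action": "Allow", "name": "to-dns",
                       "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
                       "ports": [{"protocol": "UDP", "port": 53}]}]},
  "status": {"phase": "Realized", "currentNodesRealized": 3, "desiredNodesRealized": 3}},
 {"apiVersion": "crd.antrea.io/v1alpha1", "kind": "ClusterNetworkPolicy",
  "metadata": {"name": "default-deny-all"},
  "spec": {"priority": 2.5, "tier": "application",
           "appliedTo": [{"namespaceSelector": {}}],
           "ingress": [{"action": "Drop", "name": "any-to-any-in"}],
           "egress": [{"action": "Drop", "name": "any-to-any-out"}]},
  "status": {"phase": "Realizing", "currentNodesRealized": 2, "desiredNodesRealized": 3}}
]}
"""


def load_acnps(json_text):
    """Return the ACNP objects from a `kubectl get acnp -o json` dump."""
    return json.loads(json_text)["items"]


def matches_any(rule, peer_key):
    """A rule with no peers and no ports matches all traffic in its direction."""
    return not rule.get(peer_key) and not rule.get("ports")


def summarize(acnp):
    """Condense one ACNP into the facts worth checking after NSX realization."""
    spec, status = acnp["spec"], acnp.get("status", {})
    ingress, egress = spec.get("ingress", []), spec.get("egress", [])
    return {
        "name": acnp["metadata"]["name"],
        "priority": float(spec["priority"]),  # NSX integer priority, normalized to a float
        "ingress_rules": len(ingress),        # one per NSX rule with sources
        "egress_rules": len(egress),          # one per NSX rule with destinations
        # An NSX Any-Any rule shows up as one Any ingress rule plus one Any egress rule.
        "any_any_split": any(matches_any(r, "from") for r in ingress)
        and any(matches_any(r, "to") for r in egress),
        # Realized only when every node that should enforce the policy does.
        "realized": status.get("phase") == "Realized"
        and status.get("currentNodesRealized") == status.get("desiredNodesRealized"),
    }


def order_by_priority(acnps):
    """Policy names in enforcement order: Antrea evaluates lower values first."""
    return [a["metadata"]["name"]
            for a in sorted(acnps, key=lambda a: float(a["spec"]["priority"]))]


def check_realization(acnps, expected_order):
    """Compare the cluster with the policy order configured in the DFW category.

    expected_order: ACNP names in the order the policies appear in the NSX
    category (assumption: the caller knows the names NSX gave the ACNPs).
    """
    names = order_by_priority(acnps)
    missing = [n for n in expected_order if n not in names]
    wanted = [n for n in expected_order if n not in missing]
    found = [n for n in names if n in expected_order]
    unrealized = [s["name"] for s in map(summarize, acnps) if not s["realized"]]
    return {"missing": missing, "order_preserved": found == wanted,
            "unrealized": unrealized}


if __name__ == "__main__":
    try:  # use the live cluster when kubectl is reachable, else the sample
        raw = subprocess.run(["kubectl", "get", "acnp", "-o", "json"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        raw = SAMPLE_ACNP_JSON
    policies = load_acnps(raw)
    for summary in map(summarize, policies):
        print(summary)
    print(check_realization(policies, ["allow-web-to-db", "default-deny-all"]))
```

Run it in each Antrea Kubernetes cluster after the policies are applied; a non-empty `missing` or `unrealized` list, or `order_preserved` being false, means the NSX policy has not (yet) been realized the way the Results section describes, and the NSX inventory view of the cluster is the place to look next.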