This page provides instructions to configure intra-project traffic network policies in Google Distributed Cloud (GDC) air-gapped.
Project network policies define either ingress or egress rules. You can define policies that allow communication within a project, between projects, and to external IP addresses.
If intra-project traffic enforcement is needed within a single zone, see Create workload-level network policies.
Before you begin
To configure intra-project traffic network policies, you must have the following:
- The necessary identity and access roles. For more information, see Prepare predefined roles and access.
- An existing project. For more information, see Create a project.
Create an intra-project traffic policy
For traffic within a project, GDC applies a predefined project network policy, the intra-project policy, to each project by default. With that policy, workloads in a project namespace can communicate with each other without exposing anything to external resources.
By default, there is no egress policy, so all outbound traffic from the project is allowed. As soon as you create even one egress policy, only the traffic that egress policies explicitly allow is permitted; any other outbound traffic, including traffic between workloads of the same project, is denied.
Ingress intra-project traffic network policy
When you create a project, you implicitly create a default base ProjectNetworkPolicy resource that allows intra-project communication. This policy allows inbound traffic from other workloads in the same project.
You can remove the default policy, but be aware that this removal results in denying intra-project communication for all services and workloads within the project.
Create a global egress intra-project traffic network policy
Specify a global policy to apply this project network policy to all zones in the universe. For more information on global resources in a GDC universe, see Multi-zone overview.
When you disable data exfiltration prevention and apply a ProjectNetworkPolicy egress policy to the project, such as one that prevents access to an external resource, that egress policy becomes the only source of allowed outbound traffic. Use the following required policy to keep intra-project outbound traffic allowed:
kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
apiVersion: networking.global.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT
  name: allow-intra-project-outbound-traffic
spec:
  policyType: Egress
  egress:
  - to:
    - projectSelector:
        projects:
          matchNames:
          - PROJECT
EOF
Replace the following:
- GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
- PROJECT: the name of the project where you want to allow intra-project outbound traffic.
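The failure mode this section guards against is easy to miss: the first egress policy you add to a project, even one aimed only at an external resource, switches the project from "all outbound allowed" to "only what egress rules match", and intra-project service-to-service traffic stops. The following added example (not GDC's own code or API) models the two rules this page states and builds the manifest above from a project name, so you can check a set of policies before applying them. It assumes policies are dicts shaped like the manifest on this page, that metadata.namespace is the project the policy governs, and it models only projectSelector targets; the project name "shop" and the "allow-partner" policy are constructed.

```python
# Added example, not GDC's own code: a small model of how a project's egress
# ProjectNetworkPolicy objects gate outbound traffic, following the two rules the
# page states: no egress policy means all outbound traffic is allowed; once any
# egress policy exists, only traffic matched by some egress rule is allowed.
# Assumptions (constructed): policies are dicts shaped like the page's manifest,
# metadata.namespace is the governed project, only projectSelector is modelled.

API_VERSION = "networking.global.gdc.goog/v1"


def egress_policy(project, name, allowed_projects):
    """Build an Egress ProjectNetworkPolicy letting `project` reach `allowed_projects`."""
    return {
        "apiVersion": API_VERSION,
        "kind": "ProjectNetworkPolicy",
        "metadata": {"namespace": project, "name": name},
        "spec": {
            "policyType": "Egress",
            "egress": [{"to": [{"projectSelector": {
                "projects": {"matchNames": list(allowed_projects)}}}]}],
        },
    }


def intra_project_outbound_policy(project):
    """The policy from this page: allow outbound traffic that stays inside the project."""
    return egress_policy(project, "allow-intra-project-outbound-traffic", [project])


def to_yaml(policy):
    """Render a policy built above as the manifest text kubectl would receive.
    The shape is fixed, so no YAML library is needed."""
    names = policy["spec"]["egress"][0]["to"][0]["projectSelector"]["projects"]["matchNames"]
    lines = [
        f"apiVersion: {policy['apiVersion']}",
        f"kind: {policy['kind']}",
        "metadata:",
        f"  namespace: {policy['metadata']['namespace']}",
        f"  name: {policy['metadata']['name']}",
        "spec:",
        "  policyType: Egress",
        "  egress:",
        "  - to:",
        "    - projectSelector:",
        "        projects:",
        "          matchNames:",
    ] + [f"          - {n}" for n in names]
    return "\n".join(lines) + "\n"


def egress_policies_for(policies, project):
    """All Egress policies that govern `project` (namespace == project)."""
    return [p for p in policies
            if p.get("kind") == "ProjectNetworkPolicy"
            and p["metadata"]["namespace"] == project
            and p["spec"].get("policyType") == "Egress"]


def egress_allowed(policies, src_project, dst_project):
    """Decide whether a workload in src_project may open a connection to dst_project."""
    egress = egress_policies_for(policies, src_project)
    if not egress:
        return True  # rule 1: no egress policy, everything outbound is allowed
    for pol in egress:  # rule 2: some egress rule must name the destination
        for rule in pol["spec"].get("egress", []):
            for target in rule.get("to", []):
                names = (target.get("projectSelector", {})
                         .get("projects", {}).get("matchNames", []))
                if dst_project in names:
                    return True
    return False


def missing_intra_project_allow(policies, project):
    """True when egress policies exist but none lets the project talk to itself:
    the state that silently breaks service-to-service traffic inside the project."""
    return (bool(egress_policies_for(policies, project))
            and not egress_allowed(policies, project, project))


if __name__ == "__main__":
    shop = "shop"  # constructed project name
    print(egress_allowed([], shop, shop))                   # True: no egress policy yet
    partner_only = [egress_policy(shop, "allow-partner", ["partner"])]
    print(egress_allowed(partner_only, shop, shop))         # False: intra-project traffic now blocked
    print(missing_intra_project_allow(partner_only, shop))  # True: the check a reviewer wants
    fixed = partner_only + [intra_project_outbound_policy(shop)]
    print(egress_allowed(fixed, shop, shop))                # True again
    print(to_yaml(intra_project_outbound_policy(shop)))     # the manifest from this page
```

Run missing_intra_project_allow over the policies you intend to apply to a project; a True result means the set will cut intra-project traffic and needs the allow-intra-project-outbound-traffic policy added alongside it.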