Create workload-level network policies

This page provides instructions to configure workload-level network policies in Google Distributed Cloud (GDC) air-gapped.

Workload-level network policies offer granular control over communication between individual workloads within a project. This granularity allows stricter control of network access, improving security and resource use.

Workload-level network policies can also scope a ProjectNetworkPolicy (PNP) to a single zone. By adding zone-specific labels to the workloads in that zone, you can control communication between individual workloads within a project, or across projects, for that zone only. For more information, see Single zone workload-level network policy.

Create a workload-level intra-project traffic policy

You can create a workload-level intra-project traffic policy to enable or disable network access for traffic between workloads within a project.

Ingress workload-level intra-project traffic network policy

When you create a project, you implicitly create a default base ProjectNetworkPolicy resource, base-policy-allow-intra-project-traffic, that allows inbound traffic to every workload from every other workload in the same project.

Because that base policy already allows all intra-project inbound traffic, a narrower workload-level policy has no effect while the base policy is in place. Delete the base policy before you create a workload-level intra-project traffic policy. After the deletion, a workload in the project receives intra-project traffic only if an explicit policy allows it, so create a policy for every workload that must remain reachable, not only for the pair you are restricting.

  1. To delete the default base policy, run the following command:

    kubectl --kubeconfig GLOBAL_API_SERVER delete pnp base-policy-allow-intra-project-traffic -n PROJECT
    
  2. To create an ingress workload-level intra-project traffic network policy, create and apply the following custom resource:

    kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
    apiVersion: networking.global.gdc.goog/v1
    kind: ProjectNetworkPolicy
    metadata:
      namespace: PROJECT
      name: allow-intra-project-inbound-traffic-from-target-to-subject
    spec:
      policyType: Ingress
      subject:
        subjectType: UserWorkload
        workloadSelector:
          matchLabels:
            SUBJECT_LABEL_KEY: SUBJECT_LABEL_VALUE
      ingress:
      - from:
        - projectSelector:
            projects:
              matchNames:
              - PROJECT
            workloads:
              matchLabels:
                TARGET_LABEL_KEY: TARGET_LABEL_VALUE
    EOF
    

    Replace the following:

    • GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
    • PROJECT: the name of the project where you want to allow workload-level intra-project inbound traffic.
    • SUBJECT_LABEL_KEY: the key of the label used to select the destination workloads, that is, the workloads this ingress policy applies to. For example, app, tier, or role.
    • SUBJECT_LABEL_VALUE: the value associated with the SUBJECT_LABEL_KEY. It specifies which workloads receive the allowed traffic. For example, if SUBJECT_LABEL_KEY is app and SUBJECT_LABEL_VALUE is backend, then workloads with the label app: backend are the traffic destination.
    • TARGET_LABEL_KEY: the key of the label used to select the source workloads listed under from.
    • TARGET_LABEL_VALUE: the value associated with the TARGET_LABEL_KEY. It specifies which workloads in the project may send the allowed traffic. For example, if TARGET_LABEL_KEY is app and TARGET_LABEL_VALUE is frontend, only workloads with the label app: frontend can reach the subject workloads.
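The two steps above as one script. This is an added example, not GDC tooling: it renders the ingress manifest from explicit parameters, refuses to continue if a label token is empty or not a valid Kubernetes label value (an unfilled placeholder is the usual way to end up with a policy that selects nothing), and only runs kubectl when APPLY=1 is set, so it can be dry-run without a cluster. The project name shop and the app labels are constructed values.

```shell
#!/bin/sh
# Added helper for the delete-then-apply procedure; not part of GDC.
# Prints the manifest by default; APPLY=1 deletes the base policy, applies
# the workload-level policy and lists the policies left in the project.
set -eu

# Kubernetes label value syntax: alphanumeric at both ends, '-', '_' or '.'
# inside, at most 63 characters. Keys are checked with the same pattern for
# simplicity; prefixed keys such as example.com/app are deliberately rejected.
valid_label() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$'
}

# Render the manifest to stdout.
# Arguments: PROJECT SUBJECT_KEY SUBJECT_VALUE TARGET_KEY TARGET_VALUE
render_intra_project_ingress() {
  project=$1 skey=$2 sval=$3 tkey=$4 tval=$5
  [ -n "$project" ] || { echo "render: PROJECT is empty" >&2; return 1; }
  for v in "$skey" "$sval" "$tkey" "$tval"; do
    valid_label "$v" || { echo "render: bad label token '$v'" >&2; return 1; }
  done
  cat <<EOF
apiVersion: networking.global.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: $project
  name: allow-intra-project-inbound-traffic-from-target-to-subject
spec:
  policyType: Ingress
  subject:
    subjectType: UserWorkload
    workloadSelector:
      matchLabels:
        $skey: $sval
  ingress:
  - from:
    - projectSelector:
        projects:
          matchNames:
          - $project
        workloads:
          matchLabels:
            $tkey: $tval
EOF
}

# Full procedure. Arguments: KUBECONFIG PROJECT SUBJECT_KEY SUBJECT_VALUE TARGET_KEY TARGET_VALUE
apply_intra_project_ingress() {
  kubeconfig=$1; shift
  project=$1
  manifest=$(render_intra_project_ingress "$@") || return 1
  if [ "${APPLY:-0}" != 1 ]; then
    printf '%s\n' "$manifest"
    return 0
  fi
  # --ignore-not-found keeps the step idempotent on a second run.
  kubectl --kubeconfig "$kubeconfig" delete pnp base-policy-allow-intra-project-traffic \
    -n "$project" --ignore-not-found
  printf '%s\n' "$manifest" | kubectl --kubeconfig "$kubeconfig" apply -f -
  # Verify: with the base policy gone, only the explicit allow policies should remain.
  kubectl --kubeconfig "$kubeconfig" get pnp -n "$project"
}

# Constructed invocation: in project "shop", allow only app=frontend to reach app=backend.
# Prints the manifest; set APPLY=1 and GLOBAL_API_SERVER to a real kubeconfig path to apply it.
apply_intra_project_ingress "${GLOBAL_API_SERVER:-global-api.kubeconfig}" shop app backend app frontend
```

Run it once without APPLY to review the rendered policy, then again with APPLY=1. The final kubectl get pnp listing is the check that the base policy is really gone; if it is still listed, the narrower policy is not restricting anything.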

Create a workload-level cross-project traffic policy

You can create a workload-level cross-project traffic policy to enable or disable network access for traffic between workloads in different projects.

Egress workload-level cross-project traffic network policy

  • To create an egress workload-level cross-project traffic network policy, create and apply the following custom resource:

    kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
    apiVersion: networking.global.gdc.goog/v1
    kind: ProjectNetworkPolicy
    metadata:
      namespace: PROJECT_1
      name: allow-cross-project-outbound-traffic-from-subject-to-target
    spec:
      policyType: Egress
      subject:
        subjectType: UserWorkload
        workloadSelector:
          matchLabels:
            SUBJECT_LABEL_KEY: SUBJECT_LABEL_VALUE
      egress:
      - to:
        - projectSelector:
            projects:
              matchNames:
              - PROJECT_2
            workloads:
              matchLabels:
                TARGET_LABEL_KEY: TARGET_LABEL_VALUE
    EOF
    

    Replace the following:

    • GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
    • PROJECT_1: the name of the project where you want to allow workload-level cross-project outbound traffic.
    • PROJECT_2: the name of the project that contains the destination workloads for the allowed outbound traffic.
    • SUBJECT_LABEL_KEY: the key of the label used to select the source workloads. For example, app, tier, or role.
    • SUBJECT_LABEL_VALUE: the value associated with the SUBJECT_LABEL_KEY. It specifies which workloads are the source of the allowed traffic. For example, if SUBJECT_LABEL_KEY is app and SUBJECT_LABEL_VALUE is backend, then workloads with the label app: backend are the traffic source.
    • TARGET_LABEL_KEY: the key of the label used to select the destination workloads.
    • TARGET_LABEL_VALUE: the value associated with the TARGET_LABEL_KEY. It specifies which workloads are the destination of the allowed traffic.

Create a single zone workload-level intra-project traffic policy

You can create a single zone workload-level intra-project traffic policy to enable or disable network access for traffic between workloads within a project in a specific zone.

Single zone ingress workload-level intra-project traffic network policy

When you create a project, you implicitly create a default base ProjectNetworkPolicy resource that allows intra-project communication between all workloads. This policy allows inbound traffic from other workloads in the same project.

To create a single zone ingress workload-level intra-project traffic network policy, first delete the default base policy. While it is in place it allows all intra-project inbound traffic, so the narrower policy has no effect; after you delete it, workloads in the project receive only the intra-project traffic that an explicit policy allows.

  1. To delete the default base policy, run the following command:

    kubectl --kubeconfig GLOBAL_API_SERVER delete pnp base-policy-allow-intra-project-traffic -n PROJECT
    
  2. To create a single zone ingress workload-level intra-project traffic network policy, create and apply the following custom resource:

    kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
    apiVersion: networking.global.gdc.goog/v1
    kind: ProjectNetworkPolicy
    metadata:
      namespace: PROJECT
      name: allow-single-zone-intra-project-inbound-traffic-from-target-to-subject
    spec:
      policyType: Ingress
      subject:
        subjectType: UserWorkload
        workloadSelector:
          matchLabels:
            SUBJECT_LABEL_KEY: SUBJECT_LABEL_VALUE
            ZONE_SUBJECT_LABEL_KEY: ZONE_SUBJECT_LABEL_VALUE
      ingress:
      - from:
        - projectSelector:
            projects:
              matchNames:
              - PROJECT
            workloads:
              matchLabels:
                TARGET_LABEL_KEY: TARGET_LABEL_VALUE
                ZONE_TARGET_LABEL_KEY: ZONE_TARGET_LABEL_VALUE
    EOF
    

    Replace the following:

    • GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
    • PROJECT: the name of the project where you want to allow single zone workload-level intra-project inbound traffic.
    • SUBJECT_LABEL_KEY: the key of the label used to select the destination workloads, that is, the workloads this ingress policy applies to. For example, app, tier, or role.
    • SUBJECT_LABEL_VALUE: the value associated with the SUBJECT_LABEL_KEY. It specifies which workloads receive the allowed traffic. For example, if SUBJECT_LABEL_KEY is app and SUBJECT_LABEL_VALUE is backend, then workloads with the label app: backend are the traffic destination.
    • TARGET_LABEL_KEY: the key of the label used to select the source workloads listed under from.
    • TARGET_LABEL_VALUE: the value associated with the TARGET_LABEL_KEY. It specifies which workloads in the project may send the allowed traffic.
    • ZONE_SUBJECT_LABEL_KEY: the key of the label used to select the destination zone. For example, zone.
    • ZONE_SUBJECT_LABEL_VALUE: the value associated with the ZONE_SUBJECT_LABEL_KEY. It specifies which zone receives the allowed traffic. For example, if ZONE_SUBJECT_LABEL_KEY is zone and ZONE_SUBJECT_LABEL_VALUE is us-central1-a, then only workloads with the label zone: us-central1-a are the traffic destination.
    • ZONE_TARGET_LABEL_KEY: the key of the label used to select the source zone.
    • ZONE_TARGET_LABEL_VALUE: the value associated with the ZONE_TARGET_LABEL_KEY. It specifies which zone is the source of the allowed traffic.

    The zone labels are ordinary workload labels that you apply to the workloads in each zone; the policy does not derive a workload's zone on its own. A workload that is missing the zone label matches neither selector and is excluded from this policy.

Create a single zone workload-level cross-project traffic policy

You can create a single zone workload-level cross-project traffic policy to enable or disable network access for traffic between workloads within different projects in a specific zone.

Single zone egress workload-level cross-project traffic network policy

  • To create a single zone egress workload-level cross-project traffic network policy, create and apply the following custom resource:

    kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
    apiVersion: networking.global.gdc.goog/v1
    kind: ProjectNetworkPolicy
    metadata:
      namespace: PROJECT_1
      name: allow-single-zone-cross-project-outbound-traffic-from-subject-to-target
    spec:
      policyType: Egress
      subject:
        subjectType: UserWorkload
        workloadSelector:
          matchLabels:
            SUBJECT_LABEL_KEY: SUBJECT_LABEL_VALUE
            ZONE_SUBJECT_LABEL_KEY: ZONE_SUBJECT_LABEL_VALUE
      egress:
      - to:
        - projectSelector:
            projects:
              matchNames:
              - PROJECT_2
            workloads:
              matchLabels:
                TARGET_LABEL_KEY: TARGET_LABEL_VALUE
                ZONE_TARGET_LABEL_KEY: ZONE_TARGET_LABEL_VALUE
    EOF
    

    Replace the following:

    • GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
    • PROJECT_1: the name of the project where you want to allow single zone workload-level cross-project outbound traffic.
    • PROJECT_2: the name of the project that contains the destination workloads for the allowed single zone outbound traffic.
    • SUBJECT_LABEL_KEY: the key of the label used to select the source workloads. For example, app, tier, or role.
    • SUBJECT_LABEL_VALUE: the value associated with the SUBJECT_LABEL_KEY. It specifies which workloads are the source of the allowed traffic. For example, if SUBJECT_LABEL_KEY is app and SUBJECT_LABEL_VALUE is backend, then workloads with the label app: backend are the traffic source.
    • TARGET_LABEL_KEY: the key of the label used to select the destination workloads.
    • TARGET_LABEL_VALUE: the value associated with the TARGET_LABEL_KEY. It specifies which workloads are the destination of the allowed traffic.
    • ZONE_SUBJECT_LABEL_KEY: the key of the label used to select the source zone. For example, zone.
    • ZONE_SUBJECT_LABEL_VALUE: the value associated with the ZONE_SUBJECT_LABEL_KEY. It specifies which zone is the source of the allowed traffic. For example, if ZONE_SUBJECT_LABEL_KEY is zone and ZONE_SUBJECT_LABEL_VALUE is us-central1-a, then only workloads with the label zone: us-central1-a are the traffic source.
    • ZONE_TARGET_LABEL_KEY: the key of the label used to select the destination zone.
    • ZONE_TARGET_LABEL_VALUE: the value associated with the ZONE_TARGET_LABEL_KEY. It specifies which zone is the destination of the allowed traffic.

    The zone labels are ordinary workload labels that you apply to the workloads in each zone; the policy does not derive a workload's zone on its own. Because this egress policy is created in PROJECT_1, the workloads in PROJECT_2 also need a matching ingress policy for the traffic to be accepted on their side.
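To see how the four kinds of policy on this page combine, here is a small evaluator that mirrors the manifests as Python dicts and decides whether a flow is allowed. This is an added illustration, not GDC code, and it encodes an assumed model: every ProjectNetworkPolicy is an allow rule, ingress is decided by policies in the destination project, egress by policies in the source project, and cross-project traffic needs both halves. The project names shop and analytics, the app labels and the zone values are made up.

```python
"""Toy evaluator for the ProjectNetworkPolicy (PNP) manifests on this page.

Constructed illustration, not GDC code. Assumed model: every PNP is an allow
rule; src -> dst passes only if an Ingress PNP in dst's project whose subject
selects dst lists src under `from` and, when the projects differ, an Egress PNP
in src's project whose subject selects src lists dst under `to`; an empty
matchLabels selects every workload. Project names, labels and zones are made up.
"""
from dataclasses import dataclass


@dataclass
class Workload:
    project: str
    labels: dict


def pnp(namespace, policy_type, subject_labels, peers):
    """Dict shaped like the page's manifests; peers = [(project, matchLabels), ...]."""
    rule_key, peer_key = ("ingress", "from") if policy_type == "Ingress" else ("egress", "to")
    return {
        "metadata": {"namespace": namespace},
        "spec": {
            "policyType": policy_type,
            "subject": {"subjectType": "UserWorkload",
                        "workloadSelector": {"matchLabels": dict(subject_labels)}},
            rule_key: [{peer_key: [
                {"projectSelector": {"projects": {"matchNames": [proj]},
                                     "workloads": {"matchLabels": dict(sel)}}}
                for proj, sel in peers]}],
        },
    }


def _labels_match(want, have):
    return all(have.get(k) == v for k, v in want.items())


def _subject_selects(policy, wl):
    sel = policy["spec"]["subject"].get("workloadSelector", {}).get("matchLabels", {})
    return policy["metadata"]["namespace"] == wl.project and _labels_match(sel, wl.labels)


def _peer_selects(peer, wl):
    sel = peer["projectSelector"]
    return (wl.project in sel["projects"]["matchNames"]
            and _labels_match(sel.get("workloads", {}).get("matchLabels", {}), wl.labels))


def _permits(policies, policy_type, subject, other):
    """True if a policy of policy_type whose subject selects `subject` lists `other`."""
    rule_key, peer_key = ("ingress", "from") if policy_type == "Ingress" else ("egress", "to")
    return any(
        _peer_selects(p, other)
        for pol in policies
        if pol["spec"]["policyType"] == policy_type and _subject_selects(pol, subject)
        for rule in pol["spec"].get(rule_key, [])
        for p in rule.get(peer_key, []))


def allowed(policies, src, dst):
    """True if src may open a connection to dst under the assumed model."""
    if not _permits(policies, "Ingress", dst, src):
        return False
    return src.project == dst.project or _permits(policies, "Egress", src, dst)


# Constructed workloads in two made-up projects.
frontend = Workload("shop", {"app": "frontend", "zone": "zone-a"})
backend_a = Workload("shop", {"app": "backend", "zone": "zone-a"})
backend_b = Workload("shop", {"app": "backend", "zone": "zone-b"})
batch = Workload("shop", {"app": "batch", "zone": "zone-a"})
reporter = Workload("analytics", {"app": "reporter", "zone": "zone-a"})

# Stand-in for base-policy-allow-intra-project-traffic: all of shop reaches all of shop.
BASE = pnp("shop", "Ingress", {}, [("shop", {})])
# Workload-level ingress from this page: only app=frontend may reach app=backend.
WL_INGRESS = pnp("shop", "Ingress", {"app": "backend"}, [("shop", {"app": "frontend"})])
# Single-zone variant: both ends additionally pinned to zone-a by label.
ZONE_INGRESS = pnp("shop", "Ingress", {"app": "backend", "zone": "zone-a"},
                   [("shop", {"app": "frontend", "zone": "zone-a"})])
# Cross-project pair: Egress in the source project plus Ingress in the destination.
XP_EGRESS = pnp("analytics", "Egress", {"app": "reporter"}, [("shop", {"app": "backend"})])
XP_INGRESS = pnp("shop", "Ingress", {"app": "backend"}, [("analytics", {"app": "reporter"})])


def scenarios():
    """Outcomes of the page's procedures under the assumed model."""
    return {
        # base policy still present: the narrower policy changes nothing
        "base_kept_batch_to_backend": allowed([BASE, WL_INGRESS], batch, backend_a),
        # base policy deleted: only the labelled pair passes ...
        "base_gone_frontend_to_backend": allowed([WL_INGRESS], frontend, backend_a),
        "base_gone_batch_to_backend": allowed([WL_INGRESS], batch, backend_a),
        # ... and a workload that no policy names as subject receives nothing
        "base_gone_backend_to_frontend": allowed([WL_INGRESS], backend_a, frontend),
        # single-zone policy: same app labels, other zone -> denied
        "zone_frontend_to_backend_a": allowed([ZONE_INGRESS], frontend, backend_a),
        "zone_frontend_to_backend_b": allowed([ZONE_INGRESS], frontend, backend_b),
        # cross-project traffic needs both halves
        "xp_egress_only": allowed([XP_EGRESS], reporter, backend_a),
        "xp_both_halves": allowed([XP_EGRESS, XP_INGRESS], reporter, backend_a),
    }
```

The two results worth noticing are base_kept_batch_to_backend (the workload-level policy is invisible until the base policy is deleted) and base_gone_backend_to_frontend (after the deletion, a workload that no policy names as its subject receives no intra-project traffic at all). Use it to sanity-check a set of planned policies before applying them; real enforcement is done by the platform, not by this model.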