Create Connection Rules from Helm charts

Create Connection Policy Rules from the CD Plugin

You can create Cisco Panoptica Connection Policy rules from the CD plugin. In this way, the correct rules are in place when a workload is deployed, without having to configure the rules separately.

A rule is created by adding a policy YAML file for each workload deployed, which defines the connections that are permitted and blocked for the workload. This file is included in the Helm chart. The information in the file is passed to Panoptica when the chart is run.

Policy YAML file

The example below shows a policy YAML file for a workload. This file creates the following connection rules:

  • permit connections to the workload 'db'
  • block all external outbound connections
  • permit internal and external connections from all sources

kind: SecureCNPolicy
apiVersion: securecn.io/v1beta1
metadata:
  name: nginx
spec:
  deploymentName: nginx
  to:
    internal: [db]
    external: false
  from:
    internal: []
    external: true

Fields in the file

The policy file has these fields:

  • kind - fixed as 'SecureCNPolicy'
  • apiVersion - fixed as 'securecn.io/v1beta1'
  • deploymentName - the name of the pod; this is also the name of the Connection Policy group that is created for the new rules
  • to - the workloads this pod can send to: internal is a list of workload names, external is true or false
  • from - the workloads that can send to this pod, with the same internal (list) and external (true / false) fields
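As an added example (not part of the Panoptica documentation or product), the following dependency-free Python linter parses the policy file format shown above, checks the fixed fields, and flags each direction where external is set to true so that the exposure is reviewed before the chart is deployed. It assumes the two-space indentation and inline lists used in the example file.

```python
SAMPLE_POLICY = """kind: SecureCNPolicy
apiVersion: securecn.io/v1beta1
metadata:
  name: nginx
spec:
  deploymentName: nginx
  to:
    internal: [db]
    external: false
  from:
    internal: []
    external: true
"""  # constructed sample: the policy file shown on this page

def _scalar(text):  # '[a, b]' -> list, true/false -> bool, anything else -> str
    text = text.strip()
    if text.startswith("["):
        inner = text[1:-1].strip()
        return [i.strip() for i in inner.split(",")] if inner else []
    return text == "true" if text in ("true", "false") else text

def parse_policy(text):  # parses the indentation-nested 'key: value' subset the policy files use
    root, stack = {}, []  # stack of (indent, mapping) for open nested blocks
    for line in filter(str.strip, text.splitlines()):
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and indent <= stack[-1][0]:  # a dedent closes nested mappings
            stack.pop()
        parent = stack[-1][1] if stack else root
        if value.strip():
            parent[key] = _scalar(value)
        else:  # no inline value: a nested mapping follows at a deeper indent
            stack.append((indent, parent.setdefault(key, {})))
    return root

def lint_policy(doc):  # returns (errors, warnings) for a parsed SecureCNPolicy document
    errors, warnings = [], []
    for field, fixed in (("kind", "SecureCNPolicy"), ("apiVersion", "securecn.io/v1beta1")):
        if doc.get(field) != fixed:
            errors.append(f"{field} must be '{fixed}'")
    spec = doc.get("spec") or {}
    if not spec.get("deploymentName"):
        errors.append("spec.deploymentName (the Connection Policy group) is required")
    for direction in ("to", "from"):
        block = spec.get(direction) or {}
        if not isinstance(block.get("internal"), list) or not isinstance(block.get("external"), bool):
            errors.append(f"spec.{direction} needs 'internal' (list) and 'external' (true/false)")
        elif block["external"]:  # external traffic is permitted in this direction: review it
            warnings.append(f"spec.{direction}.external is true")
    return errors, warnings
```

Running lint_policy(parse_policy(SAMPLE_POLICY)) on the page's example returns no errors and one warning, because the file permits inbound connections from external sources.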
