You can create Cisco Panoptica Connection Policy rules from the CD plugin. In this way, the correct rules are in place when a workload is deployed, without having to configure the rules separately.
A rule is created by adding a policy YAML file for each workload deployed, which defines the connections that are permitted and blocked for the workload. This file is included in the Helm chart. The information in the file is passed to Panoptica when the chart is run.
The example below shows a policy YAML file for a workload named nginx. When the chart is deployed, this file creates the following connection rules:
- permit connections to the workload 'db'
- block all external outbound connections
- permit internal and external connections from all sources
```yaml
kind: SecureCNPolicy
apiVersion: securecn.io/v1beta1
metadata:
  name: nginx
spec:
  deploymentName: nginx
  to:
    internal: [db]
    external: false
  from:
    internal:
    external: true
```
The policy file has these fields:
- kind - fixed as 'SecureCNPolicy'
- apiVersion - fixed as 'securecn.io/v1beta1'
- deploymentName - the name of the pod; this is also the name of the Connection Policy group that is created for the new rules
- to - workloads that this pod is permitted to send to: 'internal' is a list of workload names, 'external' is true or false
- from - workloads that are permitted to send to this pod, with the same 'internal' and 'external' fields
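Because the policy file travels with the Helm chart, a malformed file (wrong kind, a quoted "false" that is really a string, a missing deploymentName) is only noticed after the workload is already running without the rules you expected. The following added example, which is not part of the Panoptica plugin or its documentation, lints a policy file before the chart is run and renders the rules it will create so they can be reviewed in the pipeline. The parser is a deliberately small subset parser for the shape of file shown above (assumption: it is not a general YAML implementation), and the sample policy is copied from this page.

```python
"""Pre-deploy lint for a Panoptica connection policy file (added example)."""
from typing import Any

# Constructed sample: the policy file shown on this page.
SAMPLE_POLICY = """\
kind: SecureCNPolicy
apiVersion: securecn.io/v1beta1
metadata:
  name: nginx
spec:
  deploymentName: nginx
  to:
    internal: [db]
    external: false
  from:
    internal:
    external: true
"""

# Fixed values documented for the policy file.
EXPECTED_KIND = "SecureCNPolicy"
EXPECTED_API_VERSION = "securecn.io/v1beta1"


def _scalar(text: str) -> Any:
    """Convert the right-hand side of 'key: value' for the few shapes the policy uses."""
    text = text.strip()
    if text == "":
        return None  # 'internal:' with nothing after it
    if text in ("true", "false"):
        return text == "true"  # unquoted booleans only; "false" in quotes stays a string
    if text.startswith("[") and text.endswith("]"):
        inner = text[1:-1].strip()
        return [item.strip() for item in inner.split(",")] if inner else []
    return text


def parse_policy(text: str) -> dict:
    """Parse the indentation-based subset of YAML used by these policy files.

    Assumption for this example: this is NOT a general YAML parser. It handles
    nested mappings by indentation, inline lists, booleans and plain strings,
    which is all the policy shown on the page needs.
    """
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for i, raw in enumerate(lines):
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()  # leave mappings that are indented deeper than this line
        parent = stack[-1][1]
        next_indent = -1
        if i + 1 < len(lines):
            next_indent = len(lines[i + 1]) - len(lines[i + 1].lstrip(" "))
        if value.strip() == "" and next_indent > indent:
            child: dict = {}  # 'key:' followed by a more indented block is a nested mapping
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def lint_policy(policy: dict) -> list[str]:
    """Return the problems found; an empty list means the file matches the documented fields."""
    problems: list[str] = []
    if policy.get("kind") != EXPECTED_KIND:
        problems.append(f"kind must be {EXPECTED_KIND!r}, got {policy.get('kind')!r}")
    if policy.get("apiVersion") != EXPECTED_API_VERSION:
        problems.append(f"apiVersion must be {EXPECTED_API_VERSION!r}, got {policy.get('apiVersion')!r}")
    spec = policy.get("spec")
    if not isinstance(spec, dict):
        return problems + ["spec is missing"]
    if not isinstance(spec.get("deploymentName"), str) or not spec["deploymentName"]:
        problems.append("spec.deploymentName must name the deployed pod")
    for direction in ("to", "from"):
        section = spec.get(direction)
        if not isinstance(section, dict):
            problems.append(f"spec.{direction} must be a mapping with 'internal' and 'external'")
            continue
        if not isinstance(section.get("external"), bool):
            problems.append(f"spec.{direction}.external must be true or false, not {section.get('external')!r}")
        internal = section.get("internal")
        if internal is not None and not (isinstance(internal, list) and all(isinstance(w, str) for w in internal)):
            problems.append(f"spec.{direction}.internal must be a list of workload names")
    return problems


def describe_rules(policy: dict) -> list[str]:
    """Render the connection rules the file will create, for a human review step."""
    spec = policy["spec"]
    name = spec["deploymentName"]
    rules: list[str] = []
    # An empty 'internal' is shown on the page as permitting all internal sources.
    for peer in spec["to"].get("internal") if spec["to"].get("internal") is not None else ["any internal workload"]:
        rules.append(f"permit {name} -> {peer}")
    rules.append(("permit" if spec["to"].get("external") else "block") + f" {name} -> external")
    for peer in spec["from"].get("internal") if spec["from"].get("internal") is not None else ["any internal workload"]:
        rules.append(f"permit {peer} -> {name}")
    rules.append(("permit" if spec["from"].get("external") else "block") + f" external -> {name}")
    return rules


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    for problem in lint_policy(parsed):
        print("PROBLEM:", problem)
    for rule in describe_rules(parsed):
        print(rule)
```

Run it as a pipeline step before `helm install`: a non-empty problem list should fail the job, and the rendered rules give the reviewer the same four statements listed above this example (permit nginx to db, block outbound external, permit internal and external sources) without having to read the YAML.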