# Reference: Networking CRDs
The platform provides a set of Custom Resource Definitions (CRDs) to simplify
the creation and management of Kubernetes NetworkPolicy resources. These CRDs
allow you to declaratively define the communication paths your application
needs, and the operator translates them into the underlying, more complex
NetworkPolicy objects.
This document serves as a technical reference for the three core networking CRDs. For a task-oriented guide on how to use them, see Configuring Application Networking.
## NetworkProfile

A `NetworkProfile` is a cluster-level, reusable template of network rules.
It defines a named set of ingress or egress rules that can be applied to any
application component. NetworkProfiles are typically managed by platform
administrators to define common, pre-approved network paths (e.g., allowing
traffic from the ingress controller or allowing traffic to a shared database).
### Specification (`spec`)

| Field | Type | Description |
|---|---|---|
| `ingress` | `[]NetworkPolicyIngressRule` | A list of standard Kubernetes `NetworkPolicyIngressRule` objects that define allowed incoming traffic. |
| `egress` | `[]NetworkPolicyEgressRule` | A list of standard Kubernetes `NetworkPolicyEgressRule` objects that define allowed outgoing traffic. |
### Example

This `NetworkProfile` allows ingress traffic from the `netic-ingress-system`
namespace on a port named `http`.

```yaml
apiVersion: networking.tcs.trifork.com/v1alpha1
kind: NetworkProfile
metadata:
  name: contour-ingress
spec:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: netic-ingress-system
      ports:
        - protocol: TCP
          port: http
```
## LocalNetworkConfig

A `LocalNetworkConfig` defines the required communication paths for applications
within a single namespace. It is the primary tool you will use to allow your
application's own components (e.g., a frontend and a backend) to talk to each
other.
### Specification (`spec`)

| Field | Type | Description |
|---|---|---|
| `components` | `map[string]NetworkConfigComponent` | A map where each key is the name of a component within your application. The value defines the component's pods and its communication dependencies. |

### Component Specification (`NetworkConfigComponent`)

| Field | Type | Description |
|---|---|---|
| `podSelector` | `LabelSelector` | Required. A standard Kubernetes label selector to identify the pods that belong to this component. |
| `dependsOn` | `[]Dependency` | A list of other components or profiles that this component needs to connect to. |
| `profiles` | `[]string` | A list of `NetworkProfile` names to apply to this component. |
### Example

This `LocalNetworkConfig` defines two components, `frontend` and `backend`. It
creates network policies that allow the frontend to initiate connections to
the backend on the `http` port.

```yaml
apiVersion: networking.tcs.trifork.com/v1alpha1
kind: LocalNetworkConfig
metadata:
  name: my-app-network-config
spec:
  components:
    frontend:
      podSelector:
        matchLabels:
          app.kubernetes.io/name: frontend
      dependsOn:
        - component: backend
          port: http
      profiles:
        - contour-ingress # Also applies the ingress rules from this profile
    backend:
      podSelector:
        matchLabels:
          app.kubernetes.io/name: backend
```
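To make the translation concrete, here is an added illustration (not the operator's own code) of how a `LocalNetworkConfig` and the `NetworkProfile` it references could be expanded into one `NetworkPolicy` per component: each `dependsOn` entry opens egress on the dependent and a matching ingress on the dependency, and profile rules are merged in. It assumes a default-deny posture (both `Ingress` and `Egress` in `policyTypes`), TCP for every `dependsOn` port, and a constructed namespace `my-app`.

```python
# Illustrative translation of a LocalNetworkConfig (plus the NetworkProfiles it
# references) into the NetworkPolicy objects the operator would create. Added
# example, not the operator's code; assumes default-deny (policyTypes lists both
# Ingress and Egress), TCP for every dependsOn port and one policy per component.

def translate(local_cfg: dict, profiles: dict) -> dict:
    """Return {component name: NetworkPolicy manifest} for one LocalNetworkConfig.
    profiles maps a NetworkProfile name to its spec (ingress/egress rule lists)."""
    ns = local_cfg["metadata"].get("namespace", "default")
    comps = local_cfg["spec"]["components"]
    out = {}
    for name, comp in comps.items():
        ingress, egress = [], []
        # Outgoing paths: each dependsOn entry becomes an egress rule that
        # targets the dependency's pods on the requested port.
        for dep in comp.get("dependsOn", []):
            target = comps[dep["component"]]
            egress.append({"to": [{"podSelector": target["podSelector"]}],
                           "ports": [{"protocol": "TCP", "port": dep["port"]}]})
        # Incoming paths: every other component that depends on this one gets a
        # matching ingress rule, so both ends of the path are opened.
        for other in comps.values():
            for dep in other.get("dependsOn", []):
                if dep["component"] == name:
                    ingress.append({"from": [{"podSelector": other["podSelector"]}],
                                    "ports": [{"protocol": "TCP", "port": dep["port"]}]})
        # Pre-approved cluster paths from the referenced NetworkProfiles.
        for pname in comp.get("profiles", []):
            ingress.extend(profiles[pname].get("ingress", []))
            egress.extend(profiles[pname].get("egress", []))
        out[name] = {
            "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": f"{local_cfg['metadata']['name']}-{name}", "namespace": ns},
            "spec": {"podSelector": comp["podSelector"], "policyTypes": ["Ingress", "Egress"],
                     "ingress": ingress, "egress": egress}}
    return out

# Constructed inputs mirroring the page's examples (namespace my-app is assumed).
CONTOUR_INGRESS = {"ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "netic-ingress-system"}}}],
                                "ports": [{"protocol": "TCP", "port": "http"}]}]}
MY_APP = {"metadata": {"name": "my-app-network-config", "namespace": "my-app"},
          "spec": {"components": {
              "frontend": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "frontend"}},
                           "dependsOn": [{"component": "backend", "port": "http"}],
                           "profiles": ["contour-ingress"]},
              "backend": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "backend"}}}}}}
POLICIES = translate(MY_APP, {"contour-ingress": CONTOUR_INGRESS})
```

Note that with `Egress` in `policyTypes` and an empty `egress` list, the generated `backend` policy denies all outbound traffic from those pods, DNS included; that is the default-deny behaviour this example assumes, so a component that needs name resolution would have to get that path from a profile or a dependency.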
## NetworkConfig

A `NetworkConfig` is a cluster-level resource that defines communication
paths between different namespaces. It is used for more advanced use cases
where applications need to communicate across namespace boundaries. It is
typically managed by platform administrators.

Its structure is nearly identical to `LocalNetworkConfig`, but the
`NetworkConfigComponent` includes a `namespace` field to specify where each
component lives.
### Specification (`spec`)

| Field | Type | Description |
|---|---|---|
| `components` | `map[string]NetworkConfigComponent` | A map defining the components involved in the cross-namespace communication. |

### Component Specification (`NetworkConfigComponent`)

| Field | Type | Description |
|---|---|---|
| `namespace` | `string` | Required. The name of the namespace where this component resides. |
| `podSelector` | `LabelSelector` | Required. A standard Kubernetes label selector to identify the pods that belong to this component. |
| `dependsOn` | `[]Dependency` | A list of other components this component needs to connect to. |
| `profiles` | `[]string` | A list of `NetworkProfile` names to apply to this component. |
### Example

This `NetworkConfig` allows `service-a` in `namespace-a` to connect to
`service-b` in `namespace-b` on the `http` port.

```yaml
apiVersion: networking.tcs.trifork.com/v1alpha1
kind: NetworkConfig
metadata:
  name: cross-namespace-connection
spec:
  components:
    service-a:
      namespace: namespace-a
      podSelector:
        matchLabels:
          app.kubernetes.io/name: service-a
      dependsOn:
        - component: service-b
          port: http
    service-b:
      namespace: namespace-b
      podSelector:
        matchLabels:
          app.kubernetes.io/name: service-b
```