From 13d8e3072d125d5c485493220dce68b273f8211e Mon Sep 17 00:00:00 2001 From: Abhishek Raut Date: Wed, 1 Jul 2020 18:51:36 -0700 Subject: [PATCH] Add note regarding feature gate status --- docs/network-policy.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/network-policy.md b/docs/network-policy.md index 0ac4f777abe..8b3d992fa3b 100644 --- a/docs/network-policy.md +++ b/docs/network-policy.md @@ -8,6 +8,13 @@ aimed towards developers to secure their apps and affects Pods within the Namespace in which the K8s NetworkPolicy is created. Rules belonging to ClusterNetworkPolicies are evaluated before any rule belonging to a K8s NetworkPolicy. +**Note**: ClusterNetworkPolicy is currently in "Alpha" stage. In order to +enable them, edit the Controller configuration in the `antrea` ConfigMap +as follows: +```yaml + antrea-controller.conf: | + ClusterNetworkPolicy: true +``` ## The ClusterNetworkPolicy resource 
@@ -115,18 +122,18 @@ Hence, CNP take precedence over K8s NP. There are four kinds of selectors that can be specified in an ingress `from` section or egress `to` section: -**podSelector**: This selects particular Pods from all Namespaces as `sources`, -if set in `ingress` section, or as `destinations`, if set in `egress` section. +**podSelector**: This selects particular Pods from all Namespaces as "sources", +if set in `ingress` section, or as "destinations", if set in `egress` section. **namespaceSelector**: This selects particular Namespaces for which all Pods are -grouped as `ingress` `sources` or `egress` `destinations`. +grouped as `ingress` "sources" or `egress` "destinations". **podSelector** and **namespaceSelector**: A single to/from entry that specifies both namespaceSelector and podSelector selects particular Pods within particular Namespaces. -**ipBlock**: This selects particular IP CIDR ranges to allow as `ingress` `sources` -or `egress` `destinations`. These should be cluster-external IPs, since Pod IPs are +**ipBlock**: This selects particular IP CIDR ranges to allow as `ingress` "sources" +or `egress` "destinations". These should be cluster-external IPs, since Pod IPs are ephemeral and unpredictable. ## Key differences from K8s NetworkPolicy
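Review bot: In the first hunk (`@@ -8,6 +8,13 @@`), the added YAML snippet places `ClusterNetworkPolicy: true` directly under `antrea-controller.conf: |`, while the commit subject calls it a feature gate. If the controller configuration expects the gate inside an enclosing key, show that key so the snippet can be copied into the `antrea` ConfigMap unchanged. The note also switches number ("ClusterNetworkPolicy is ... In order to enable them"); "to enable it" would read correctly. Since the feature is off unless this edit is made, the note should say whether the Controller has to be restarted for the ConfigMap change to take effect, and what happens to ClusterNetworkPolicy objects created while the gate is disabled, so that a reader does not assume rules are being enforced when they are not.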
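Review bot: The second hunk (`@@ -115,18 +122,18 @@`) is a formatting change that the commit subject "Add note regarding feature gate status" does not mention: it replaces the backticked `sources` and `destinations` with quoted "sources" and "destinations" in the podSelector, namespaceSelector and ipBlock entries. Keeping backticks for the field names `ingress`, `egress`, `from` and `to` and quotes for the descriptive words is a reasonable convention, but it should either go in its own commit or be named in the commit message so the history explains it.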