Creating connection policies by using the Mesh CLI
Create connection access policies with the IBM® Hybrid Cloud Mesh (Mesh) CLI so that service requests can flow over your Red Hat® Service Interconnect gateways.
A connection policy defines which applications can use a service and enables connectivity between the namespaces and the service that are configured in the policy.
Applications and services in your Kubernetes namespaces are discovered when the gateway is deployed. Discovery alone does not open a path: for service requests to be routed over the Service Interconnect edge network, you must create a connection policy that allows requests for the service within the network segment.
Prerequisites
Before you create the connection policy, the service that is referenced in the policy must be registered in Mesh. See Registering a service in Mesh.
Create a connection policy
- A connection policy that enables all the applications in the network segment to connect to a service in the network segment. See Create a connection policy by using the entire network segment.
- A connection policy that enables applications in specific namespaces to connect to a service. The namespaces and the service must be in the same network segment. See Create a connection policy by using specific namespaces in the network segment.
Create a connection policy by using the entire network segment
If you create the connection policy by using the network segment, all applications in all namespaces in the network segment can connect to the service. Because this grants access to every namespace in the segment, use it only when all of those namespaces should be able to reach the service; otherwise scope the policy to specific namespaces.
Complete the following steps:
- Get the ID of the network segment that the connection policy applies to:
    palmctl get networksegments
  The ID of the network segment is shown in the resource_id field in the output.
- Get the ID of the service that the applications connect to:
  - First get the details of the application that contains the service:
      palmctl get applications
    The ID of the application is shown in the resource_id field in the output.
  - Then get the ID of the service:
      palmctl get services --application-name <application-name>
    The ID of the service is shown in the resource_id field in the output.
- Create the connection policy:
    cat << EOM | palmctl create policy -f -
    name: <policy-name>
    description: <optional policy description>
    resource_group_id: <resource-group-id>
    network_segment_id: <network-segment-id>
    action: allow
    from:
      type: networkSegment
      network_segment:
        network_segment_id: <network-segment-id>
    to:
      type: service
      service:
        service_id: <service-id>
        application_id: <application-id>
    EOM
  <policy-name> must be unique. <resource-group-id> is optional; if you don't specify a group, the default group is used. <network-segment-id>, <service-id>, and <application-id> are the values that you retrieved in the earlier steps. Use the same network segment ID for the top-level network_segment_id field and for the network_segment_id field in the from section.
Create a connection policy by using specific namespaces in the network segment
If you create the connection policy by using specific namespaces, only applications that are in those namespaces can connect to the service.
Important: To create a connection policy that allows connections from specific namespaces, the service_sync property of the network segment must be set to false. If you set service_sync to true when you create the network segment, you cannot create a connection policy that allows connections from specific namespaces. For more information about setting service_sync when you create a network segment, see Creating Mesh network segments by using the CLI.
Before you create the connection policy, get the IDs of the network segment, the namespaces, and the service. Complete the following steps:
- Get the ID of the network segment that the connection policy applies to:
    palmctl get networksegments
  The ID of the network segment is shown in the resource_id field in the output.
- Get the IDs of the namespaces that can connect to the service. You can include multiple namespaces:
    palmctl get namespaces --cloud-name <cloud-name> --cluster-name <cluster-name>
  <cloud-name> is the name of your cloud environment and <cluster-name> is the name of the Kubernetes cluster where the namespaces are located. The namespace ID is shown in the resource_id field in the output.
  Important: The command output includes the network segment that each namespace is linked to. You can include only namespaces that are linked to the network segment that the connection policy applies to. If the namespaces that you want to connect are in different clusters, run the command once for each cluster with the appropriate cluster name.
- Get the ID of the service that the applications connect to:
  - First get the details of the application that contains the service:
      palmctl get applications
    The ID of the application is shown in the resource_id field in the output.
  - Then get the ID of the service:
      palmctl get services --application-name <application-name>
    The ID of the service is shown in the resource_id field in the output.
- Create the connection policy:
    cat << EOM | palmctl create policy -f -
    name: <policy-name>
    description: <optional policy description>
    resource_group_id: <resource-group-id>
    network_segment_id: <network-segment-id>
    action: allow
    from:
      type: namespace
      namespaces:
        - namespace_id: <namespace-id-1>
        - namespace_id: <namespace-id-2>
        - namespace_id: <namespace-id-3>
    to:
      type: service
      service:
        service_id: <service-id>
        application_id: <application-id>
    EOM
  <policy-name> must be unique. <resource-group-id> is optional; if you don't specify a group, the default group is used. <network-segment-id>, <namespace-id-n>, <service-id>, and <application-id> are the values that you retrieved in the earlier steps. If you want to connect multiple namespaces to the service, add a separate namespace_id entry for each namespace in the namespaces section, and list only namespaces that are linked to the network segment in network_segment_id.
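The following script is an added example, not part of IBM's documentation or the palmctl tool. It generates either of the two policy documents described above (segment-wide and namespace-scoped) and, before a namespace-scoped policy is piped to palmctl, checks the two constraints this page states: the segment's service_sync must not be true, and every listed namespace must be linked to the policy's network segment. The SEGMENT, NAMESPACES, and SERVICE records are constructed sample data standing in for what you copy out of the palmctl get commands; the field name network_segment_id on a namespace record is an assumed name for the linked segment that the page says the command output includes.

```python
"""Build and sanity-check a Mesh connection policy before piping it to palmctl."""
import subprocess

# Constructed sample records standing in for `palmctl get ...` output.
# `resource_id` is the field the page names; `service_sync` is the segment
# property the page describes; `network_segment_id` on a namespace record is an
# assumed name for the linked segment that the page says the output includes.
SEGMENT = {"resource_id": "seg-1", "service_sync": False}
NAMESPACES = {
    "ns-a": {"resource_id": "ns-a", "network_segment_id": "seg-1"},
    "ns-b": {"resource_id": "ns-b", "network_segment_id": "seg-1"},
    "ns-c": {"resource_id": "ns-c", "network_segment_id": "seg-2"},  # linked elsewhere
}
SERVICE = {"resource_id": "svc-1", "application_id": "app-1"}


class PolicyError(ValueError):
    """Raised when the inputs violate a constraint this page states."""


def namespace_policy_problems(segment, namespaces):
    """Return the page's constraints that a namespace-scoped policy would violate."""
    problems = []
    if segment.get("service_sync") is True:
        problems.append(f"segment {segment['resource_id']} has service_sync set to true")
    if not namespaces:
        problems.append("at least one namespace is required")
    for ns in namespaces:
        if ns["network_segment_id"] != segment["resource_id"]:
            problems.append(
                f"namespace {ns['resource_id']} is linked to segment "
                f"{ns['network_segment_id']}, not {segment['resource_id']}"
            )
    return problems


def build_policy(name, segment, service, namespaces=None,
                 description=None, resource_group_id=None):
    """Return the policy YAML. namespaces=None selects the whole network segment."""
    lines = [f"name: {name}"]
    if description:
        lines.append(f"description: {description}")
    if resource_group_id:
        lines.append(f"resource_group_id: {resource_group_id}")
    lines += [f"network_segment_id: {segment['resource_id']}", "action: allow", "from:"]
    if namespaces is None:
        # Segment-wide: every namespace in the segment may reach the service.
        lines += ["  type: networkSegment", "  network_segment:",
                  f"    network_segment_id: {segment['resource_id']}"]
    else:
        # Namespace-scoped: refuse to emit a policy palmctl would not accept.
        problems = namespace_policy_problems(segment, namespaces)
        if problems:
            raise PolicyError("; ".join(problems))
        lines += ["  type: namespace", "  namespaces:"]
        lines += [f"    - namespace_id: {ns['resource_id']}" for ns in namespaces]
    lines += ["to:", "  type: service", "  service:",
              f"    service_id: {service['resource_id']}",
              f"    application_id: {service['application_id']}"]
    return "\n".join(lines) + "\n"


def submit(policy_yaml):
    """Hand the YAML to palmctl on stdin, exactly as the heredoc on this page does."""
    return subprocess.run(["palmctl", "create", "policy", "-f", "-"],
                          input=policy_yaml, text=True, check=True)


if __name__ == "__main__":
    print(build_policy("allow-whole-segment", SEGMENT, SERVICE))
    print(build_policy("allow-ns-a-b", SEGMENT, SERVICE,
                       [NAMESPACES["ns-a"], NAMESPACES["ns-b"]]))
    try:
        build_policy("bad", SEGMENT, SERVICE, [NAMESPACES["ns-c"]])
    except PolicyError as err:
        print("rejected:", err)
    # submit(build_policy(...)) runs the real CLI; it is not called here so the
    # script runs offline.
```

Running the script prints the two policy documents and then shows the namespace-scoped request for ns-c being rejected, because that namespace is linked to a different segment than the policy targets. Replace the sample records with the IDs from your own palmctl get output and call submit() on the result to create the policy.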