Creating connection policies by using the Mesh CLI

Create connection access policies with the IBM® Hybrid Cloud Mesh (Mesh) CLI so that service requests can flow over your Red Hat® Service Interconnect gateways.

A connection policy defines which applications can use a service and enables connectivity between the namespaces and service that are configured in the policy.

Applications and services in your Kubernetes namespace are discovered when the gateway is deployed. For service requests to be routed over the Service Interconnect edge network, create a connection policy that allows requests for the service within the network segment.

Prerequisites

Before you create the connection policy, the service that is referenced in the policy must be registered in Mesh. See Registering a service in Mesh.

Create a connection policy

You can create a connection policy that applies to the entire network segment or to specific namespaces in the network segment. Each connection policy defines the connections for a single service, and applies to all deployments of that service in the network segment.

Create a connection policy by using the entire network segment

If you create the connection policy by using the network segment, all applications in all namespaces in the network segment can connect to the service.

Complete the following steps:

  1. Get the ID of the network segment that the connection policy applies to:
    palmctl get networksegments
    The ID of the network segment is shown in the resource_id field in the output.
  2. Get the ID of the service that the applications connect to:
    1. First get the details of the application that contains the service:
      palmctl get applications

      The ID of the application is shown in the resource_id field in the output.

    2. Get the ID of the service:
      palmctl get services --application-name <application-name>

      The ID of the service is shown in the resource_id field in the output.

  3. Create the connection policy:
    cat << EOM | palmctl create policy -f -
    name: <policy-name>
    description: <optional policy description>
    resource_group_id: <resource-group-id>
    network_segment_id: <network-segment-id>
    action: allow
    from:
      type: networkSegment
      network_segment:
        network_segment_id: <network-segment-id>
    to:
      type: service
      service:
        service_id: <service-id>
        application_id: <application-id>
    EOM
    • <policy-name> must be unique.
    • <resource-group-id> is optional. If you don't specify a group, the application is added to the default application group.
    • <network-segment-id>, <service-id>, and <application-id> are retrieved in the earlier steps.

Create a connection policy by using specific namespaces in the network segment

If you create the connection policy by using specific namespaces, only applications that are in those namespaces can connect to the service.

Important:

To create a connection policy that allows connections from specific namespaces, the service_sync property for the network segment must be set to false. If you set service_sync to true when you create the network segment, you cannot create a connection policy that allows connections from specific namespaces.

For more information about setting service_sync when you create a network segment, see Creating Mesh network segments by using the CLI.

Before you create the connection policy, get the IDs of the network segment, the namespaces, and the service. Complete the following steps:

  1. Get the ID of the network segment that the connection policy applies to:
    palmctl get networksegments
    The ID of the network segment is shown in the resource_id field in the output.
  2. Get the IDs of the namespaces that can connect to the service. You can connect multiple namespaces:
    palmctl get namespaces --cloud-name <cloud-name> --cluster-name <cluster-name>
    • <cloud-name> is the name of your cloud environment and <cluster-name> is the name of the Kubernetes cluster where the namespaces are located.
    • The namespace ID is shown in the resource_id field in the output.
    Important: The command output includes the network segment that the namespace is linked to. You can include only those namespaces that are linked to the network segment that the connection policy applies to.

    You might need to run this command more than once if you want to connect multiple namespaces to the service. For example, if the namespaces are in different clusters, you must run the command multiple times with the appropriate cluster name.

  3. Get the ID of the service that the applications connect to:
    1. First get the details of the application that contains the service:
      palmctl get applications

      The ID of the application is shown in the resource_id field in the output.

    2. Get the ID of the service:
      palmctl get services --application-name <application-name>

      The ID of the service is shown in the resource_id field in the output.

  4. Create the connection policy:
    cat << EOM | palmctl create policy -f -
    name: <policy-name>
    description: <optional policy description>
    resource_group_id: <resource-group-id>
    network_segment_id: <network-segment-id>
    action: allow
    from:
      type: namespace
      namespaces:
        - namespace_id: <namespace-id-1>
        - namespace_id: <namespace-id-2>
        - namespace_id: <namespace-id-3>
    to:
      type: service
      service:
        service_id: <service-id>
        application_id: <application-id>
    EOM
    • <policy-name> must be unique.
    • <resource-group-id> is optional. If you don't specify a group, the application is added to the default application group.
    • <network-segment-id>, <namespace-id-n>, <service-id>, and <application-id> are retrieved in the earlier steps. If you want to connect multiple namespaces to the service, you must add a separate entry for each namespace in the namespaces section.
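The following shell script is an added example and is not part of the IBM documentation or the palmctl tool. It wraps both procedures on this page (the segment-wide policy and the namespace-scoped policy) in functions that render the policy document from IDs you already collected with palmctl get networksegments, palmctl get namespaces and palmctl get services, and that refuse to render a policy with a missing ID or an empty namespace list. The function names, the RESOURCE_GROUP_ID and POLICY_DESCRIPTION environment variables, and every ID in the demo are constructed for the example; palmctl is only invoked when apply_policy is called without --dry-run.

```shell
#!/bin/sh
# Added example (not IBM's code): build a Mesh connection policy for
# `palmctl create policy -f -` and reject an incomplete scope before it is sent.
# RESOURCE_GROUP_ID and POLICY_DESCRIPTION are optional; all IDs in the demo
# at the bottom are constructed placeholders, not real resource_id values.
set -eu

# Header shared by both policy shapes.  Args: policy-name network-segment-id
emit_header() {
  printf 'name: %s\n' "$1"
  printf 'description: %s\n' "${POLICY_DESCRIPTION:-rendered by render_*_policy}"
  # resource_group_id is optional: omit the key instead of sending an empty value.
  if [ -n "${RESOURCE_GROUP_ID:-}" ]; then
    printf 'resource_group_id: %s\n' "$RESOURCE_GROUP_ID"
  fi
  printf 'network_segment_id: %s\n' "$2"
  printf 'action: allow\n'
}

# Target block shared by both shapes.  Args: service-id application-id
emit_target() {
  printf 'to:\n  type: service\n  service:\n'
  printf '    service_id: %s\n    application_id: %s\n' "$1" "$2"
}

# Policy that lets every namespace in the segment reach the service.
# Args: policy-name network-segment-id service-id application-id
render_segment_policy() {
  if [ $# -lt 4 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
    echo "render_segment_policy: need policy name, segment, service and application IDs" >&2
    return 1
  fi
  emit_header "$1" "$2"
  printf 'from:\n  type: networkSegment\n  network_segment:\n'
  printf '    network_segment_id: %s\n' "$2"
  emit_target "$3" "$4"
}

# Policy that lets only the listed namespaces reach the service.  At least one
# namespace is required, and every listed namespace must already be linked to
# the segment (check the output of `palmctl get namespaces` before calling).
# Args: policy-name network-segment-id service-id application-id namespace-id...
render_namespace_policy() {
  if [ $# -lt 5 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
    echo "render_namespace_policy: need policy name, segment, service, application IDs and at least one namespace ID" >&2
    return 1
  fi
  name=$1 segment=$2 service=$3 app=$4
  shift 4
  emit_header "$name" "$segment"
  printf 'from:\n  type: namespace\n  namespaces:\n'
  for ns in "$@"; do
    if [ -z "$ns" ]; then
      echo "render_namespace_policy: empty namespace ID in list" >&2
      return 1
    fi
    printf '    - namespace_id: %s\n' "$ns"
  done
  emit_target "$service" "$app"
}

# Read a rendered policy on stdin and create it with palmctl, or only print it
# when called with --dry-run so you can review the scope first.
apply_policy() {
  if [ "${1:-}" = "--dry-run" ]; then
    cat
  else
    palmctl create policy -f -
  fi
}

# Demo with constructed IDs; --dry-run means nothing is sent to palmctl.
render_namespace_policy checkout-to-orders seg-example-1 svc-example-1 app-example-1 \
  ns-example-a ns-example-b | apply_policy --dry-run
```

Review the dry-run output against the IDs from the earlier steps, then rerun the same pipeline without --dry-run to create the policy. Keeping the two shapes in separate functions makes it harder to widen a namespace-scoped policy to the whole segment by accident: the segment-wide form has to be chosen explicitly.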