author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-01-20 18:08:44 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-01-20 18:08:44 +0000 |
commit | e0ab7eda1b1013e3246b0db28689b0749158f0bf (patch) | |
tree | c0b4fa77a0a781f0e0e868133293053ae75c2aff /doc/topics/autodevops/index.md | |
parent | 364f6f2e33e6f5eafe63b25d9256b88e72141b1c (diff) | |
download | gitlab-ce-e0ab7eda1b1013e3246b0db28689b0749158f0bf.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/topics/autodevops/index.md')
-rw-r--r-- | doc/topics/autodevops/index.md | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/doc/topics/autodevops/index.md b/doc/topics/autodevops/index.md index c52c5832591..e95fbff74b3 100644 --- a/doc/topics/autodevops/index.md +++ b/doc/topics/autodevops/index.md 
@@ -713,6 +713,56 @@ workers: terminationGracePeriodSeconds: 60 ``` +#### Network Policy + +> [Introduced](https://gitlab.com/gitlab-org/charts/auto-deploy-app/merge_requests/30) in GitLab 12.7. + +By default, all Kubernetes pods are +[non-isolated](https://kubernetes.io/docs/concepts/services-networking/network-policies/#isolated-and-non-isolated-pods) +and accept traffic from any source. You can use +[NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) +to restrict connections to selected pods or namespaces. + +NOTE: **Note:** +You must use a Kubernetes network plugin that implements support for +`NetworkPolicy`, the default network plugin for Kubernetes (`kubenet`) +[doesn't implement](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#kubenet) +support for it. The [Cilium](https://cilium.io/) network plugin can be +installed as a [cluster application](../../user/clusters/applications.md#install-cilium-using-gitlab-ci) +to enable support for network policies. + +You can enable deployment of a network policy by setting the following +in the `.gitlab/auto-deploy-values.yaml` file: + +```yml +networkPolicy: + enabled: true +``` + +The default policy deployed by the auto deploy pipeline will allow +traffic within a local namespace and from the `gitlab-managed-apps` +namespace, all other inbound connection will be blocked. Outbound +traffic is not affected by the default policy. 
+ +You can also provide a custom [policy specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#networkpolicyspec-v1-networking-k8s-io) +via the `.gitlab/auto-deploy-values.yaml` file, for example: + +```yml +networkPolicy: + enabled: true + spec: + podSelector: + matchLabels: + app.gitlab.com/env: staging + ingress: + - from: + - podSelector: + matchLabels: {} + - namespaceSelector: + matchLabels: + app.gitlab.com/managed_by: gitlab +``` + #### Running commands in the container Applications built with [Auto Build](#auto-build) using Herokuish, the default |
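Review bot: the custom policy example at the end of this hunk isolates only pods labelled `app.gitlab.com/env: staging`, and the surrounding text does not say that every other pod in the namespace stays non-isolated and keeps accepting traffic from any source; a sentence after the example stating that `spec.podSelector` decides which pods the policy protects, so a narrower selector than the default leaves the remaining pods open, would close that gap. Two wording fixes in the same hunk: the NOTE joins two sentences with a comma ("support for `NetworkPolicy`, the default network plugin for Kubernetes (`kubenet`)"), which should be split into two sentences, and "all other inbound connection will be blocked" should read "connections". Consider `yaml` rather than `yml` as the fence info string if that is what the rest of the file uses.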