Configuring a Network Defense Policy (for Cloud Native Network 2.0)

Scenarios

If no network defense policies are configured for a pod, all traffic is allowed to enter and leave the pod by default. In this case, pods can communicate with each other and access the external network, which poses security risks.

To improve the security of a cluster using the cloud native network 2.0 model, you can configure a network defense policy for the cluster to restrict the communication between workloads and the access from workloads to the external network.

Constraints

Only CCE Turbo clusters of v1.19 or later support the container firewall.

Creating a Network Defense Policy

Log in to the HSS console.
Click in the upper left corner and select a region or project.

In the navigation pane on the left, choose Container Protection > Container Firewalls.
(Optional) If you have enabled the enterprise project, select the enterprise project where the target server resides from the drop-down list.
Click Synchronize above the cluster list to synchronize the policies created on clusters.

The synchronization takes about 1 to 2 minutes. Wait for a while and click in the upper right corner of the list to refresh and view the latest data.

Figure 1 Synchronizing cluster policies

Click Manage Policy in the Operation column of a cluster using the cloud native network 2.0 model.
Click Create above the policy list. The Create a Security Group Policy dialog box is displayed.

Figure 2 Policy management

Enter the policy information as prompted. For details about related parameters, see Table 1.

Figure 3 Create a security group policy
Click to enlarge

**Table 1** Parameters for creating a security group policy
Parameter	Description
Policy	Enter a policy name. The requirements are as follows: The name can contain only lowercase letters, numbers, hyphens (-), and dots (·), and must start and end with a letter or number. Up to 253 characters are allowed.
Namespace	Select a namespace from the drop-down list.
Workload Type	Select a load type. The following types are supported: Deployment: Kubernetes deployment. It supports auto elastic and rolling upgrade. StatefulSets: Kubernetes StatefulSets. It supports ordered pod deployment and deletion. DaemonSets: Kubernetes DaemonSets. It ensures that one pod instance runs on all (or some) nodes.
Workload	Select the target workload.
Associate a Security Group	Select a security group to be associated. Each policy can be associated with a maximum of five groups. The existing security groups in the list are those you have created in the VPC service. To create a security group, click Create a Security Group to go to the VPC console. For details, see Create a Security Group.

After entering the policy information, click OK.

You can view the new policy in the policy management list.

Related Operations

Modifying or deleting a network defense policy

(Optional) If you have enabled the enterprise project, select the enterprise project where the target server resides from the drop-down list.

Click Manage Policy in the Operation column of a cluster using the cloud native network 2.0 model.
Click Synchronize above the policy list to synchronize cluster policy information.

The synchronization takes about 1 to 2 minutes. Wait for a while and click in the upper right corner of the list to refresh and view the latest data.
Select the operation to be performed on the policy.

Figure 4 Managing policies
- View policy content.
  In the Operation column of a policy, click View YAML. In the displayed dialog box, you can select YAML or JSON to view the policy details. Click Download in the upper left corner of the dialog box.
- Update policy content.
  1. Locate a target policy and click Update in the Operation column. The Update a Security Group Policy dialog box is displayed.
  2. Add or delete an associated security group.
  3. Click OK.
- Delete a policy.
  1. Locate a target policy and click Delete in the Operation column. The Delete Policy dialog box is displayed.
  2. Ensure that all information is correct and click OK.