docs: Add example for kube-apiserver entity policy

Signed-off-by: Joe Stringer <joe@cilium.io>
cilium · May 7, 2024 · 3d1efae · 3d1efae
1 parent 87ed04b
commit 3d1efae
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/Documentation/security/policy/language.rst b/Documentation/security/policy/language.rst
@@ -361,6 +361,25 @@ all
     The all entity represents the combination of all known clusters as well
     world and whitelists all communication.
 
+Access to/from kube-apiserver
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Allow all endpoints with the label ``env=dev`` to access the kube-apiserver.
+
+.. only:: html
+
+   .. tabs::
+     .. group-tab:: k8s YAML
+
+        .. literalinclude:: ../../../examples/policies/l3/entities/apiserver.yaml
+     .. group-tab:: JSON
+
+        .. literalinclude:: ../../../examples/policies/l3/entities/apiserver.json
+
+.. only:: epub or latex
+
+        .. literalinclude:: ../../../examples/policies/l3/entities/apiserver.json
+
 Access to/from local host
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/examples/policies/l3/entities/apiserver.json b/examples/policies/l3/entities/apiserver.json
@@ -0,0 +1,7 @@
+[{
+    "labels": [{"key": "name", "value": "dev-to-kube-apiserver"}],
+    "endpointSelector": {"matchLabels": {"env":"dev"}},
+    "egress": [{
+        "toEntities": ["kube-apiserver"]
+    }]
+}]
diff --git a/examples/policies/l3/entities/apiserver.yaml b/examples/policies/l3/entities/apiserver.yaml
@@ -0,0 +1,11 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: "dev-to-kube-apiserver"
+spec:
+  endpointSelector:
+    matchLabels:
+      env: dev
+  egress:
+    - toEntities:
+      - kube-apiserver