---
title: Administering Container-to-Container Networking
owner: Container-to-Container Networking
---
This topic describes how to configure the Container-to-Container Networking feature. For an overview of how Container-to-Container Networking works, see the [Understanding Container-to-Container Networking](../../concepts/understand-cf-networking.html) topic.
<% if vars.product_name.include? "CF" %>
##<a id="enable"></a>Enable Container-to-Container Networking
<% end %>
<% if vars.product_name == 'CF' %>
<%= partial 'c2c_oss_enable' %>
<% else %>
<% if vars.product_name.include? "CF" %>
<%= partial "../../customizing/c2c_pcf_enable" %>
<% end %>
<% end %>
<% if vars.product_name.include? "CF" %>
##<a id="overlay"></a> Configure the Overlay Network
<% end %>
<% if vars.product_name == 'CF' %>
<%= partial 'c2c_oss_overlay' %>
<% else %>
<% if vars.product_name.include? "CF" %>
<%= partial '../../opsguide/c2c_overlay' %>
<% end %>
<% end %>
##<a id="create-policies"></a>Create Policies for Container-to-Container Networking
This section describes how to create and modify Container-to-Container Networking policies using a plugin for the Cloud Foundry Command Line Interface (cf CLI).
The cf CLI only supports configuring policies for apps within the same space.
To configure policies for apps in different orgs and spaces, use the [Policy Server External API](https://github.com/cloudfoundry/cf-networking-release/blob/v1.10.x/docs/API.md).
<% if vars.product_name == 'PWS' %>
<%= partial '../../appsman-services/c2c_pws_create' %>
<% else %>
To use the plugin, you must have either the `network.write` or `network.admin` UAA scope.
<table>
<tr>
<th>UAA Scope</th>
<th>Suitable for…</th>
<th>Allows users to create policies…</th>
</tr>
<tr>
<td><code>network.admin</code></td>
<td>operators</td>
<td>for any apps in the CF deployment</td>
</tr>
<tr>
<td><code>network.write</code></td>
<td>space developers</td>
<td>for apps in spaces that they can access</td>
</tr>
</table>
If you are a CF admin, you already have the `network.admin` scope. An admin can also grant the `network.admin` scope to a space developer.
<% if vars.product_name == 'CF' || vars.product_name == 'PCF' %>
<%= vars.uaa_cli %>
<% else %>
<% end %>
<% end %>
### Install the Plugin
Follow these steps to download and install the Network Policy plugin for the cf CLI:
1. Download the `network-policy-plugin` for your operating system from the [Container-to-Container Networking Release repository](https://github.com/cloudfoundry-incubator/cf-networking-release/releases).
1. To change the permissions of the plugin file and complete the installation, enter the following commands:
<pre class="terminal">
$ chmod +x ~/Downloads/network-policy-plugin
$ cf install-plugin ~/Downloads/network-policy-plugin
</pre>
### Create a Policy
To create a policy that allows direct network traffic from one app to another, enter the following command:
<pre class="terminal">
$ cf allow-access SOURCE-APP DESTINATION-APP --protocol PROTOCOL --port PORT
</pre>
Replace the placeholders in the above command as follows:
* `SOURCE-APP` is the name of the app that will send traffic.<br>
* `DESTINATION-APP` is the name of the app that will receive traffic.<br>
* `PROTOCOL` is one of the following: `tcp` or `udp`.<br>
* `PORT` is the port at which to connect to the destination app. The allowed range is from `1` to `65535`.<br>
The following example command allows access from the `frontend` app to the `backend` app over TCP at port 8080:
<pre class="terminal">
$ cf allow-access frontend backend --protocol tcp --port 8080
Allowing traffic from frontend to backend as admin...
OK
</pre>
### List Policies
You can list all the policies in your deployment or just the policies for which a single app is either the source or the destination:
+ To list all the policies in your deployment, enter the following command:
<pre class="terminal">
$ cf list-access
</pre>
+ To list the policies for an app, enter the following command:
<pre class="terminal">
$ cf list-access --app MY-APP
</pre>
The following example command lists policies for the app `frontend`:
<pre class="terminal">
$ cf list-access --app frontend
Listing policies as admin...
OK
Source     Destination   Protocol   Port
frontend   backend       tcp        8080
</pre>
### Delete a Policy
To delete a policy that allows direct network traffic from one app to another, enter the following command:
<pre class="terminal">
$ cf remove-access SOURCE-APP DESTINATION-APP --protocol PROTOCOL --port PORT
</pre>
The following command deletes the policy that allowed the `frontend` app to communicate with the `backend` app over TCP on port 8080:
<pre class="terminal">
$ cf remove-access frontend backend --protocol tcp --port 8080
Denying traffic from frontend to backend as admin...
OK
</pre>
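The three commands above are what an operator reconciles by hand when a space's policies drift from what was intended. The following script is an added example, not part of the cf-networking-release docs: it parses the table that `cf list-access` prints (the format shown above), compares it with a declared set of policies, and emits the `cf remove-access` and `cf allow-access` commands needed to close the gap. The `list-access` output embedded below is constructed sample data, and the `desired` set and the `legacy-db` app name are assumptions for the example.

```python
"""Reconcile declared Container-to-Container policies against `cf list-access` output."""
from typing import List, NamedTuple, Set


class Policy(NamedTuple):
    source: str
    destination: str
    protocol: str  # "tcp" or "udp", as accepted by cf allow-access
    port: int      # 1..65535, the range the plugin accepts


def parse_list_access(output: str) -> Set[Policy]:
    """Parse the table `cf list-access` prints after its 'Source Destination Protocol Port' header."""
    policies: Set[Policy] = set()
    in_table = False
    for line in output.splitlines():
        fields = line.split()
        if fields[:4] == ["Source", "Destination", "Protocol", "Port"]:
            in_table = True          # everything after this header is a policy row
            continue
        if in_table and len(fields) == 4:
            src, dst, proto, port = fields
            proto = proto.lower()
            if proto not in ("tcp", "udp") or not 1 <= int(port) <= 65535:
                raise ValueError(f"unexpected policy row: {line!r}")
            policies.add(Policy(src, dst, proto, int(port)))
    return policies


def reconcile(desired: Set[Policy], actual: Set[Policy]) -> List[str]:
    """Return cf CLI commands that bring `actual` in line with `desired` (removals first)."""
    cmds = []
    for p in sorted(actual - desired):   # policies present but not declared: tighten first
        cmds.append(f"cf remove-access {p.source} {p.destination} --protocol {p.protocol} --port {p.port}")
    for p in sorted(desired - actual):   # declared policies that are missing
        cmds.append(f"cf allow-access {p.source} {p.destination} --protocol {p.protocol} --port {p.port}")
    return cmds


# Constructed sample of `cf list-access --app frontend` output (not captured from a real deployment).
SAMPLE_OUTPUT = """\
Listing policies as admin...
OK
Source     Destination   Protocol   Port
frontend   backend       tcp        8080
frontend   legacy-db     tcp        3306
"""

# Assumed declared policy set for the example: only frontend -> backend on tcp/8080 and udp/9000.
DESIRED = {Policy("frontend", "backend", "tcp", 8080), Policy("frontend", "backend", "udp", 9000)}

if __name__ == "__main__":
    for cmd in reconcile(DESIRED, parse_list_access(SAMPLE_OUTPUT)):
        print(cmd)
```

Run with live data by piping `cf list-access` into `parse_list_access` and review the printed commands before executing them; the script never calls `cf` itself.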