#Creating Admin Network Policies

The new cluster network policy adopts the Kubernetes community's Admin Network Policy standard design, providing more flexible configuration methods and rich configuration options.

When multiple network policies are applied, they follow a strict priority order: Admin Network Policy takes precedence over Network Policy, which in turn takes precedence over Baseline Admin Network Policy.

The procedure is as follows:

#Notes

• Only Kube-OVN CNI supports admin network policies.

• In Kube-OVN network mode, this feature is at Alpha maturity level.

• Only one Baseline Admin Network Policy can exist in the cluster.

AdminNetworkPolicy

# example-anp.yaml
apiVersion: policy.networking.k8s.io/v1alpha1
kind: AdminNetworkPolicy
metadata:
  name: example-anp
spec:
  priority: 3
  subject:
    pods:
      namespaceSelector:
        matchLabels: {}
      podSelector:
        matchLabels:
          pod-template-hash: 55f66dd67d
  ingress:
    - name: ingress1
      action: Allow
      ports:
        - portNumber:
            protocol: TCP
            port: 8090
      from:
        - pods:
            namespaceSelector:
              matchLabels: {}
            podSelector:
              matchLabels:
                pod-template-hash: 55c84b59bb
  egress:
    - name: egress1
      action: Allow
      ports:
        - portNumber:
            protocol: TCP
            port: 8080
      to:
        - networks:
            - 10.1.1.1/23

BaselineAdminNetworkpolicy:

# default.yaml
apiVersion: policy.networking.k8s.io/v1alpha1
kind: BaselineAdminNetworkPolicy
metadata:
  name: default
spec:
  subject:
    pods:
      namespaceSelector:
        matchLabels: {}
      podSelector:
        matchLabels:
          pod-template-hash: 55c84b59bb
  ingress:
    - name: ingress1
      action: Allow
      ports:
        - portNumber:
            protocol: TCP
            port: 8888
      from:
        - pods:
            namespaceSelector:
              matchLabels: {}
            podSelector:
              matchLabels:
                pod-template-hash: 55f66dd67d
  egress:
    - name: egress1
      action: Allow
      ports:
        - portNumber:
            protocol: TCP
            port: 8080
      to:
        - networks:
            - 3.3.3.3/23

#Creating AdminNetworkPolicy or BaselineAdminNetworkPolicy by using the web console

1. Go to Platform Management.

2. In the left navigation bar, click Network > Cluster Network Policies.

3. Click Create Admin Network Policies or Configure the Baseline Admin Network Policy.

4. Follow the instructions below to complete the relevant configuration.

   Area	Parameter		Description
   Basic Information	Name		The name of the Admin Network Policy or Baseline Admin Network Policy.
   	Priority		Determines the order in which policies are evaluated and applied. Lower numerical values indicate higher priority. Note: The baseline admin network policy does not have a priority.
   Target Pod	Namespace Selector		Enter the labels of the target Namespaces in key-value form. If not set, the policy will apply to all Namespaces in the current cluster. When specified, the policy will only apply to pods within the namespaces that match these selectors.
   	Preview of Target Pods Affected by Current Policy		Click Preview to see the target Pods affected by this network policy.
   	Pod Selector		Enter the labels of the target Pods in key-value form. If not set, the policy will apply to all Pods in the current namespace.
   	Preview of Target Pods Affected by Current Policy		Click Preview to see the target Pods affected by this network policy.
   Ingress	Traffic Action		Specifies how to handle incoming traffic to target Pods. Has three modes: Allow (permits traffic), Deny (blocks traffic), and Pass (skips all lower-priority admin network policies, allowing the traffic to be handled by Network Policy, or if no Network Policy exists, by Baseline Admin Network Policy). Note: The baseline admin network policy does not have action Pass.
   	Rule Description: If multiple sources are added in the rule, there is a logical OR relationship between them.	Pod Selector	Matches namespaces or Pods with specified labels in the cluster; only matching Pods can access the target Pod. You can click Preview to see the Pods affected by the current rule. If both namespace and Pod selectors are configured, their intersection will be taken, meaning Pods with specified labels will be selected from the specified namespaces. If this item is not configured, all Pods in all namespaces in the cluster can access the target Pod by default.
   		Namespace Selector	Matches Pods with specified labels in the current namespace; only matching Pods can access the target Pod. You can click Preview to see the Pods affected by the current rule. If this item is not configured, all Pods in the current namespace are allowed to access the target Pod by default.
   	Ports		Matches traffic on specified protocols and ports; you can add numeric ports or port names on Pods. If this item is not configured, all ports will be matched.
   Egress	Rule Description: If multiple sources are added in the rule, there is a logical OR relationship between them.	Node Selector	Specifies which node IPs the target Pods are allowed to access. You can select nodes by their labels to control which node IPs are accessible from the Pods.
   		IP Range	Specify CIDR ranges that target Pods are allowed to connect to. If this item is not configured, target Pods can connect to any IP by default.
   		Other Parameters	Similar to the Ingress parameters, with the same configuration options and behavior.

#Creating AdminNetworkPolicy or BaselineAdminNetworkPolicy by using the CLI

kubectl apply -f example-anp.yaml -f default.yaml

#Additional resource

• Configure Cluster Network Policies