Cluster network policies manage project-level network access control rules. When this feature is enabled, projects are isolated from each other by default, and compute components in different projects cannot reach each other over the network. Cross-project communication can then be allowed by adding Single Project Access or IP Segment Access rules.
Once configured, the cluster network policies are synchronized to the namespaces under the cluster and can be viewed in the Network Policies feature module of the container platform.
Cluster network policies take effect only if the network plugin used by the cluster supports network policies.
Under the Kube-OVN network mode, this functionality is at Alpha maturity.
Go to Platform Management.
In the left navigation bar, click Network Management > Cluster Network Policies.
Click Configure Now.
Follow the instructions below to complete the relevant configuration.
Configuration Item | Description |
---|---|
Complete Isolation Between Projects | Switch that controls complete isolation between projects. It is enabled by default; click it to turn it off. When enabled, all projects in the current cluster are network-isolated from each other, and other sources (e.g., external IPs, load balancers) are not allowed to access any project within the cluster. This does not affect projects' access to resources outside the cluster. |
Single Project Access | Only effective when the Complete Isolation Between Projects switch is enabled. Configures one-way access from a source project to a target project. Click Add to add a configuration record; multiple records are supported. In the source project dropdown, select the project that will access the target project, or select all projects; in the target project dropdown, select the project to be accessed. |
IP Segment Access | Only effective when the Complete Isolation Between Projects switch is enabled. Configures one-way access from a specific IP or segment to a target project. Click Add to add a configuration record; multiple records are supported. In the source IP segment input box, enter the IP or CIDR segment that will access the target project; in the target project dropdown, select the project to be accessed. |
Click Configure.
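When reviewing what appears in a namespace after this configuration, it helps to know what the same intent looks like as a standard Kubernetes NetworkPolicy. The manifest below is an added illustration, not the object the platform generates: the policy name, namespace, project label key (`example.com/project`), project names and CIDR are all constructed, and it assumes that a project's namespaces carry a common label.

```yaml
# Illustrative only: a standard Kubernetes NetworkPolicy expressing
# "isolated by default, plus two one-way allow rules" for one namespace
# of a target project. All names, labels and addresses are constructed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-isolation-example      # hypothetical name
  namespace: payments-prod             # hypothetical namespace of target project "payments"
spec:
  podSelector: {}                      # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress                          # only inbound traffic is restricted; outbound access
                                       # to resources outside the cluster is left untouched
  ingress:
    - from:
        # Traffic from namespaces of the same project stays allowed
        # (assumption: isolation applies between projects, not within one).
        - namespaceSelector:
            matchLabels:
              example.com/project: payments
        # Single Project Access: source project "frontend" -> target project "payments".
        # One-way: nothing here lets "payments" reach "frontend"; that would need
        # its own record with the roles reversed.
        - namespaceSelector:
            matchLabels:
              example.com/project: frontend
        # IP Segment Access: source CIDR -> target project "payments".
        - ipBlock:
            cidr: 10.20.0.0/16         # constructed example segment
    # Any source not matched above (other projects, external IPs,
    # load balancers) is dropped once the policy selects the pods.
```

When auditing a namespace, a policy with an empty `podSelector` and a short, explicit `from` list is the shape to expect; an unexpectedly broad `ipBlock` or a selector matching all namespaces is worth tracing back to an IP Segment Access or "all projects" record.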