Merge pull request #106 from gfsuse/main

docs for NVSHAS-8325, Namespace Boundary Enforcement(NBE)
neuvector · Aug 20, 2024 · 084e9f3 · 084e9f3
2 parents 849dfe7 + 970d20d
commit 084e9f3
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -14,6 +14,7 @@
 .env.development.local
 .env.test.local
 .env.production.local
+docs.code-workspace
 
 npm-debug.log*
 yarn-debug.log*

diff --git a/docs/05.policy/14.namespaceboundary/14.namespaceboundary.md b/docs/05.policy/14.namespaceboundary/14.namespaceboundary.md
@@ -0,0 +1,28 @@
+---
+title: Namespace Boundary Enforcement
+taxonomy:
+    category: docs
+slug: /policy/namespaceboundary
+---
+
+### Policy: Namespace Boundary Enforcement
+
+Customer made request to policy ingress/egress traffic on namespace’s natural boundary. 
+eg.)
+There are 2 namespaces ns1, ns2, 
+in ns1 there are pod1 and pod2,
+in ns2 there are pod3 and pod4
+g1 is created using "label=app1" which includes pod1 and pod3
+g2 is created using "label=app2" which includes pod2 and pod4
+network policy: from g1 to g2 app HTTPS port any action allow
+with namespace boundary enforcement only pod1 can talk to pod2 but not pod1 to pod4, pod3 to pod4 but not pod3 to pod2, it saves user from creating additional rules to realize this restriction.
+
+<strong>Use label to enable/disable namespace boundary enforcement</strong>
+
++ **Add label to enable NBE**
+> kubectl label namespace <namespace> NeuvectorNamespaceBoundary=enabled
+
++ **Remove or change label to disable NBE**
+> kubectl label namespace <namespace> NeuvectorNamespaceBoundary-
+or
+kubectl label namespace <namespace> NeuvectorNamespaceBoundary=disabled