Egress access control tutorial

docs/features/network-mapping-network-policies/reference/README.mdx

@@ -1,10 +1,10 @@
 ---
 sidebar_position: 3
 title: Reference
-hide_table_of_contents: true
+hide_table_of_contents: false
 ---
 
-### ClientIntents example (YAML)
+## ClientIntents example (YAML)
 
 ```yaml
 apiVersion: k8s.otterize.com/v1alpha3
@@ -28,8 +28,22 @@ spec:
           methods: [ get, post ]
 ```
 
+#### ClientIntents and DNS values
 
-### Helm Chart options
+When a ClientIntent is specified utilizing DNS identifiers, such as domain names, it initiates a sequence of operations to integrate the relevant IP addresses into the respective NetworkPolicies.
+
+1. The Network Mapper incorporates a DNS cache layer, which identifies and archives all resolved DNS records alongside their corresponding IPv4 and IPv6 IP addresses.
+2. Without a ClientIntent associated with the given domain or its related IP addresses, Otterize will propose a policy tailored to the observed traffic.
+3. Upon the application of a ClientIntent with a domain name present in the cache, the NetworkMapper dynamically updates the intent’s `status` section at one-second intervals with any newly identified IP addresses. It is important to note that Otterize retains all previously identified IP addresses to ensure backward compatibility.
+4. The Intents Operator reviews changes within the `status` section and amends the associated NetworkPolicy to include these newly discovered IP addresses.
+
+
+
+
+
+
+
+## Helm Chart options
 
 | Key                                     | Description                                                                                                                           | Default |
 |-----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|---------|
@@ -39,12 +53,12 @@ spec:
 
 View the [Helm chart reference](/reference/configuration/otterize-chart) for all other options
 
-### Network mapper parameters
+## Network mapper parameters
 All configurable parameters of the network mapper can be configured under the alias `networkMapper`.
 Further information about network mapper parameters can be found [in the network mapper's chart](https://github.com/otterize/helm-charts/tree/main/network-mapper).
 
 
-### CLI: Network mapper commands
+## CLI: Network mapper commands
 
 All `otterize network-mapper` commands share a set of optional flags which will not be repeated in the documentation
 for each command.

package.json

@@ -30,7 +30,7 @@
     "react": "^17.0.2",
     "react-dom": "^17.0.2",
     "react-loadable": "^5.5.0",
-    "vercel": "^33.4.0"
+    "vercel": "^33.5.4"
   },
   "devDependencies": {
     "@docusaurus/module-type-aliases": "^2.4.3",

static/code-examples/egress-access-control/all.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: otterize-tutorial-egress-access
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  namespace:  otterize-tutorial-egress-access
+spec:
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+    spec:
+      containers:
+        - name: frontend
+          imagePullPolicy: Always
+          image: 'otterize/egress-tutorial-frontend'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend
+  namespace:  otterize-tutorial-egress-access
+spec:
+  selector:
+    matchLabels:
+      app: backend
+  template:
+    metadata:
+      labels:
+        app: backend
+    spec:
+      containers:
+        - name: backend
+          imagePullPolicy: Always
+          image: 'otterize/egress-tutorial-backend'
+          ports:
+            - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend
+  namespace: otterize-tutorial-egress-access
+spec:
+  selector:
+    app: backend
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080

static/code-examples/egress-access-control/default-deny-policy.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  - Ingress
+  egress:
+      - ports:
+        - protocol: UDP
+          port: 53

static/code-examples/egress-access-control/dns-enabled-npol.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-access
+spec:
+  egress:
+    - ports:
+        - port: 53
+          protocol: UDP
+      to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+  podSelector:
+    matchExpressions:
+      - key: intents.otterize.com/service
+        operator: Exists
+  policyTypes:
+    - Egress

static/code-examples/egress-access-control/domain-intents.yaml

@@ -0,0 +1,26 @@
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: frontend
+  namespace:  otterize-tutorial-egress-access
+spec:
+  service:
+    name: frontend
+  calls:
+    - name: backend
+---
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: backend
+  namespace: otterize-tutorial-egress-access
+spec:
+  service:
+    name: backend
+  calls:
+    - type: internet
+      internet:
+        domains:
+          # Domain name for our advice service
+          - api.adviceslip.com
+    - name: frontend

static/code-examples/egress-access-control/intents-no-external-api.yaml

@@ -0,0 +1,21 @@
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: frontend
+  namespace:  otterize-tutorial-egress-access
+spec:
+  service:
+    name: frontend
+  calls:
+    - name: backend
+---
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: backend
+  namespace: otterize-tutorial-egress-access
+spec:
+  service:
+    name: backend
+  calls:
+    - name: frontend

static/code-examples/egress-access-control/intents.yaml

@@ -0,0 +1,25 @@
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: frontend
+  namespace:  otterize-tutorial-egress-access
+spec:
+  service:
+    name: frontend
+  calls:
+    - name: backend
+---
+apiVersion: k8s.otterize.com/v1alpha3
+kind: ClientIntents
+metadata:
+  name: backend
+  namespace: otterize-tutorial-egress-access
+spec:
+  service:
+    name: backend
+  calls:
+    - type: internet
+      internet:
+        ips:
+          - 185.53.57.80 # IP address of our external aPI
+    - name: frontend

yarn.lock

@@ -8841,7 +8841,7 @@ vary@~1.1.2:
   resolved "https://registry.yarnpkg.com/vary/-/vary-1.1.2.tgz#2299f02c6ded30d4a5961b0b9f74524a18f634fc"
   integrity sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==
 
-vercel@^33.4.0:
+vercel@^33.5.4:
   version "33.5.5"
   resolved "https://registry.yarnpkg.com/vercel/-/vercel-33.5.5.tgz#77848b78d7535d436ecd884b61a2910709a677cf"
   integrity sha512-MsuUq6JCPGtRhrzHQ2MVRh8bxNkhVWDaYGPk3LGSEWKbJ0dkB1ic97s5uMEBSsp6QgUB8ZaGuosPDTDGgmPxXw==