cert-manager / website

Source code for the cert-manager.io website, including project documentation
https://cert-manager.io
Apache License 2.0

Network Policy Recommendations #1344

Closed wallrj closed 10 months ago

wallrj commented 10 months ago

Preview: https://deploy-preview-1344--cert-manager-website.netlify.app/docs/installation/best-practice/#network-policy

I've tried to document all the network interactions of a typical cert-manager installation. I've also added some (incomplete) Calico examples, but I'm not sure whether those make the document rather unreadable. I'm inclined to remove the Calico examples for brevity. I removed the Calico examples.

Fixes: #2334

xref:

netlify[bot] commented 10 months ago

Deploy Preview for cert-manager-website ready!

| Name | Link |
| --- | --- |
| Latest commit | a6fb75d3e100e7bd317ebaa592187107b1342d80 |
| Latest deploy log | https://app.netlify.com/sites/cert-manager-website/deploys/6554969494033f0008455762 |
| Deploy Preview | https://deploy-preview-1344--cert-manager-website.netlify.app |

tspearconquest commented 10 months ago

This is great, however given that `kind: NetworkPolicy` exists in different API groups with different specs depending on which CNI you use, it would be great if the documentation could also include examples for multiple common CNIs like Azure and EKS (in addition to Calico).

wallrj commented 10 months ago

> it would be great if the documentation could also include examples for multiple common CNIs like Azure and EKS (in addition to Calico).

I'm dropping the Calico examples for now. There will only be an overview of network requirements and I will leave it to the reader to figure out the configuration for their chosen CNI.

hawksight commented 10 months ago

/lgtm

jetstack-bot commented 10 months ago

@hawksight: adding LGTM is restricted to approvers and reviewers in OWNERS files.

In response to [this](https://github.com/cert-manager/website/pull/1344#issuecomment-1812289642):

> /lgtm

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

hawksight commented 10 months ago

> > it would be great if the documentation could also include examples for multiple common CNIs like Azure and EKS (in addition to Calico).
>
> I'm dropping the Calico examples for now. There will only be an overview of network requirements and I will leave it to the reader to figure out the configuration for their chosen CNI.

I think this is a good decision for now, allowing users to implement their own best practice NetworkPolicy within their current setups. The docs should help them to work out what is needed. I must admit I don't enjoy working with NetworkPolicy and there seem to be a couple of issues that are maybe outside the scope of just cert-manager.

Perhaps the community has some good examples or comments on these that we can use to improve later on.

inteon commented 10 months ago

/approve
/lgtm

Based on feedback from @wallrj and @hawksight

jetstack-bot commented 10 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hawksight, inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/cert-manager/website/blob/master/OWNERS)~~ [inteon]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment