vmware / terraform-provider-nsxt

Terraform VMware NSX-T provider
https://www.terraform.io/docs/providers/nsxt/

Apply security policy to Antrea Container Clusters #1230

Open kumarm2024 opened 1 month ago

kumarm2024 commented 1 month ago

Is your feature request related to a problem? Please describe.

I wanted to apply a security policy to an Antrea Container Cluster. At present there is no option available to do this using Terraform.

Describe the solution you'd like

There should be an option to apply a security policy to a Container Cluster. At the moment we can apply a security policy to policy groups using the scope argument.

The solution I would like to have: there should be a way for me to define the Antrea cluster in the policy scope.

Describe alternatives you've considered

No response

Additional context

No response

annakhm commented 1 month ago

Hello @kumarm2024, in the group resource you have the option to define member_type arguments that are specific to Kubernetes and Antrea: https://registry.terraform.io/providers/vmware/nsxt/latest/docs/resources/policy_group#member_type. Would this satisfy your ask, or is there anything else missing?

kumarm2024 commented 1 month ago

@annakhm thanks for the reply. I guess you are talking about the "policy group" resource; I know we can create an Antrea group with the "member_type" argument. My question is how we are going to create a security policy resource which will target the Antrea Cluster itself.

So I was talking about the "nsxt_policy_security_policy" resource. What should be defined in the "scope" argument so that it applies to the Antrea Container Cluster (rather than a group)? I want to target the Antrea Container Cluster, not a group.

Let me give you an example:

I have created two groups, group1 and group2, as below:

```hcl
resource "nsxt_policy_group" "group1" {
  display_name = "group1"
  description  = "Terraform provisioned Group"
  group_type   = "ANTREA"

  criteria {
    condition {
      key         = "Name"
      member_type = "Namespace"
      operator    = "EQUALS"
      value       = "test1"
    }
  }
}

resource "nsxt_policy_group" "group2" {
  display_name = "group2"
  description  = "Terraform provisioned Group"
  group_type   = "ANTREA"

  criteria {
    condition {
      key         = "Name"
      member_type = "Namespace"
      operator    = "EQUALS"
      value       = "test2"
    }
  }
}
```

Now I want to create a policy and rule which will drop traffic from group1 to group2:

```hcl
resource "nsxt_policy_security_policy" "test-policy" {
  display_name = "test-policy"
  description  = "Terraform provisioned Security Policy"
  category     = "Application"
  locked       = false
  stateful     = true
  tcp_strict   = false
  scope        = ?????????????? # What to define here so that it applies to the Antrea Container Cluster?

  rule {
    display_name       = "drop"
    # reference the group resources declared above by resource type and name
    source_groups      = [nsxt_policy_group.group1.path]
    destination_groups = null # empty destination refers to all
    scope              = [nsxt_policy_group.group2.path]
    action             = "DROP"
    logged             = true
  }
}
```