This page provides instructions to configure allow-all traffic network policies in Google Distributed Cloud (GDC) air-gapped.
Project network policies define either ingress or egress rules. You can define policies that allow communication within projects, between projects, and with external IP addresses.
Before you begin
To configure allow-all traffic network policies, you must have the following:
- The necessary identity and access roles. For more information, see Prepare predefined roles and access.
- An existing project. For more information, see Create a project.
Create an allow-all traffic policy
This policy allows traffic to and from any source, including other projects and external IP addresses. Because it admits every source and destination, it removes network isolation for the project's workloads; apply it only where that is intended, and prefer the narrower external-only or projects-only policies described later on this page when one of those is sufficient.
Allow all ingress traffic
To allow all incoming traffic from any source to all workloads in your project, create the following policy:
kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
apiVersion: networking.global.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT
  name: allow-all-ingress
spec:
  policyType: Ingress
  ingress:
  - {}
EOF
Allow all egress traffic
To allow all outgoing traffic to any destination from all workloads in your project, create the following policy:
kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
apiVersion: networking.global.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT
  name: allow-all-egress
spec:
  policyType: Egress
  egress:
  - {}
EOF
Replace the following:
GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
PROJECT: the name of the project where you want to allow all traffic.
Create an allow-all-external traffic policy
This policy allows traffic to and from IP addresses external to the organization. The cidr value 0.0.0.0/0 matches every IPv4 address; to admit only known networks, replace it with the specific CIDR ranges you need.
Allow all external ingress traffic
To allow all incoming traffic from external IP addresses to all workloads in a project, create the following policy:
kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
apiVersion: networking.global.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT
  name: allow-all-external-ingress
spec:
  policyType: Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
EOF
Allow all external egress traffic
To allow all outgoing traffic from all workloads in your project to external IP addresses, create the following policy:
kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
apiVersion: networking.global.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT
  name: allow-all-external-egress
spec:
  policyType: Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
EOF
Replace the following:
GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
PROJECT: the name of the project where you want to allow all external traffic.
Create an allow-all-projects traffic policy
This policy allows traffic to and from all projects within the organization.
Allow all projects ingress traffic
To allow incoming traffic from all projects to all workloads in your project, create the following policy:
kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
apiVersion: networking.global.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT
  name: allow-all-projects-ingress
spec:
  policyType: Ingress
  ingress:
  - from:
    - projectSelector: {}
EOF
Allow all projects egress traffic
To allow outgoing traffic from all workloads in your project to all projects, create the following policy:
kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
apiVersion: networking.global.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT
  name: allow-all-projects-egress
spec:
  policyType: Egress
  egress:
  - to:
    - projectSelector: {}
EOF
Replace the following:
GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
PROJECT: the name of the project where you want to allow all projects traffic.
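The three policy shapes on this page (the bare `{}` rule, the `ipBlock` with `cidr: 0.0.0.0/0`, and the empty `projectSelector`) are easy to apply and easy to forget. The following added example, which is not part of the GDC documentation or tooling, builds those manifests programmatically, shows the narrower CIDR-scoped form of the external policy, and audits a list of ProjectNetworkPolicy objects to report every project that still has an allow-all rule. It assumes only the fields shown on this page and the standard `{"items": [...]}` List shape that `kubectl get ... -o json` prints; the resource name `projectnetworkpolicies` in the comment and the treatment of an empty `from`/`to` list as allow-all are assumptions, and `SAMPLE_LIST` is constructed input.

```python
"""Build and audit GDC ProjectNetworkPolicy manifests.

Added example for this page, not GDC's own tooling. It assumes only the
ProjectNetworkPolicy fields shown on the page (policyType, ingress[].from,
egress[].to, ipBlock.cidr, projectSelector) and the standard List shape that
`kubectl get ... -o json` prints ({"items": [...]}). SAMPLE_LIST is constructed.
"""
import ipaddress
import json

API_VERSION = "networking.global.gdc.goog/v1"
KIND = "ProjectNetworkPolicy"


def allow_all_policy(project, policy_type):
    """Equivalent of the page's allow-all-ingress / allow-all-egress manifests."""
    direction = policy_type.lower()            # "ingress" or "egress"
    return {
        "apiVersion": API_VERSION,
        "kind": KIND,
        "metadata": {"namespace": project, "name": f"allow-all-{direction}"},
        "spec": {"policyType": policy_type, direction: [{}]},
    }


def cidr_policy(project, policy_type, name, cidrs):
    """Same shape as the allow-all-external manifests, but with explicit CIDRs.

    Passing ["0.0.0.0/0"] reproduces the page's example; passing the address
    ranges you actually need gives the narrower policy to prefer in production.
    """
    direction = policy_type.lower()
    peer_key = "from" if direction == "ingress" else "to"
    for c in cidrs:
        ipaddress.ip_network(c, strict=False)  # reject malformed CIDRs before apply
    rule = {peer_key: [{"ipBlock": {"cidr": c}} for c in cidrs]}
    return {
        "apiVersion": API_VERSION,
        "kind": KIND,
        "metadata": {"namespace": project, "name": name},
        "spec": {"policyType": policy_type, direction: [rule]},
    }


def rule_scope(rule, peer_key):
    """Classify one ingress/egress rule by the widest peers it admits.

    Returns a set of labels: "any" (the bare `{}` rule), "all-external"
    (a /0 ipBlock), "all-projects" (an empty projectSelector), else "scoped".
    """
    peers = rule.get(peer_key)
    if not peers:        # no from/to: the page's `- {}` rule. Assumption: an
        return {"any"}   # empty list is treated the same, as Kubernetes does.
    labels = set()
    for peer in peers:
        if peer.get("projectSelector") == {}:
            labels.add("all-projects")
        cidr = peer.get("ipBlock", {}).get("cidr")
        if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            labels.add("all-external")
    return labels or {"scoped"}


def audit(policy_list):
    """Return (namespace, name, policyType, labels) for every broad policy."""
    findings = []
    for item in policy_list["items"]:
        spec = item["spec"]
        ptype = spec["policyType"]
        direction, peer_key = ("ingress", "from") if ptype == "Ingress" else ("egress", "to")
        labels = set()
        for rule in spec.get(direction, []):
            labels |= rule_scope(rule, peer_key)
        labels.discard("scoped")
        if labels:
            meta = item["metadata"]
            findings.append((meta["namespace"], meta["name"], ptype, sorted(labels)))
    return findings


# Constructed sample in the shape of (resource name assumed):
#   kubectl --kubeconfig GLOBAL_API_SERVER get projectnetworkpolicies -A -o json
SAMPLE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        allow_all_policy("demo-project", "Ingress"),
        cidr_policy("demo-project", "Egress", "allow-all-external-egress", ["0.0.0.0/0"]),
        {
            "apiVersion": API_VERSION, "kind": KIND,
            "metadata": {"namespace": "demo-project", "name": "allow-all-projects-ingress"},
            "spec": {"policyType": "Ingress", "ingress": [{"from": [{"projectSelector": {}}]}]},
        },
        cidr_policy("demo-project", "Egress", "allow-corp-egress", ["10.20.0.0/16", "192.0.2.0/24"]),
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LIST):
        print(*finding)
    print(json.dumps(cidr_policy("demo-project", "Ingress", "allow-corp-ingress", ["10.20.0.0/16"]), indent=2))
```

Run against real output by replacing `SAMPLE_LIST` with `json.load(...)` of the `kubectl get ... -o json` result; the scoped `allow-corp-egress` policy produces no finding, while the three allow-all shapes from this page are each reported with the label that names how wide they are.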