From e98d360f4641a4b3777c4e19dfa9d87a1e08574a Mon Sep 17 00:00:00 2001 From: "M. Essam" Date: Thu, 24 Apr 2025 20:47:15 +0200 Subject: [PATCH] Update kubernetes-operator helm and generated policies docs (#310) --- src/pages/how-to/kubernetes-operator.mdx | 47 +++++++++++++++++------- 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/src/pages/how-to/kubernetes-operator.mdx b/src/pages/how-to/kubernetes-operator.mdx index 22f4cb85..fd709315 100644 --- a/src/pages/how-to/kubernetes-operator.mdx +++ b/src/pages/how-to/kubernetes-operator.mdx @@ -16,13 +16,10 @@ seamlessly access your Kubernetes services and control plane from your NetBird n - Access to a Kubernetes v1.11.3+ cluster. - (Recommended) Cert Manager. -### Installation -You have two methods of installing the NetBird Kubernetes operator: using Helm or the install.yaml file. - #### Using Helm 1. Add helm repository. ```shell -helm repo add netbirdio https://netbirdio.github.io/kubernetes-operator +helm repo add netbirdio https://netbirdio.github.io/helms ``` 2. (Recommended) Install [cert-manager](https://cert-manager.io/docs/installation/#default-static-install) for k8s API to communicate with the NetBird operator. ```shell 
@@ -77,16 +74,6 @@ The configuration or version update of the operator can be done with `helm upgra helm upgrade --create-namespace -f values.yaml -n netbird netbird-operator netbirdio/kubernetes-operator ``` -#### Using install.yaml - -install.yaml only includes a very basic template for deploying a stripped-down version of Kubernetes-operator. -This option does not include any configurations for ingress capabilities and requires the cert-manager to be installed. - - -```shell -kubectl create namespace netbird -kubectl apply -n netbird -f https://raw.githubusercontent.com/netbirdio/kubernetes-operator/refs/heads/main/manifests/install.yaml -``` ## Expose Kubernetes Control Plane to your NetBird Network To access your Kubernetes control plane from a NetBird network, you can expose your Kubernetes control plane as a [NetBird resource](/how-to/networks#resources) by enabling the following option in the operator values: 
@@ -231,6 +218,38 @@ The operator will create a policy in your management account similar to the one You can reference multiple policy bases using a comma separated list of policy bases: `netbird.io/policy: "app-users,app-admins"` +### Policy auto-creation + +1. Ensure `ingress.allowAutomaticPolicyCreation` is set to true in the Helm chart and apply. +2. Annotate a service with `netbird.io/policy` with the name of the policy as a kubernetes object, for example `netbird.io/policy: default`. This will create an NBPolicy with the name `default--`. +3. Annotate the same service with `netbird.io/policy-source-groups` with a comma-separated list of group names to allow as a source, for example `netbird.io/policy-source-groups: dev`. +4. (Optional) Annotate the service with `netbird.io/policy-name` for a human-friendly name, for example `netbird.io/policy-name: "default:Default policy for kubernetes cluster"`. +Example: +```yaml +apiVersion: v1 +kind: Service +metadata: + name: app + annotations: + netbird.io/expose: "true" + netbird.io/groups: "app-access" + netbird.io/policy: "app-users" + netbird.io/policy-source-groups: "dev" + netbird.io/policy-name: "dev:Developers to app" +spec: + selector: + app: app + ports: + - protocol: TCP + port: 8080 + targetPort: 80 + type: ClusterIP +``` + + + If a policy already exists with the name specified in `netbird.io/policy`, the other settings will be ignored in favor of the existing policy. + + ## Accessing Remote Services Using Sidecars To access services running in different locations from your Kubernetes clusters, you can deploy NetBird sidecars—additional containers that run alongside your Kubernetes service containers within the same pod.
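Review bot: In the first hunk, deleting `### Installation` and the "two methods" sentence leaves `#### Using Helm` as a level-4 heading with no level-3 parent, so the section now skips a heading level right after the prerequisites list; since Helm is the only remaining method, consider replacing `#### Using Helm` with `### Installation` (or `### Installing with Helm`) and dropping the numbered sub-heading. The same hunk also changes the chart repository from `https://netbirdio.github.io/kubernetes-operator` to `https://netbirdio.github.io/helms`, which is a behavioural change for anyone who already ran the old `helm repo add`; a one-line note telling existing users to `helm repo remove netbirdio` and re-add it, or confirming that the old URL keeps working, would avoid upgrades silently pulling from the stale repo.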
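Review bot: The second hunk removes the `install.yaml` section without saying what happens to clusters that were installed from `manifests/install.yaml`; please either state that the manifest is no longer supported and give a short migration path to the Helm chart (the `helm upgrade --create-namespace -f values.yaml -n netbird ...` command kept in the context line is a natural anchor for it), or leave a one-sentence pointer so readers following older instructions are not left without guidance.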
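Review bot: In the third hunk, step 2 of "Policy auto-creation" says the operator creates an NBPolicy named `default--`, which reads as a truncated naming template; the actual scheme (what follows the double dash) should be spelled out, since users need it to find and reconcile the generated object. The example and the steps also disagree on the `netbird.io/policy-name` prefix: step 4 uses `"default:Default policy for kubernetes cluster"` where `default` matches the `netbird.io/policy` value, but the example uses `netbird.io/policy: "app-users"` with `netbird.io/policy-name: "dev:Developers to app"`, so it is unclear whether the part before the colon refers to the policy base, the source group, or something else; one sentence defining it would resolve this. Finally, the closing note that "the other settings will be ignored in favor of the existing policy" has access-control consequences worth stating explicitly: a team that annotates a Service with `netbird.io/policy-source-groups: "dev"` may believe access is limited to `dev` while the pre-existing policy grants broader access, and because `ingress.allowAutomaticPolicyCreation` lets anyone with permission to create or annotate Services create NetBird policies, the section should mention how the operator surfaces this case (status condition or event) and that Service annotate/create RBAC in annotated namespaces now effectively controls network policy. On style, the note paragraph is indented by one space and wrapped in double blank lines, and "kubernetes" in step 2 should be capitalised like the rest of the page.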