Overview
Tenet is a Kubernetes controller that aims to facilitate setting-up Network Policies on tenant namespaces.
It is designed to work in conjunction with Cilium Network Policies and Accurate.
Motivation
To enhance the security without sacrificing convenience, we want to provide default network policies for tenants to consume. For instance, we want egress communications to be disabled by default in tenant namespaces. Tenants should be able to add exceptions to fit the needs of their workflows while being prevented from adding exceptions that are too broad, i.e. grant access to node resources.
Features
- Allow cluster administrators to provide network policy templates tenants can opt into
- currently
CiliumNetworkPolicyandCiliumClusterwideNetworkPolicytemplates are supported
- currently
- Automatically generate network policies on namespaces that opt into them
- when used in conjunction with
Accurate, resource generation is also performed on SubNamespaces
- when used in conjunction with
- Allow cluster administrators to place restrictions on the expressivity of network policies
- currently only IP address restrictions are supported