Group Tag Association Policies
An AssociationPolicy associates one or more Group Tags with one or more network resources, called associationTargets. The policy consists of entries, so multiple associations between Group Tags and associationTargets can be grouped in a single policy.
Possible associationTargets include:
- BridgeInterfaces
- IRB Interfaces
- Routed Interfaces
- Static Routes
- VLANs
These resources can be selected by name or by using their corresponding label selectors.
For example, a policy entry could associate the Quarantine GroupTag with all BridgeInterfaces that carry the label "eda.nokia.com/security=quarantine".
Group Tags cannot be associated with network resources in the underlay.
Group Tags are not supported on DefaultInterfaces.
Dependencies
An AssociationPolicy associates GroupTags to associationTargets.
One or more GroupTags are required to create an AssociationPolicy.
One or more associationTargets are required to create an AssociationPolicy.
Referenced resources
There are no references to other resources.
Examples
apiVersion: microsegmentation.eda.nokia.com/v1alpha1
kind: AssociationPolicy
metadata:
  name: client-group-associations
  namespace: eda
spec:
  associationPolicyEntries:
    # Tag every BridgeInterface that carries the groupinfo label.
    - associationTargets:
        bridgeInterfaceSelectors:
          - eda.nokia.com/groupinfo = client-group1
      groupTagNames:
        - client-group1
    # Tag a single BridgeInterface selected by name.
    - associationTargets:
        bridgeInterfaces:
          - leaf1-client2
      groupTagNames:
        - client-group2
    # Tag every BridgeInterface labelled for quarantine.
    - associationTargets:
        bridgeInterfaceSelectors:
          - eda.nokia.com/security = quarantine
      groupTagNames:
        - quarantine

cat << 'EOF' | kubectl apply -f -
apiVersion: microsegmentation.eda.nokia.com/v1alpha1
kind: AssociationPolicy
metadata:
  name: client-group-associations
  namespace: eda
spec:
  associationPolicyEntries:
    # Tag every BridgeInterface that carries the groupinfo label.
    - associationTargets:
        bridgeInterfaceSelectors:
          - eda.nokia.com/groupinfo = client-group1
      groupTagNames:
        - client-group1
    # Tag a single BridgeInterface selected by name.
    - associationTargets:
        bridgeInterfaces:
          - leaf1-client2
      groupTagNames:
        - client-group2
    # Tag every BridgeInterface labelled for quarantine.
    - associationTargets:
        bridgeInterfaceSelectors:
          - eda.nokia.com/security = quarantine
      groupTagNames:
        - quarantine
EOF
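
The Dependencies rules and the example policy above can be audited offline before the manifest is applied. The Python below is an added example, not part of the EDA documentation or Nokia's code; it assumes equality-only selectors that are evaluated independently, and `ENTRIES`, `INVENTORY`, `parse_selector` and `resolve` are hypothetical names with a constructed interface inventory.

```python
# Added example: offline audit of an AssociationPolicy before it is applied.
# Assumptions: selectors are equality-only ("key = value") and independent;
# INVENTORY (BridgeInterface name -> labels) is constructed sample data.
ENTRIES = [  # associationPolicyEntries, as in the page's example
    {"associationTargets": {"bridgeInterfaceSelectors":
        ["eda.nokia.com/groupinfo = client-group1"]},
     "groupTagNames": ["client-group1"]},
    {"associationTargets": {"bridgeInterfaces": ["leaf1-client2"]},
     "groupTagNames": ["client-group2"]},
    {"associationTargets": {"bridgeInterfaceSelectors":
        ["eda.nokia.com/security = quarantine"]},
     "groupTagNames": ["quarantine"]},
]
INVENTORY = {
    "leaf1-client1": {"eda.nokia.com/groupinfo": "client-group1"},
    "leaf1-client2": {"eda.nokia.com/security": "quarantine"},
    "leaf2-client3": {},
}

def parse_selector(selector):
    """Split 'key = value' into (key, value); return None for any other form."""
    key, sep, value = (p.strip() for p in selector.partition("="))
    ok = sep and key and value and not set(" =!") & set(key + value)
    return (key, value) if ok else None

def resolve(entries, inventory):
    """Return ({interface: [tags]}, [findings]) for BridgeInterface targets."""
    tags, findings = {name: set() for name in inventory}, []
    for i, entry in enumerate(entries):
        targets = entry.get("associationTargets") or {}
        names = entry.get("groupTagNames") or []
        if not names or not any(targets.values()):
            findings.append(f"entry {i}: needs a Group Tag and a target")
            continue
        named = set(targets.get("bridgeInterfaces", []))
        findings += [f"entry {i}: unknown interface {n}"
                     for n in sorted(named - set(inventory))]
        matched = named & set(inventory)
        for sel in targets.get("bridgeInterfaceSelectors", []):
            parsed = parse_selector(sel)
            hits = {n for n, lab in inventory.items()
                    if parsed and lab.get(parsed[0]) == parsed[1]}
            if not hits:
                findings.append(f"entry {i}: {sel!r} invalid or matches nothing")
            matched |= hits
        for name in matched:
            tags[name].update(names)
    findings += [f"{n}: carries several Group Tags {sorted(t)}"
                 for n, t in tags.items() if len(t) > 1]
    findings += [f"{n}: no Group Tag" for n, t in tags.items() if not t]
    return {n: sorted(t) for n, t in tags.items()}, findings
```

With the constructed inventory, `resolve(ENTRIES, INVENTORY)` reports that `leaf1-client2` receives both `client-group2` (by name) and `quarantine` (by label), and that `leaf2-client3` receives no Group Tag.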
Custom Resource Definition
To browse the Custom Resource Definition go to crd.eda.dev.
AssociationPolicy
SPEC
An Association Policy is used to apply Group Tags to interfaces or static routes.
- An Association Policy Entry defines the association of a Group Tag to a set of Routed or Bridged interfaces, or static routes.
  - The interfaces and static routes to which the Group Tag gets associated.
    - Label selector to select BridgeInterfaces on which to assign the Group Tag.
    - The Bridge Interfaces on which to assign the Group Tag.
    - Label selector used to select IRB Interfaces on which to assign the Group Tag.
    - The IRB Interfaces on which to assign the Group Tag.
    - Label selector to select Routed Interfaces on which to assign the Group Tag.
    - The Routed Interfaces on which to assign the Group Tag.
    - Label selector to select Static Routes on which to assign the Group Tag. Static routes only get enforced in L3 services.
    - The StaticRoutes on which to assign the Group Tag. Static routes only get enforced in L3 services.
    - Label selector to select VLANs on which to assign the Group Tag.
    - The VLANs on which to assign the Group Tag.
  - The Group Tag to be associated with the below interfaces or static routes.
STATUS
AssociationPolicyStatus defines the observed state of AssociationPolicy.