docs/reference/intents-operator/README.mdx (7 additions & 7 deletions)
@@ -42,9 +42,9 @@ pod.
42
42
43
43
Learn more: [Network policies deep dive](/features/network-mapping-network-policies/reference/Network-Policies-Deep-Dive)
44
44
45
-
### Handling Third Party Network Policies
46
-
Otterize automate network policies that enables third party traffic.
47
-
Current supported thirds parties are[external traffic](#Handling external traffic) and [Prometheus traffic](#Handling Prometheus traffic).
45
+
### Handling Third Party or Infrastructure traffic
46
+
Otterize automates network policies that enables third party or infrastructure traffic.
47
+
Otterize can currently automatically handle[external traffic](#Handling external traffic) as well as [Prometheus monitoring traffic](#Handling Prometheus traffic).
48
48
49
49
#### Handling external traffic
50
50
The intents operator has automatic behavior for allowing external traffic for pods which have indicated that they are supposed to accept external traffic, such as by creating a `Service` of type `NodePort` or `LoadBalancer`, or an `Ingress` resource.
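Review bot: the two in-page links on the new "Otterize can currently automatically handle" line (`#Handling external traffic`, `#Handling Prometheus traffic`) keep spaces and capitals in the fragment, so they will not match the slug MDX/Docusaurus generates for the `#### Handling external traffic` heading, which would typically be `#handling-external-traffic` (and similarly for the Prometheus heading); fix the fragments and add the missing space in `handle[external traffic]`. Retitling the section to "Handling Third Party or Infrastructure traffic" also changes its generated anchor, so any page that linked to the old "Handling Third Party Network Policies" heading needs updating. Minor: `automates network policies that enables` should read `that enable`.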
@@ -64,14 +64,14 @@ As the intents operator creates network policies, and the semantics of network p
64
64
1. if no network policies apply to a pod, then all traffic is allowed.
65
65
2. once any network policy applies to a pod, only the traffic explicitly allowed in the policy is allowed
66
66
67
-
This meant that if you had no network policies on a pod, and created ClientIntents for that pod, then Prometheus scraping would be blocked. To make it easy to enable Prometheus metrics scraping, the intents operator automatically detects resources with `prometheus.io/scrape: "true"` annotation, and if it creates the first network policy to affect those pods, it also creates a network policy that allows Prometheus scraping.
67
+
This meant that if you had no network policies on a pod, and created ClientIntents for that pod, then Prometheus scraping would be blocked. To make it easy to enable traffic for Prometheus metrics scraping, the intents operator automatically detects resources with `prometheus.io/scrape: "true"` annotation, and if it creates the first network policy to affect those pods, it also creates a network policy that allows Prometheus scraping.
68
68
69
69
For this feature to work, you must set `prometheusServerConfigs` in the Helm chart, so Otterize would be able to identify the Prometheus server in the cluster.
70
70
71
-
This behavior can be disabled using the Helm chart's values - `automateThirdPartyNetworkPolicies` or not setting `prometheusServerConfigs`.
71
+
This behavior can be disabled using the Helm chart's values - `automateThirdPartyNetworkPolicies`, or to only disable Prometheus, make sure `prometheusServerConfigs` is not set.
72
72
73
-
**Note**: If you haven't specified `prometheus.io/port` in the pod or service, Otterize will allow all the ports this workload expose.
74
-
Consider specifying `prometheus.io/port` to allow only the port you want to expose.
73
+
**Note**: If you haven't specified `prometheus.io/port` in the pod or service, Otterize will match Prometheus' behavior by allowing all ports.
74
+
To improve security, specify `prometheus.io/port` to require Prometheus to only connect to that port. Otterize will the only allow access to that port.
75
75
76
76
### AWS IAM
77
77
The intents operator enables automatic management of AWS IAM roles and policies according to the
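Review bot: the new closing note has a typo, `Otterize will the only allow access to that port` should read `Otterize will then only allow access to that port`, and `require Prometheus to only connect to that port` overstates what the annotation does: `prometheus.io/port` tells the scrape configuration which port to target, while it is the generated network policy that narrows what is allowed. It would also help, on the `This behavior can be disabled` line, to state which value of `automateThirdPartyNetworkPolicies` turns the automation off rather than only naming the key, and to say next to the "allowing all ports" sentence that the generated rule still only admits traffic from the workload(s) listed in `prometheusServerConfigs`, so readers understand the actual exposure. Minor: `resources with `prometheus.io/scrape: "true"` annotation` wants `with the ... annotation`.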
docs/reference/otterize-chart/README.mdx (2 additions & 2 deletions)
@@ -71,8 +71,8 @@ Further information about intents-operator parameters can be found [in the inten
71
71
|`intentsOperator.operator.enableEgressNetworkPolicyCreation`| Whether the operator should create *egress* network policies according to `ClientIntents`. |`false`|
72
72
|`intentsOperator.operator.enableKafkaACLCreation`| Whether the operator should create Kafka ACL rules according to `ClientIntents` of type Kafka. |`true`|
73
73
|`intentsOperator.operator.enableIstioPolicyCreation`| Whether the operator should create Istio authorization policies according to `ClientIntents`. |`true`|
74
-
|`operator.automateThirdPartyNetworkPolicies`| Automatically creates network policies to allow required traffic from load balancers, reverse proxies, and Prometheus by tracking Service and Ingress resources, as well as Prometheus scrape annotations. To enable Prometheus metrics scraping traffic, `prometheusServerConfigs` must be set as well|`ifBlockedByOtterize`|
75
-
|`operator.prometheusServerConfigs`|Restricts the automatically created network policies for Prometheus metrics scraping to only originate from Prometheus server. A list of objects with keys `name`, `namespace` and `kind`, such as `Deployment`.|`(none)`|
74
+
|`operator.automateThirdPartyNetworkPolicies`| Automatically creates network policies to allow required traffic from load balancers, reverse proxies, and Prometheus by tracking Service and Ingress resources, as well as `prometheus.io/scrape` annotations. To enable Prometheus metrics scraping traffic, `prometheusServerConfigs` must be set |`ifBlockedByOtterize`|
75
+
|`operator.prometheusServerConfigs`|Specifies where the Prometheus pods are. Required for Otterize to automatically allow access for Prometheus to pods that request monitoring. A list of objects with keys `name`, `namespace` and `kind`, such as `Deployment`. |`(none)`|
76
76
|`intentsOperator.operator.ingressControllerConfigs`| Restricts the automatically created external traffic network policies to only allow access to an ingress controller within the cluster. Only relevant if you use an in-cluster ingress controller, such as nginx or HAProxy. A list of objects with keys `name`, `namespace` and `kind`, such as `ingress-nginx-controller`, `nginx` and `Deployment`. |`(none)`|
77
77
|`intentsOperator.operator.ingressControllerAWSALBExempt`| If set to true, the operator will allow all traffic if an Ingress is managed by the AWS ALB Ingress Controller. |`false`|
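Review bot: the rewritten `operator.prometheusServerConfigs` description drops the statement that this setting restricts the generated Prometheus scrape policy to traffic originating from the listed server; "Specifies where the Prometheus pods are" describes the input but not the security effect, so keep a clause along the lines of "only the listed workload is allowed to reach the scrape port". The two touched rows are also keyed `operator.…` while every neighbouring row uses `intentsOperator.operator.…`; if these values really live under `intentsOperator`, fix the prefix while the rows are being edited. Minor: the `automateThirdPartyNetworkPolicies` description now ends without a period before the closing `|`.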