(Advanced) Create Cross-Scope Policies
This procedure describes the advanced method of creating cross-scope policies (policies in which the consumer and provider are in different scopes). It applies to both manually created policies and automatically discovered policies.
This method requires two policies for each consumer-provider pair, because both ends of the conversation must allow the conversation to happen:
- A policy in the consumer's scope must allow conversations with the provider, and
- A policy in the provider's scope must allow conversations with the consumer.
This procedure includes the steps that must be taken by the owner of each scope in order to create cross-scope policies. If your access privileges allow you to modify both scopes, you can perform all steps.
Before you begin
- Consider simpler options for handling cross-scope traffic. See When Consumer and Provider Are in Different Scopes: Policy Options.
- Policies using this method must be created in the primary workspace of both the consumer and the provider. If the provider scope to be specified in the policy does not yet have a primary workspace, create it before creating cross-scope policies using this method.
- The policies must have the ALLOW action in order for policy requests to be created.
- For additional details related to these requirements, see Policy Requests.
- (Optional) Consider options for automatic handling of cross-scope policy requests. See Automate Handling of Cross-Scope Policy Requests.
- (Optional) If you want cross-scope policies to apply only to the workloads in a cluster within the consumer or provider scope, and not to the entire scope, see Convert a Cluster to an Inventory Filter. Clusters cannot be used in cross-scope policies created using this procedure.
If you are discovering policies automatically, see also External Dependencies and Fine-Tune External Dependencies for a Workspace.
Procedure
1. In the consumer's primary workspace, create the desired policy, either manually or using automatic policy discovery. For each cross-scope policy created, a policy request is automatically created for the provider. To view the policy requests, see Viewing, Accepting, and Rejecting Policy Requests. Note: If an existing policy in the provider application's workspace already matches this traffic, a new policy is not needed and a request is not created. This situation is indicated as described in Resolved Policy Requests.
2. You (or the owner of the provider application) must respond to each policy request: see Viewing, Accepting, and Rejecting Policy Requests. Accepting a policy request automatically creates the required policy in the primary workspace of the provider, allowing traffic between the two applications. If you do not want to allow traffic from the requesting application, reject the request.
3. (Optional) If you are automatically discovering policies, you may want to Fine-Tune External Dependencies for a Workspace.
4. Review and analyze both primary workspaces.
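The pairing rule in this procedure (a consumer-side ALLOW policy needs a matching ALLOW policy in the provider's primary workspace, and a request is created only when no such match exists) can be checked against an exported policy list before the review step. The script below is an added example, not part of this documentation or the product; the `Policy` fields, the constructed sample policies and the matching criteria (same consumer, provider and port) are assumptions, not the product's data model.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Policy:
    workspace_scope: str  # scope whose primary workspace holds this policy (assumed field)
    consumer: str         # consumer scope
    provider: str         # provider scope
    port: int             # provider port the policy covers
    action: str           # "ALLOW" or "DENY"


def is_cross_scope(p: Policy) -> bool:
    return p.consumer != p.provider


def matching_provider_policy(p: Policy, policies: List[Policy]) -> bool:
    """True if the provider's primary workspace already allows this traffic."""
    return any(
        q.workspace_scope == p.provider and q.consumer == p.consumer
        and q.provider == p.provider and q.port == p.port and q.action == "ALLOW"
        for q in policies
    )


def pending_policy_requests(policies: List[Policy]) -> List[Policy]:
    """Consumer-side cross-scope ALLOW policies with no provider-side counterpart."""
    pending = []
    for p in policies:
        if not is_cross_scope(p) or p.action != "ALLOW":
            continue  # same-scope and DENY policies do not create requests
        if p.workspace_scope != p.consumer:
            continue  # only policies in the consumer's primary workspace trigger requests
        if not matching_provider_policy(p, policies):
            pending.append(p)  # request stays open until the provider owner accepts
    return pending


def accept_request(policies: List[Policy], req: Policy) -> List[Policy]:
    """Accepting a request creates the counterpart policy in the provider's workspace."""
    return policies + [Policy(req.provider, req.consumer, req.provider, req.port, "ALLOW")]


# Constructed sample: "web" is the consumer scope, "db" the provider scope.
CONSTRUCTED_POLICIES = [
    Policy("web", "web", "db", 5432, "ALLOW"),   # cross-scope, no provider-side match yet
    Policy("web", "web", "db", 6379, "ALLOW"),   # cross-scope, already matched below
    Policy("db", "web", "db", 6379, "ALLOW"),    # provider-side counterpart (resolved)
    Policy("web", "web", "db", 22, "DENY"),      # DENY: no request is created
    Policy("web", "web", "web", 8080, "ALLOW"),  # same scope: not cross-scope
]
```

Running `pending_policy_requests(CONSTRUCTED_POLICIES)` reports only the port 5432 policy; once `accept_request` adds its counterpart, nothing remains pending and both workspaces can be reviewed and enforced together.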
What to do next
When you are ready to enforce these policies, you must enforce both primary workspaces.