Isovalent Enterprise for Cilium: Network Policies

Achieving zero-trust network connectivity via Kubernetes Network Policy is complex as modern applications have many service dependencies (downstream APIs, databases, authentication services, etc.). With the “default deny” model, a missed dependency leads to a broken application. Moreover, the YAML syntax of Network Policy is often difficult for newcomers to understand. This makes writing policies and understanding their expected behavior (once deployed) challenging.

Enter Isovalent Enterprise for Cilium: it provides tooling to simplify and automate the creation of Network Policy based on labels and DNS-aware data from Cilium Hubble. APIs enable integration into CI/CD workflows while visualizations help teams understand the expected behavior of a given policy. Collectively, these capabilities dramatically reduce the barrier to entry to creating Network Policies and the ongoing overhead of maintaining them as applications evolve.

In this hands-on demo we will walk through some of those challenges and their solutions.


Main steps in the lab

01🚀 Deploying a demo app

Let's deploy the demo app! What are the default connection policies? Where can we connect to?

02🛠️ Create a policy in the Hubble UI

Let's check out the visual representation of the policies

03🛡️ Enforce and test new policy

We created a new policy - let's test it! We can even see the connection drops!

04🆕 Update the network policy based on Hubble flows

So..... how do we update an existing policy to take the connection drops into account?