access-policies

frodesundby · frodesundby · commit 579f925b69b6 · 2024-02-06T14:36:28.000+01:00
diff --git a/docs/explanation/zero-trust.md b/docs/explanation/zero-trust.md
@@ -38,3 +38,5 @@ spec:
 ![access-policy-3](../assets/access-policy-3.png)
 
 Now that both applications has explicitly declared their policies, the communication is allowed.
+
+See more about [how to define access policies](../how-to-guides/access-policies.md)
diff --git a/docs/how-to-guides/access-policies.md b/docs/how-to-guides/access-policies.md
@@ -0,0 +1,187 @@
+# Access policies
+
+This guide will show you how to define [access policies](../explanation/zero-trust.md) for your [workload](../explanation/workloads/README.md).
+
+## Receive requests from workloads in the same namespace
+
+For app `<MY-APP>` to be able to receive incoming requests from `<MY-OTHER-APP>` in the same namespace, this specification is needed for `<MY-APP>`:
+
+=== "app.yaml"
+
+    ```yaml
+    apiVersion: "nais.io/v1alpha1"
+    kind: "Application"
+    metadata:
+      name: <MY-APP>
+    ...
+    spec:
+      ...
+      accessPolicy:
+        inbound:
+          rules:
+            - application: <MY-OTHER-APP>
+    ```
+
+=== "visualization"
+
+    ```mermaid
+    graph LR
+      accTitle: Receive requests from other workload in the same namespace
+      accDescr: The diagram shows two applications in the same namespace, MY-APP and MY-OTHER-APP. Application MY-APP is allowed to receive requests from MY-OTHER-APP.
+
+      MY-OTHER-APP--"✅"-->MY-APP
+
+      subgraph namespace
+        MY-OTHER-APP
+        MY-APP
+      end
+    ```
+
+## Receive requests from workloads in other namespaces
+
+For app `<MY-APP>` to be able to receive incoming requests from `<ANOTHER-APP>` in `<ANOTHER-NAMESPACE>`, this specification is needed for `<MY-APP>`:
+
+=== "app.yaml"
+
+    ```yaml
+    apiVersion: "nais.io/v1alpha1"
+    kind: "Application"
+    metadata:
+      name: <MY-APP>
+    ...
+    spec:
+      ...
+      accessPolicy:
+        inbound:
+          rules:
+            - application: <ANOTHER-APP>
+              namespace: <ANOTHER-NAMESPACE>
+    ```
+
+=== "visualization"
+
+    ```mermaid
+    graph LR
+      accTitle: Receive requests from other app in the another namespace
+      accDescr: The diagram shows two applications in different namespaces, <MY-APP and ANOTHER-APP. Application MY-APP is allowing requests from ANOTHER-APP.
+
+      ANOTHER-APP--"✅"-->MY-APP
+
+      subgraph namespace
+        MY-APP
+      end
+
+      subgraph another-namespace
+        ANOTHER-APP
+      end
+    ```
+
+## Send requests to another app in the same namespace
+
+For app `MY-APP` to be able to send requests to `<MY-OTHER-APP>` in the same namespace, this specification is needed for `<MY-APP`:
+
+=== "nais.yaml"
+
+    ```yaml
+    apiVersion: "nais.io/v1alpha1"
+    kind: "Application"
+    metadata:
+      name: <MY-APP>
+    ...
+    spec:
+      ...
+      accessPolicy:
+        outbound:
+          rules:
+            - application: <MY-OTHER-APP>
+    ```
+
+=== "visualization"
+
+    ```mermaid
+    graph LR
+      accTitle: Send requests to other app in the same namespace
+      accDescr: The diagram shows two applications in the same namespace, MY-APP and MY-OTHER-APP. Application MY-APP is allowed to send requests to MY-OTHER-APP.
+
+      MY-APP--"✅"-->MY-OTHER-APP
+
+      subgraph mynamespace
+        MY-APP
+        MY-OTHER-APP
+      end
+    ```
+
+## Send requests to other app in the another namespace
+
+For app `<MY-APP>` to be able to send requests to `<ANOTHER-APP>` in `<ANOTHER-NAMESPACE>`, this specification is needed for `<MY-APP>`:
+
+=== "nais.yaml"
+
+    ```yaml
+    apiVersion: "nais.io/v1alpha1"
+    kind: "Application"
+    metadata:
+      name: <MY-APP>
+    ...
+    spec:
+      ...
+      accessPolicy:
+        outbound:
+          rules:
+            - application: <ANOTHER-APP>
+              namespace: <ANOTHER-NAMESPACE>
+    ```
+
+=== "visualization"
+
+    ```mermaid
+    graph LR
+      accTitle: Send requests to other app in another-namespace
+      accDescr: The diagram shows two applications in different namespaces, MY-APP and ANOTHER. Application MY-APP is allowed to send requests to ANOTHER-APP.
+
+      MY-APP--"✅"-->ANOTHER-APP
+
+      subgraph mynamespace
+        MY-APP
+      end
+
+      subgraph another-namespace
+        ANOTHER-APP
+      end
+    ```
+
+## Send requests to external endpoints
+
+For app `<MY-APP>` to be able to send requests outside of the environment, this specification is needed for `<MY-APP>`:
+
+=== "app.yaml"
+
+    ```yaml
+    apiVersion: "nais.io/v1alpha1"
+    kind: "Application"
+    metadata:
+      name: <MY-APP>
+    ...
+    spec:
+      ...
+      accessPolicy:
+        outbound:
+          external:
+            - host: external-application.com
+    ```
+
+=== "visualization"
+
+    ```mermaid
+    graph LR
+      accTitle: External services
+      accDescr: The diagram shows an application, <MY-APP>, that is allowed to send requests to an external service.
+
+      MY-APP--"✅"-->external-application.com
+
+      subgraph environment
+        subgraph mynamespace
+          MY-APP
+        end
+      end
+    ```
