publicationName [Required]
diff --git a/assets/documentation/1.25/cluster_conf/index.html b/assets/documentation/1.25/cluster_conf/index.html
index a29c6bc26..07713a4a8 100644
--- a/assets/documentation/1.25/cluster_conf/index.html
+++ b/assets/documentation/1.25/cluster_conf/index.html
@@ -286,6 +286,8 @@
Appendixes
diff --git a/assets/documentation/1.25/cncf-projects/cilium/index.html b/assets/documentation/1.25/cncf-projects/cilium/index.html
new file mode 100644
index 000000000..408e8b772
--- /dev/null
+++ b/assets/documentation/1.25/cncf-projects/cilium/index.html
@@ -0,0 +1,593 @@
+
+
+
+
+
+
+
+ Cilium - CloudNativePG v1.25
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ - CNCF Projects Integrations
+ - Cilium
+ -
+
+
+
+
+
+
+
+ Cilium
+ About
+ Cilium is a CNCF Graduated project that was accepted as
+an Incubating project in 2021 and graduated in 2023. It was originally created
+by Isovalent. It is an advanced networking, security, and observability
+solution for cloud native environments, built on top of
+eBPF technology. Cilium manages network traffic in
+Kubernetes clusters by dynamically injecting eBPF programs into the Linux
+Kernel, enabling low-latency, high-performance communication, and enforcing
+fine-grained security policies.
+ Key features of Cilium:
+
+- Advanced L3-L7 security policies for fine-grained network traffic control
+- Efficient, kernel-level traffic management via eBPF
+- Service Mesh integration (Cilium Service Mesh)
+- Support for both Kubernetes NetworkPolicy and CiliumNetworkPolicy
+- Built-in observability and monitoring with Hubble
+
+ To install Cilium in your environment, follow the instructions in the documentation:
+https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/
+ Pod-to-Pod Network Security with CloudNativePG and Cilium
+ Kubernetes’ default behavior is to allow traffic between any two Pods in the cluster network.
+Cilium provides advanced L3/L4 network security using the CiliumNetworkPolicy resource. This
+enables fine-grained control over network traffic between Pods within a Kubernetes cluster. It is
+especially useful for securing communication between application workloads and backend
+services.
+ In the following examples, we demonstrate how Cilium can be used to secure a
+CloudNativePG PostgreSQL instance by restricting ingress traffic to only
+authorized Pods.
+
+ Important
+ Before proceeding, ensure that the cluster-example Postgres cluster is up
+and running in your environment.
+
+ Default Deny Behavior in Cilium
+ By default, Cilium does not deny all traffic unless explicitly configured
+to do so. In contrast to Kubernetes NetworkPolicy, which uses a deny-by-default
+model once a policy is present in a namespace, Cilium provides more flexible
+control over default deny behavior.
+ To enforce a default deny posture with Cilium, you need to explicitly create a
+policy that denies all traffic to a set of Pods unless otherwise allowed. This
+is commonly achieved by using an empty ingress section in combination
+with endpointSelector, or by enabling --enable-default-deny at the
+Cilium agent level for broader enforcement.
+ A minimal example of a default deny policy:
+ apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: default-deny
+ namespace: default
+spec:
+ description: "Default deny all ingress traffic to all Pods in this namespace"
+ endpointSelector: {}
+ ingress: []
+
+ Making Cilium Network Policies work with CloudNativePG Operator
+ When working with a network policy, Cilium or not, the first step is to make
+sure that the operator can reach the Pods in the target namespace. This is
+important because the operator needs to be able to perform checks and actions
+on the Pods, and one of those actions requires access to the port 8000 on the
+Pods to get the current status of the PostgreSQL instance running inside.
+ The following CiliumNetworkPolicy allows the operator to access the Pods in
+the target default namespace:
+ apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: cnpg-operator-access
+ namespace: default
+spec:
+ description: "Allow CloudNativePG operator access to any pod in the target namespace"
+ endpointSelector: {}
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: cnpg-system
+ toPorts:
+ - ports:
+ - port: "8000"
+ protocol: TCP
+
+
+ Important
+ The cnpg-system namespace is the default namespace for the operator when
+using the YAML manifests. If the operator was installed using a different
+process (Helm, OLM, etc.), the namespace may be different. Make sure to adjust
+the namespace properly.
+
+ Allowing access between cluster Pods
+ Since the default policy is "deny all", we need to explicitly allow access
+between the cluster Pods in the same namespace. We will improve our previous
+policy by adding the required ingress rule:
+ apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: cnpg-cluster-internal-access
+ namespace: default
+spec:
+ description: "Allow CloudNativePG operator access and connection between pods in the same namespace"
+ endpointSelector: {}
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: cnpg-system
+ - matchLabels:
+ io.kubernetes.pod.namespace: default
+ cnpg.io/cluster: cluster-example
+ toPorts:
+ - ports:
+ - port: "8000"
+ protocol: TCP
+ - port: "5432"
+ protocol: TCP
+
+ The policy allows access from cnpg-system Pods and from default namespace
+Pods that also belong to cluster-example. The matchLabels selector requires
+Pods to have the complete set of listed labels. Missing even one label means
+the Pod will not match.
+ Restricting Access to PostgreSQL with Cilium
+ In this example, we define a CiliumNetworkPolicy that allows only Pods
+labeled role=backend in the default namespace to connect to a PostgreSQL
+cluster named cluster-example. All other ingress traffic is blocked by
+default.
+ apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: postgres-access-backend-label
+ namespace: default
+spec:
+ description: "Allow PostgreSQL access on port 5432 from Pods with role=backend"
+ endpointSelector:
+ matchLabels:
+ cnpg.io/cluster: cluster-example
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ role: backend
+ toPorts:
+ - ports:
+ - port: "5432"
+ protocol: TCP
+
+ This CiliumNetworkPolicy ensures that only Pods labeled with role=backend
+can access the PostgreSQL instance managed by CloudNativePG via port 5432 in
+the default namespace.
+ In the following policy, we demonstrate how to allow ingress traffic to port
+5432 of a PostgreSQL cluster named cluster-example, only from Pods with the
+label role=backend in any namespace.
+ apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: postgres-access-backend-any-ns
+ namespace: default
+spec:
+ description: "Allow PostgreSQL access on port 5432 from Pods with role=backend in any namespace"
+ endpointSelector:
+ matchLabels:
+ cnpg.io/cluster: cluster-example
+ ingress:
+ - fromEndpoints:
+ - labelSelector:
+ matchLabels:
+ role: backend
+ matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ toPorts:
+ - ports:
+ - port: "5432"
+ protocol: TCP
+
+ The following example allows ingress traffic to port 5432 of the
+cluster-example cluster (located in the default namespace) from any Pods in
+the backend namespace.
+ apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: postgres-access-backend-namespace
+ namespace: default
+spec:
+ description: "Allow PostgreSQL access on port 5432 from any Pods in the backend namespace"
+ endpointSelector:
+ matchLabels:
+ cnpg.io/cluster: cluster-example
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: backend
+ toPorts:
+ - ports:
+ - port: "5432"
+ protocol: TCP
+
+ Using Cilium’s L3/L4 policy model, we define a CiliumNetworkPolicy that
+explicitly allows ingress traffic to cluster Pods only from application Pods in
+the backend namespace. All other traffic is implicitly denied unless
+explicitly permitted by additional policies.
+ The following example allows ingress traffic to port 5432 of the
+cluster-example cluster (located in the default namespace) from any source
+within the Kubernetes cluster.
+ apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: postgres-access-cluster-wide
+ namespace: default
+spec:
+ description: "Allow ingress traffic to port 5432 of the cluster-example from any pods within the Kubernetes cluster"
+ endpointSelector:
+ matchLabels:
+ cnpg.io/cluster: cluster-example
+ ingress:
+ - fromEntities:
+ - cluster
+ toPorts:
+ - ports:
+ - port: "5432"
+ protocol: TCP
+
+ You may consider using editor.networkpolicy.io,
+a visual and interactive tool that simplifies the creation and validation of
+Cilium Network Policies. It’s especially helpful for avoiding misconfigurations
+and understanding traffic rules more clearly by presenting in a visual way.
+ With these policies, you've established baseline access controls for
+PostgreSQL. You can layer additional egress or audit rules using Cilium's
+policy language or extend to L7 enforcement with Envoy.
+
+
+
+
+
+
+
+
+ Cilium
+
Appendixes
@@ -561,7 +563,7 @@ Verifying the Configuration
|