Doc : explain network policies needed

[tpoindessous]

Is your feature request related to a problem? Please describe.
Hi

we are installing httpcache on GKE, but we have network policies. We are debugging to find what are the requirements.

Describe the solution you'd like
We would like to have a documentation for network policies 😄

Describe alternatives you've considered
When we finish our installation, we will publish a PR for this documentation.

Additional context
Thanks for your work !

[martin-helmich]

Sorry that this has been laying around for a while. Hope my answer is still useful. This is not a documentation per se (PRs to make it fancy and add it to the README are welcome -- at least, until I get around to it myself), but here goes (note, this is from memory and may be not entirely complete):

You'll need network policies that allow...

1. kube-httpcache to connect to the Pods selected by your backend service (whichever port your HTTP workload runs on)
2. your ingress controller to connect to kube-httpcache on its HTTP port (usually 8080)

Additionally, when using a HA setup with the signaller component, you'll also need policies that allow...

4. kube-httpcache to connect to other kube-httpcache Pods on its signaller port (usually 8090)
5. your ingress controller to connect to kube-httpcache on its signaller port, IF you need to trigger purge requests from somewhere external to your cluster
6. your backend service to connect to kube-httpcache on its signaller port, IF the workload should trigger purge requests on its own

Additionally, when using a sharded, self-routing setup, you'll also need policies that allow...

7. kube-httpcache to connect to other kube-httpcache Pods on its HTTP port (usually 8080)