Policy CLI

Managing policies using the border0 CLI

As a Border0 administrator, you can manage policies via the CLI, the Portal, or the API directly. With the border0 CLI you can create, edit and delete policies, as well as attach them to and detach them from Sockets. This section looks at the various CLI options for managing policies.

All policy options can be accessed with the policy command like below:

border0 policy --help
Manage your global Policies

Usage:
  border0 socket policy [command]

Available Commands:
  add         Create a policy
  attach      Attach a policy
  delete      Delete a policy
  detach      Detach a policy
  edit        Edit a policy
  ls          List your Policies
  show        Show a policy

Flags:
  -h, --help   help for policy

Use "border0 socket policy [command] --help" for more information about a command.

Listing

To see all policies use border0 policy ls. This will list all policies in the current organization.
It will also show how many Sockets this policy has been applied to.

$ border0 policy ls
┌────────────┬──────────────────────────────┬───────────┐
│ NAME       │ DESCRIPTION                  │ # SOCKETS │
├────────────┼──────────────────────────────┼───────────┤
│ my-policy  │                              │         0 │
│ my-policy2 │                              │         0 │
│ my-policy3 │                              │         4 │
│ my-policy4 │ just an optional description │         3 │
└────────────┴──────────────────────────────┴───────────┘

Showing a Policy

To see the policy definition, use border0 policy show -n my-policy:

$ border0 policy show -n my-policy
┌────────────┬─────────────┬───────────┐
│ NAME       │ DESCRIPTION │ # SOCKETS │
├────────────┼─────────────┼───────────┤
│ my-policy  │             │         1 │
└────────────┴─────────────┴───────────┘

Policy Data:

{
  "action": [
    "database",
    "ssh",
    "http"
  ],
  "condition": {
    "when": {
      "after": "2022-10-09T00:00:00Z",
      "time_of_day_after": "00:00 UTC",
      "time_of_day_before": "23:59 UTC"
    },
    "where": {
      "allowed_ip": [
        "0.0.0.0/0",
        "10.0.0.0/8"
      ]
    },
    "who": {
      "domain": [
        "example.com"
      ],
      "email": [
        "[email protected]"
      ]
    }
  },
  "version": "v1"
}

Creating a new policy

An administrator can create new policies using the border0 socket policy add command.
The --name parameter is mandatory. Remember that policy names need to be unique within an organization.

border0 policy add --help
Create a policy

Usage:
  border0 socket policy add [flags]

Flags:
  -d, --description string   Policy Description
  -h, --help                 help for add
  -n, --name string          Policy Name
  -f, --policy-file string   Policy Definition File

You may specify a policy definition JSON file with the --policy-file parameter. Alternatively, you can call the border0 policy add command without pointing it at a file. In that case, an editor opens with a basic policy, which you can then modify to your needs.

The example below shows how to create a policy by calling border0 policy add --name my-policy:

[Figure: Adding a policy]

Deleting a Policy

Policies can be deleted using border0 policy delete:

$ border0 policy delete --name my-policy
Policy deleted

Attaching a Policy to a Socket

For a policy to be applied, it needs to be attached to one or more Sockets. This can be done using the border0 policy attach command, which expects both a policy name and a socket_id as parameters.

$ border0 policy attach --name my-policy2 --socket_id 88189074-3d48-43f9-aa36-2b5931d3b29e
Policy attached to socket

Detaching a Policy from a Socket

To remove a policy from a socket, use the border0 policy detach command. This command expects both a policy name and socket_id as parameters.

$ border0 policy detach --name my-policy2 --socket_id 88189074-3d48-43f9-aa36-2b5931d3b29e
Policy detached from socket

Listing all policies attached to a socket

A Socket may have zero or more policies. As a reminder, policies are evaluated, and the applied actions are the cumulative result of all policies that match.
Using border0 socket policy ls, you can easily see which policies are applied to a specific socket. Note that organization-wide policies are automatically applied to all Sockets.

$ border0 socket policy ls --socket_id 88189074-3d48-43f9-aa36-2b5931d3b29e
┌────────────┬─────────────┬───────────┐
│ NAME       │ DESCRIPTION │ # SOCKETS │
├────────────┼─────────────┼───────────┤
│ my-policy2 │             │         1 │
└────────────┴─────────────┴───────────┘

Attaching and Detaching policies to a socket

From this same context, you may also attach a policy to a socket.

$ border0 socket --socket_id 88189074-3d48-43f9-aa36-2b5931d3b29e policy attach --name my-policy3
Policy attached to socket

And to detach the policy use:

$ border0 socket --socket_id 88189074-3d48-43f9-aa36-2b5931d3b29e policy detach --name my-policy3
Policy detached from socket