mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00

BZ#1927841: host network routers and OVN-K

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1927841

I believe the whole topic indicates that it is for
OpenShift SDN only, but that is several page-scrolls
above the updated section.

Add an admonition to state as emphatically as possible
that the network policy does not work for OVN-Kubernetes
and add it to the multitenant network policy page too.

Clarification from Andrew: make sure folks see the
consideration for `HostNetwork` endpoint publishing
strategy.
Mike McKiernan
2021-02-19 16:47:26 -05:00
parent f451a4a050
commit 2c69ce4fbb
2 changed files with 14 additions and 4 deletions

View File

@@ -11,7 +11,7 @@ In {product-title} {product-version}, OpenShift SDN supports using network polic
[NOTE]
====
IPBlock is supported by network policy with limitations for OpenShift SDN; itsupports IPBlock without except clauses. If you create a policy with an IPBlock section including an except clause, the SDN pods log generates warnings and the entire IPBlock section of that policy is ignored.
IPBlock is supported by network policy with limitations for OpenShift SDN; it supports IPBlock without except clauses. If you create a policy with an IPBlock section that includes an except clause, the SDN pods log warnings and the entire IPBlock section of that policy is ignored.
====
[WARNING]
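Review bot: the corrected sentence still leaves the security consequence of "the entire IPBlock section of that policy is ignored" undefined; a reader cannot tell from this NOTE whether a rule whose only peer was the ignored `IPBlock` then matches no sources or whether the policy becomes more permissive than written. Since operators rely on this to reason about what traffic is actually admitted, add one sentence stating what the resulting policy does, and consider pointing out that the only signal is a warning in the SDN pod logs, so the misconfiguration is otherwise silent.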
@@ -42,7 +42,12 @@ spec:
* Only allow connections from the {product-title} Ingress Controller:
+
To make a project allow only connections from the {product-title} Ingress Controller, add the following `NetworkPolicy` object:
To make a project allow only connections from the {product-title} Ingress Controller, add the following `NetworkPolicy` object.
+
[IMPORTANT]
====
For the OVN-Kubernetes network provider plug-in, when the Ingress Controller is configured to use the `HostNetwork` endpoint publishing strategy, there is no supported way to apply network policy so that ingress traffic is allowed and all other traffic is denied.
====
+
[source,yaml]
----
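Review bot: the new IMPORTANT admonition states that there is "no supported way" under OVN-Kubernetes with the `HostNetwork` endpoint publishing strategy, but it gives the reader no indication of what happens if they apply the `NetworkPolicy` that immediately follows anyway, or what they should do instead. Add a sentence stating that the `allow-from-openshift-ingress` policy shown below does not achieve the intended allow-ingress-deny-everything-else result in that configuration, and, if the docs cover the other endpoint publishing strategies, a cross-reference to them so OVN-Kubernetes users are not left at a dead end.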
@@ -64,7 +69,7 @@ spec:
If the Ingress Controller is configured with `endpointPublishingStrategy: HostNetwork`, then the Ingress Controller pod runs on the host network.
When running on the host network, the traffic from the Ingress Controller is assigned the `netid:0` Virtual Network ID (VNID).
The `netid` for the namespace that is associated with the Ingress Operator is different, so the `matchLabel` in the `allow-from-openshift-ingress` network policy does not match traffic from the `default` Ingress Controller.
Because the `default` namespace is assigned the `netid:0` VNID, you can allow traffic from the `default` Ingress Controller by labeling your `default` namespace with `network.openshift.io/policy-group: ingress`.
With OpenShift SDN, the `default` namespace is assigned the `netid:0` VNID and you can allow traffic from the `default` Ingress Controller by labeling your `default` namespace with `network.openshift.io/policy-group: ingress`.
* Only accept connections from pods within a project:
+
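Review bot: only the last sentence of this paragraph gets the "With OpenShift SDN," qualifier, while the preceding sentences ("the traffic from the Ingress Controller is assigned the `netid:0` Virtual Network ID (VNID)" and "The `netid` for the namespace ... is different") describe the same SDN-specific VNID mechanism unqualified; move the qualifier to the first sentence of the paragraph so the whole explanation is scoped, not just its conclusion. Separately, the paragraph says `netid:0` is assigned because the Ingress Controller runs on the host network, which implies that labeling the `default` namespace with `network.openshift.io/policy-group: ingress` admits any host-network source that shares `netid:0`, not only the Ingress Controller; if that is the case, the text should say so explicitly, because the policy is named `allow-from-openshift-ingress` and readers will assume it is that narrow.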

View File

@@ -19,7 +19,12 @@ project namespaces.
.Procedure
. Create the following `NetworkPolicy` objects:
.. A policy named `allow-from-openshift-ingress`:
.. A policy named `allow-from-openshift-ingress`.
+
[IMPORTANT]
====
For the OVN-Kubernetes network provider plug-in, when the Ingress Controller is configured to use the `HostNetwork` endpoint publishing strategy, there is no supported way to apply network policy so that ingress traffic is allowed and all other traffic is denied.
====
+
[source,terminal]
----
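Review bot: this page is a numbered procedure, and the new IMPORTANT admonition is inserted inside step 1, between the step title "A policy named `allow-from-openshift-ingress`." and the terminal block a reader is about to run; someone on OVN-Kubernetes will have already started the procedure before learning it cannot produce the intended result. Given the commit message's own concern that the scope statement is "several page-scrolls above", state the scope (OpenShift SDN, and the `HostNetwork` caveat) at the head of the procedure as well, so the reader can stop before creating a policy that will not behave as its name suggests.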