mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
OSDOCS-9647: adds network policy intro MicroShift
This commit is contained in:
committed by
openshift-cherrypick-robot
parent
1511c1a179
commit
a446996a49
@@ -402,10 +402,16 @@ Topics:
|
||||
File: microshift-cni
|
||||
- Name: Using networking settings
|
||||
File: microshift-networking-settings
|
||||
- Name: Network policies
|
||||
Dir: microshift-network-policy
|
||||
Topics:
|
||||
- Name: Setting network policies
|
||||
File: microshift-network-policy-index
|
||||
- Name: Firewall configuration
|
||||
File: microshift-firewall
|
||||
- Name: Networking settings for fully disconnected hosts
|
||||
File: microshift-disconnected-network-config
|
||||
|
||||
---
|
||||
Name: Storage
|
||||
Dir: microshift_storage
|
||||
|
||||
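Review bot: the new `Dir: microshift-network-policy` entry and its single topic file `microshift-network-policy-index` match the symlinked subdirectory added elsewhere in this commit, but the subdirectory name uses hyphens while the adjacent `Dir: microshift_storage` entry uses underscores; confirm that hyphenated subdirectory names are the convention beneath `microshift_networking` before merge, since the topic map path must resolve to the directory on disk.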
1
microshift_networking/microshift-network-policy/_attributes
Symbolic link
1
microshift_networking/microshift-network-policy/_attributes
Symbolic link
@@ -0,0 +1 @@
|
||||
../_attributes
|
||||
1
microshift_networking/microshift-network-policy/images
Symbolic link
1
microshift_networking/microshift-network-policy/images
Symbolic link
@@ -0,0 +1 @@
|
||||
../images
|
||||
@@ -0,0 +1,13 @@
|
||||
:_mod-docs-content-type: ASSEMBLY
|
||||
[id="microshift-network-policies"]
|
||||
= Setting network policies
|
||||
include::_attributes/attributes-microshift.adoc[]
|
||||
:context: microshift-network-policies
|
||||
toc::[]
|
||||
|
||||
Learn how to apply network policies to restrict or allow network traffic to pods in your cluster.
|
||||
|
||||
include::modules/microshift-nw-network-policy-intro.adoc[leveloffset=+1]
|
||||
|
||||
//OCP module, edit with conditionals
|
||||
include::modules/nw-networkpolicy-optimize-ovn.adoc[leveloffset=+1]
|
||||
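Review bot: the assembly id `microshift-network-policies` and the `:context: microshift-network-policies` value use the plural form, while the topic map added in this commit points at the file `microshift-network-policy-index` under `Dir: microshift-network-policy`; align the id and context with the file name (or the file name with them) so cross-references and the module's `{context}` suffix stay predictable. The second include, `nw-networkpolicy-optimize-ovn.adoc`, carries the comment `//OCP module, edit with conditionals`, yet no change to that module is part of this diff; confirm the conditional for {microshift-short} content is already in place or add it in this commit, otherwise OCP-only text renders in the MicroShift assembly.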
1
microshift_networking/microshift-network-policy/modules
Symbolic link
1
microshift_networking/microshift-network-policy/modules
Symbolic link
@@ -0,0 +1 @@
|
||||
../modules
|
||||
1
microshift_networking/microshift-network-policy/snippets
Symbolic link
1
microshift_networking/microshift-network-policy/snippets
Symbolic link
@@ -0,0 +1 @@
|
||||
../snippets/
|
||||
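Review bot: the `snippets` symlink target `../snippets/` carries a trailing slash while the three other symlinks in this commit (`../_attributes`, `../images`, `../modules`) do not; drop the slash so all four links are written the same way.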
136
modules/microshift-nw-network-policy-intro.adoc
Normal file
136
modules/microshift-nw-network-policy-intro.adoc
Normal file
@@ -0,0 +1,136 @@
|
||||
// Module included in the following assemblies:
|
||||
//
|
||||
// * microshift_networking/microshift-network-policies.adoc
|
||||
|
||||
:_mod-docs-content-type: CONCEPT
|
||||
[id="microshift-nw-network-policy-intro_{context}"]
|
||||
= How network policy works in {microshift-short}
|
||||
|
||||
In a cluster using the default OVN-Kubernetes Container Network Interface (CNI) plugin for {microshift-short}, network isolation is controlled by both firewalld, which is configured on the host, and by `NetworkPolicy` objects created within {microshift-short}. Simultaneous use of firewalld and `NetworkPolicy` is supported.
|
||||
|
||||
* Network policies work only within boundaries of OVN-Kubernetes-controlled traffic, so they can apply to every situation except for `hostPort/hostNetwork` enabled pods.
|
||||
|
||||
* Firewalld settings also do not apply to `hostPort/hostNetwork` enabled pods.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
Firewalld rules run before any `NetworkPolicy` is enforced.
|
||||
====
|
||||
|
||||
[WARNING]
|
||||
====
|
||||
Network policy does not apply to the host network namespace. Pods with host networking enabled are unaffected by network policy rules. However, pods connecting to the host-networked pods might be affected by the network policy rules.
|
||||
|
||||
Network policies cannot block traffic from localhost.
|
||||
====
|
||||
|
||||
By default, all pods in a {microshift-short} node are accessible from other pods and network endpoints. To isolate one or more pods in a cluster, you can create `NetworkPolicy` objects to indicate allowed incoming connections. You can create and delete `NetworkPolicy` objects.
|
||||
|
||||
If a pod is matched by selectors in one or more `NetworkPolicy` objects, then the pod accepts only connections that are allowed by at least one of those `NetworkPolicy` objects. A pod that is not selected by any `NetworkPolicy` objects is fully accessible.
|
||||
|
||||
A network policy applies to only the TCP, UDP, ICMP, and SCTP protocols. Other protocols are not affected.
|
||||
|
||||
The following example `NetworkPolicy` objects demonstrate supporting different scenarios:
|
||||
|
||||
* Deny all traffic:
|
||||
+
|
||||
To make a project deny by default, add a `NetworkPolicy` object that matches all pods but accepts no traffic:
|
||||
+
|
||||
[source,yaml]
|
||||
----
|
||||
kind: NetworkPolicy
|
||||
apiVersion: networking.k8s.io/v1
|
||||
metadata:
|
||||
name: deny-by-default
|
||||
spec:
|
||||
podSelector: {}
|
||||
ingress: []
|
||||
----
|
||||
|
||||
* Allow connections from the default router, which is the ingress in {microshift-short}:
|
||||
+
|
||||
To allow connections from the {microshift-short} default router, add the following `NetworkPolicy` object:
|
||||
+
|
||||
[source,yaml]
|
||||
----
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-from-openshift-ingress
|
||||
spec:
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
----
|
||||
|
||||
* Only accept connections from pods within the same namespace:
|
||||
+
|
||||
To make pods accept connections from other pods in the same namespace, but reject all other connections from pods in other namespaces, add the following `NetworkPolicy` object:
|
||||
+
|
||||
[source,yaml]
|
||||
----
|
||||
kind: NetworkPolicy
|
||||
apiVersion: networking.k8s.io/v1
|
||||
metadata:
|
||||
name: allow-same-namespace
|
||||
spec:
|
||||
podSelector: {}
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector: {}
|
||||
----
|
||||
|
||||
* Only allow HTTP and HTTPS traffic based on pod labels:
|
||||
+
|
||||
To enable only HTTP and HTTPS access to the pods with a specific label (`role=frontend` in following example), add a `NetworkPolicy` object similar to the following:
|
||||
+
|
||||
[source,yaml]
|
||||
----
|
||||
kind: NetworkPolicy
|
||||
apiVersion: networking.k8s.io/v1
|
||||
metadata:
|
||||
name: allow-http-and-https
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
role: frontend
|
||||
ingress:
|
||||
- ports:
|
||||
- protocol: TCP
|
||||
port: 80
|
||||
- protocol: TCP
|
||||
port: 443
|
||||
----
|
||||
|
||||
* Accept connections by using both namespace and pod selectors:
|
||||
+
|
||||
To match network traffic by combining namespace and pod selectors, you can use a `NetworkPolicy` object similar to the following:
|
||||
+
|
||||
[source,yaml]
|
||||
----
|
||||
kind: NetworkPolicy
|
||||
apiVersion: networking.k8s.io/v1
|
||||
metadata:
|
||||
name: allow-pod-and-namespace-both
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
name: test-pods
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
project: project_name
|
||||
podSelector:
|
||||
matchLabels:
|
||||
name: test-pods
|
||||
----
|
||||
|
||||
`NetworkPolicy` objects are additive, which means you can combine multiple `NetworkPolicy` objects together to satisfy complex network requirements.
|
||||
|
||||
For example, for the `NetworkPolicy` objects defined in previous examples, you can define both `allow-same-namespace` and `allow-http-and-https` policies. That configuration allows the pods with the label `role=frontend` to accept any connection allowed by each policy. That is, connections on any port from pods in the same namespace, and connections on ports `80` and `443` from pods in any namespace.
|
||||
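Review bot: the `// Module included in the following assemblies:` comment names `microshift_networking/microshift-network-policies.adoc`, but the topic map in this same commit places the assembly at `microshift_networking/microshift-network-policy/microshift-network-policy-index`; update the comment to the real path so module-to-assembly tracking stays accurate. Two points on the examples: the `allow-from-openshift-ingress` policy selects the router namespace by the label `ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default`, which is the label the OCP ingress operator applies, so please confirm the namespace hosting the {microshift-short} default router actually carries that label, otherwise the example silently admits no traffic. And because the `deny-by-default` example omits `policyTypes`, a sentence noting that it restricts ingress only and leaves egress unrestricted would help readers who expect "deny all" to cover both directions.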