From a446996a49ab95ce973ad20aa2ed422fcf7d8d89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CShauna=20Diaz=E2=80=9D?=
Date: Tue, 13 Feb 2024 14:05:13 -0500
Subject: [PATCH] OSDOCS-9647: adds network policy intro MicroShift

---
 _topic_maps/_topic_map_ms.yml | 6 +
 .../microshift-network-policy/_attributes | 1 +
 .../microshift-network-policy/images | 1 +
 .../microshift-network-policy-index.adoc | 13 ++
 .../microshift-network-policy/modules | 1 +
 .../microshift-network-policy/snippets | 1 +
 .../microshift-nw-network-policy-intro.adoc | 136 ++++++++++++++++++
 7 files changed, 159 insertions(+)
 create mode 120000 microshift_networking/microshift-network-policy/_attributes
 create mode 120000 microshift_networking/microshift-network-policy/images
 create mode 100644 microshift_networking/microshift-network-policy/microshift-network-policy-index.adoc
 create mode 120000 microshift_networking/microshift-network-policy/modules
 create mode 120000 microshift_networking/microshift-network-policy/snippets
 create mode 100644 modules/microshift-nw-network-policy-intro.adoc
diff --git a/_topic_maps/_topic_map_ms.yml b/_topic_maps/_topic_map_ms.yml
index 57aae580f8..9af0d21b35 100644
--- a/_topic_maps/_topic_map_ms.yml
+++ b/_topic_maps/_topic_map_ms.yml
@@ -402,10 +402,16 @@ Topics:
 File: microshift-cni
 - Name: Using networking settings
 File: microshift-networking-settings
+- Name: Network policies
+ Dir: microshift-network-policy
+ Topics:
+ - Name: Setting network policies
+ File: microshift-network-policy-index
 - Name: Firewall configuration
 File: microshift-firewall
 - Name: Networking settings for fully disconnected hosts
 File: microshift-disconnected-network-config
+
 ---
 Name: Storage
 Dir: microshift_storage
diff --git a/microshift_networking/microshift-network-policy/_attributes b/microshift_networking/microshift-network-policy/_attributes
new file mode 120000
index 0000000000..93957f0227
--- /dev/null
+++ b/microshift_networking/microshift-network-policy/_attributes
@@ -0,0 +1 @@
+../_attributes
\ No newline at end of file
diff --git a/microshift_networking/microshift-network-policy/images b/microshift_networking/microshift-network-policy/images
new file mode 120000
index 0000000000..5e67573196
--- /dev/null
+++ b/microshift_networking/microshift-network-policy/images
@@ -0,0 +1 @@
+../images
\ No newline at end of file
diff --git a/microshift_networking/microshift-network-policy/microshift-network-policy-index.adoc b/microshift_networking/microshift-network-policy/microshift-network-policy-index.adoc
new file mode 100644
index 0000000000..559cd94d3a
--- /dev/null
+++ b/microshift_networking/microshift-network-policy/microshift-network-policy-index.adoc
@@ -0,0 +1,13 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="microshift-network-policies"]
+= Setting network policies
+include::_attributes/attributes-microshift.adoc[]
+:context: microshift-network-policies
+toc::[]
+
+Learn how to apply network policies to restrict or allow network traffic to pods in your cluster.
+
+include::modules/microshift-nw-network-policy-intro.adoc[leveloffset=+1]
+
+//OCP module, edit with conditionals
+include::modules/nw-networkpolicy-optimize-ovn.adoc[leveloffset=+1]
diff --git a/microshift_networking/microshift-network-policy/modules b/microshift_networking/microshift-network-policy/modules
new file mode 120000
index 0000000000..464b823aca
--- /dev/null
+++ b/microshift_networking/microshift-network-policy/modules
@@ -0,0 +1 @@
+../modules
\ No newline at end of file
diff --git a/microshift_networking/microshift-network-policy/snippets b/microshift_networking/microshift-network-policy/snippets
new file mode 120000
index 0000000000..9d58b92e50
--- /dev/null
+++ b/microshift_networking/microshift-network-policy/snippets
@@ -0,0 +1 @@
+../snippets/
\ No newline at end of file
diff --git a/modules/microshift-nw-network-policy-intro.adoc b/modules/microshift-nw-network-policy-intro.adoc
new file mode 100644
index 0000000000..fd014723c3
--- /dev/null
+++ b/modules/microshift-nw-network-policy-intro.adoc 
@@ -0,0 +1,136 @@
+// Module included in the following assemblies:
+//
+// * microshift_networking/microshift-network-policies.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="microshift-nw-network-policy-intro_{context}"]
+= How network policy works in {microshift-short}
+
+In a cluster using the default OVN-Kubernetes Container Network Interface (CNI) plugin for {microshift-short}, network isolation is controlled by both firewalld, which is configured on the host, and by `NetworkPolicy` objects created within {microshift-short}. Simultaneous use of firewalld and `NetworkPolicy` is supported.
+
+* Network policies work only within boundaries of OVN-Kubernetes-controlled traffic, so they can apply to every situation except for `hostPort/hostNetwork` enabled pods.
+
+* Firewalld settings also do not apply to `hostPort/hostNetwork` enabled pods.
+
+[NOTE]
+====
+Firewalld rules run before any `NetworkPolicy` is enforced.
+====
+
+[WARNING]
+====
+Network policy does not apply to the host network namespace. Pods with host networking enabled are unaffected by network policy rules. However, pods connecting to the host-networked pods might be affected by the network policy rules.
+
+Network policies cannot block traffic from localhost.
+====
+
+By default, all pods in a {microshift-short} node are accessible from other pods and network endpoints. To isolate one or more pods in a cluster, you can create `NetworkPolicy` objects to indicate allowed incoming connections. You can create and delete `NetworkPolicy` objects.
+
+If a pod is matched by selectors in one or more `NetworkPolicy` objects, then the pod accepts only connections that are allowed by at least one of those `NetworkPolicy` objects. A pod that is not selected by any `NetworkPolicy` objects is fully accessible.
+
+A network policy applies to only the TCP, UDP, ICMP, and SCTP protocols. Other protocols are not affected.
+
+The following example `NetworkPolicy` objects demonstrate supporting different scenarios:
+
+* Deny all traffic:
++
+To make a project deny by default, add a `NetworkPolicy` object that matches all pods but accepts no traffic:
++
+[source,yaml]
+----
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: deny-by-default
+spec:
+ podSelector: {}
+ ingress: []
+----
+
+* Allow connections from the default router, which is the ingress in {microshift-short}:
++
+To allow connections from the {microshift-short} default router, add the following `NetworkPolicy` object:
++
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-openshift-ingress
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default
+ podSelector: {}
+ policyTypes:
+ - Ingress
+----
+
+* Only accept connections from pods within the same namespace:
++
+To make pods accept connections from other pods in the same namespace, but reject all other connections from pods in other namespaces, add the following `NetworkPolicy` object:
++
+[source,yaml]
+----
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-same-namespace
+spec:
+ podSelector: {}
+ ingress:
+ - from:
+ - podSelector: {}
+----
+
+* Only allow HTTP and HTTPS traffic based on pod labels:
++
+To enable only HTTP and HTTPS access to the pods with a specific label (`role=frontend` in following example), add a `NetworkPolicy` object similar to the following:
++
+[source,yaml]
+----
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-http-and-https
+spec:
+ podSelector:
+ matchLabels:
+ role: frontend
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 443
+----
+
+* Accept connections by using both namespace and pod selectors:
++
+To match network traffic by combining namespace and pod selectors, you can use a
`NetworkPolicy` object similar to the following:
++
+[source,yaml]
+----
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-pod-and-namespace-both
+spec:
+ podSelector:
+ matchLabels:
+ name: test-pods
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ project: project_name
+ podSelector:
+ matchLabels:
+ name: test-pods
+----
+
+`NetworkPolicy` objects are additive, which means you can combine multiple `NetworkPolicy` objects together to satisfy complex network requirements.
+
+For example, for the `NetworkPolicy` objects defined in previous examples, you can define both `allow-same-namespace` and `allow-http-and-https` policies. That configuration allows the pods with the label `role=frontend` to accept any connection allowed by each policy. That is, connections on any port from pods in the same namespace, and connections on ports `80` and `443` from pods in any namespace.