mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
Provide example network policies for the web terminal operator
Signed-off-by: David Kwon <dakwon@redhat.com>
This commit is contained in:
David Kwon
committed by
openshift-cherrypick-robot
openshift-cherrypick-robot
parent
ad98af01d7
commit
c6a43b238f
@@ -23,6 +23,7 @@ The web terminal remains open until you close it or until you close the browser
|
||||
+
|
||||
[NOTE]
|
||||
====
|
||||
* One `DevWorkspace` CR defines the web terminal of one user. This CR contains details about the user's web terminal status and container image components.
|
||||
* The `DevWorkspace` CR is created only if it does not already exist.
|
||||
ifndef::openshift-rosa,openshift-dedicated[]
|
||||
* The `openshift-terminal` project is the default project used for cluster administrators. They do not have the option to choose another project. The {web-terminal-op} installs the DevWorkspace Operator as a dependency.
|
||||
|
||||
@@ -9,6 +9,44 @@ toc::[]
|
||||
[id="troubleshooting-web-terminal-network-policies"]
|
||||
== Web terminal and network policies
|
||||
|
||||
The web terminal might fail to launch if the cluster has network policies configured. To initialize a web terminal instance, the {web-terminal-op} must communicate with the web terminal's pod to verify it is running, and the {product-title} web console needs to send information to automatically log in to the cluster within the terminal. If either step fails, the web terminal fails to initialize and the terminal panel appears to be in a loading state.
|
||||
The web terminal might fail to start if the cluster has network policies configured. To start a web terminal instance, the {web-terminal-op} must communicate with the web terminal's pod to verify it is running, and the {product-title} web console needs to send information to automatically log in to the cluster within the terminal. If either step fails, the web terminal fails to start and the terminal panel is in a loading state until a `context deadline exceeded error` occurs.
|
||||
|
||||
To avoid this issue, ensure that the network policies for namespaces that are used for terminals allow ingress from the `openshift-console` and `openshift-operators` namespaces.
|
||||
To avoid this issue, ensure that the network policies for namespaces that are used for terminals allow ingress from the `openshift-console` and `openshift-operators` namespaces.
|
||||
|
||||
The following samples show `NetworkPolicy` objects for allowing ingress from the `openshift-console` and `openshift-operators` namespaces.
|
||||
|
||||
.Allowing ingress from the `openshift-console` namespace
|
||||
[source,yaml]
|
||||
----
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-from-openshift-console
|
||||
spec:
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: openshift-console
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
----
|
||||
|
||||
.Allowing ingress from the `openshift-operators` namespace
|
||||
[source,yaml]
|
||||
----
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-from-openshift-operators
|
||||
spec:
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: openshift-operators
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
----
|
||||
Reference in New Issue
Block a user