mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-06 06:46:26 +01:00

Omit network policy Ingress Controller exception

- https://issues.redhat.com/browse/OSDOCS-1811
This commit is contained in:
Jason Boxman
2021-06-22 21:54:18 -04:00
committed by openshift-cherrypick-robot
parent ba69a1a2bc
commit c714f62a3c


@@ -47,11 +47,6 @@ spec:
+
To make a project allow only connections from the {product-title} Ingress Controller, add the following `NetworkPolicy` object.
+
[IMPORTANT]
====
For the OVN-Kubernetes network provider plug-in, when the Ingress Controller is configured to use the `HostNetwork` endpoint publishing strategy, there is no supported way to apply network policy so that ingress traffic is allowed and all other traffic is denied.
====
+
[source,yaml]
----
apiVersion: networking.k8s.io/v1
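Review bot: Dropping the `[IMPORTANT]` admonition leaves readers on the OVN-Kubernetes plug-in with a `HostNetwork` Ingress Controller no signal that the `NetworkPolicy` shown here will not give them "allow ingress, deny everything else"; the commit message only says the exception is omitted, not whether the limitation is gone or is now documented elsewhere. Suggest stating that in the commit message (or a short cross-reference in the remaining prose) so the removal is not read as a silent regression of the documented behaviour.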
@@ -68,11 +63,6 @@ spec:
policyTypes:
- Ingress
----
+
If the Ingress Controller is configured with `endpointPublishingStrategy: HostNetwork`, then the Ingress Controller pod runs on the host network.
When running on the host network, the traffic from the Ingress Controller is assigned the `netid:0` Virtual Network ID (VNID).
The `netid` for the namespace that is associated with the Ingress Operator is different, so the `matchLabel` in the `allow-from-openshift-ingress` network policy does not match traffic from the `default` Ingress Controller.
With OpenShift SDN, the `default` namespace is assigned the `netid:0` VNID and you can allow traffic from the `default` Ingress Controller by labeling your `default` namespace with `network.openshift.io/policy-group: ingress`.
* Only accept connections from pods within a project:
+
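Review bot: The removed paragraph carried the only explanation of why the `allow-from-openshift-ingress` policy does not match traffic from a `HostNetwork` Ingress Controller (the `netid:0` VNID), together with the OpenShift SDN remedy of labeling the `default` namespace with `network.openshift.io/policy-group: ingress`. If that labeling step is still valid for OpenShift SDN, keep or relocate it rather than deleting it with the OVN-Kubernetes caveat, since without it the policy example above can appear to allow Ingress Controller traffic when it does not; if it has been superseded, the commit message should say so.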