From c714f62a3cb31dc253bb9999d2b5adcc283daef0 Mon Sep 17 00:00:00 2001 From: Jason Boxman Date: Tue, 22 Jun 2021 21:54:18 -0400 Subject: [PATCH] Omit network policy Ingress Controller exception - https://issues.redhat.com/browse/OSDOCS-1811 --- modules/nw-networkpolicy-about.adoc | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/modules/nw-networkpolicy-about.adoc b/modules/nw-networkpolicy-about.adoc index 7fe1004297..f25c370129 100644 --- a/modules/nw-networkpolicy-about.adoc +++ b/modules/nw-networkpolicy-about.adoc @@ -47,11 +47,6 @@ spec: + To make a project allow only connections from the {product-title} Ingress Controller, add the following `NetworkPolicy` object. + -[IMPORTANT] -==== -For the OVN-Kubernetes network provider plug-in, when the Ingress Controller is configured to use the `HostNetwork` endpoint publishing strategy, there is no supported way to apply network policy so that ingress traffic is allowed and all other traffic is denied. -==== -+ [source,yaml] ---- apiVersion: networking.k8s.io/v1 @@ -68,11 +63,6 @@ spec: policyTypes: - Ingress ---- -+ -If the Ingress Controller is configured with `endpointPublishingStrategy: HostNetwork`, then the Ingress Controller pod runs on the host network. -When running on the host network, the traffic from the Ingress Controller is assigned the `netid:0` Virtual Network ID (VNID). -The `netid` for the namespace that is associated with the Ingress Operator is different, so the `matchLabel` in the `allow-from-openshift-ingress` network policy does not match traffic from the `default` Ingress Controller. -With OpenShift SDN, the `default` namespace is assigned the `netid:0` VNID and you can allow traffic from the `default` Ingress Controller by labeling your `default` namespace with `network.openshift.io/policy-group: ingress`. * Only accept connections from pods within a project: +
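Review bot: In the first hunk, deleting the `[IMPORTANT]` admonition removes the only statement that, for the OVN-Kubernetes network provider plug-in with the `HostNetwork` endpoint publishing strategy, there is no supported way to allow ingress traffic while denying all other traffic; the commit subject says the exception is omitted but gives no reason (resolved, moved, or no longer accurate), so readers who hit that configuration lose the warning with nothing pointing them elsewhere. Suggest either keeping a one-line note next to the "add the following `NetworkPolicy` object" sentence, or stating in the commit message where the caveat now lives.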
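Review bot: In the second hunk, the removed paragraph is what explains that the `matchLabel` in the `allow-from-openshift-ingress` policy only matches Ingress Controller traffic when the relevant namespace carries the `network.openshift.io/policy-group: ingress` label, and that with OpenShift SDN and `endpointPublishingStrategy: HostNetwork` the traffic arrives with the `netid:0` VNID of the `default` namespace, so that namespace must be labeled. With it gone, the YAML example between the hunks is presented without the prerequisite that makes it work, and the `HostNetwork` case is no longer documented anywhere in the module. Suggest retaining at least the final sentence ("With OpenShift SDN ... labeling your `default` namespace with `network.openshift.io/policy-group: ingress`") as a note after the `----` block, or moving it to the procedure that creates the policy.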