mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
79 lines
2.9 KiB
Plaintext
79 lines
2.9 KiB
Plaintext
// Module included in the following assemblies:
|
|
|
|
// * networking/network_observability/network-observability-network-policy.adoc
|
|
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="network-observability-network-policy_{context}"]
|
|
= Creating a network policy for network observability
|
|
|
|
If you want to further customize the network policies for the `netobserv` and `netobserv-privileged` namespaces, you must disable the managed installation of the policy from the `FlowCollector` CR, and create your own. You can use the network policy resources that are enabled from the `FlowCollector` CR as a starting point for the procedure that follows:
|
|
|
|
.Example `netobserv` network policy
|
|
[source,yaml]
|
|
----
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
spec:
|
|
ingress:
|
|
- from:
|
|
- podSelector: {}
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: netobserv-privileged
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: openshift-console
|
|
ports:
|
|
- port: 9001
|
|
protocol: TCP
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: openshift-monitoring
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
----
|
|
|
|
.Example `netobserv-privileged` network policy
|
|
[source,yaml]
|
|
----
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: netobserv
|
|
namespace: netobserv-privileged
|
|
spec:
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: openshift-monitoring
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
----
|
|
|
|
.Procedure
|
|
. Navigate to *Networking* -> *NetworkPolicies*.
|
|
. Select the `netobserv` project from the *Project* dropdown menu.
|
|
. Name the policy. For this example, the policy name is `allow-ingress`.
|
|
. Click *Add ingress rule* three times to create three ingress rules.
|
|
. Specify the following in the form:
|
|
.. Make the following specifications for the first *Ingress rule*:
|
|
... From the *Add allowed source* dropdown menu, select *Allow pods from the same namespace*.
|
|
.. Make the following specifications for the second *Ingress rule*:
|
|
... From the *Add allowed source* dropdown menu, select *Allow pods from inside the cluster*.
|
|
... Click *+ Add namespace selector*.
|
|
... Add the label, `kubernetes.io/metadata.name`, and the selector, `openshift-console`.
|
|
.. Make the following specifications for the third *Ingress rule*:
|
|
... From the *Add allowed source* dropdown menu, select *Allow pods from inside the cluster*.
|
|
... Click *+ Add namespace selector*.
|
|
... Add the label, `kubernetes.io/metadata.name`, and the selector, `openshift-monitoring`.
|
|
|
|
.Verification
|
|
. Navigate to *Observe* -> *Network Traffic*.
|
|
. View the *Traffic Flows* tab, or any tab, to verify that the data is displayed.
|
|
. Navigate to *Observe* -> *Dashboards*. In the NetObserv/Health selection, verify that the flows are being ingested and sent to Loki, which is represented in the first graph. |