mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
183 lines
6.5 KiB
Plaintext
183 lines
6.5 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/network_security/network_policy/about-network-policy.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="nw-networkpolicy-about_{context}"]
|
|
= About network policy
|
|
|
|
By default, all pods in a project are accessible from other pods and network endpoints. To isolate one or more pods in a project, you can create `NetworkPolicy` objects in that project to indicate the allowed incoming connections. Project administrators can create and delete `NetworkPolicy` objects within their own project.
|
|
|
|
If a pod is matched by selectors in one or more `NetworkPolicy` objects, then the pod will accept only connections that are allowed by at least one of those `NetworkPolicy` objects. A pod that is not selected by any `NetworkPolicy` objects is fully accessible.
|
|
|
|
A network policy applies to only the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Stream Control Transmission Protocol (SCTP) protocols. Other protocols are not affected.
|
|
|
|
[WARNING]
|
|
====
|
|
* A network policy does not apply to the host network namespace. Pods with host networking enabled are unaffected by network policy rules. However, pods connecting to the host-networked pods might be affected by the network policy rules.
|
|
|
|
* Using the `namespaceSelector` field without the `podSelector` field set to `{}` will not include `hostNetwork` pods. You must use the `podSelector` set to `{}` with the `namespaceSelector` field in order to target `hostNetwork` pods when creating network policies.
|
|
|
|
* Network policies cannot block traffic from localhost or from their resident nodes.
|
|
|
|
* When creating a network policy, do not apply the `network.openshift.io/policy-group: ingress` label to custom namespace or projects. This label is Operator-managed and reserved for {product-title} networking functions. It should not be altered on system-created namespaces.
|
|
+
|
|
Using this label can result in intermittent network connectivity drops, unintended application of system `NetworkPolicies` resource, or configuration drift as the operator attempts to reconcile the state. For custom traffic grouping, always use unique, user-defined labels as shown in the following procedure.
|
|
====
|
|
|
|
// TODO OSDOCS-11830 These examples should be broken out into subsections that developers can easily navigate to. The following content makes this module far more reference than concept.
|
|
The following example `NetworkPolicy` objects demonstrate supporting different scenarios:
|
|
|
|
* Deny all traffic:
|
|
+
|
|
To make a project deny by default, add a `NetworkPolicy` object that matches all pods but accepts no traffic:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: deny-by-default
|
|
spec:
|
|
podSelector: {}
|
|
ingress: []
|
|
----
|
|
|
|
* Only allow connections from the {product-title} Ingress Controller:
|
|
+
|
|
To make a project allow only connections from the {product-title} Ingress Controller, add the following `NetworkPolicy` object.
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-from-openshift-ingress
|
|
spec:
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
policy-group.network.openshift.io/ingress: ""
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
----
|
|
|
|
* Only accept connections from pods within a project:
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
To allow ingress connections from `hostNetwork` pods in the same namespace, you need to apply the `allow-from-hostnetwork` policy together with the `allow-same-namespace` policy.
|
|
====
|
|
+
|
|
To make pods accept connections from other pods in the same project, but reject all other connections from pods in other projects, add the following `NetworkPolicy` object:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-same-namespace
|
|
spec:
|
|
podSelector: {}
|
|
ingress:
|
|
- from:
|
|
- podSelector: {}
|
|
----
|
|
|
|
* Only allow HTTP and HTTPS traffic based on pod labels:
|
|
+
|
|
To enable only HTTP and HTTPS access to the pods with a specific label (`role=frontend` in following example), add a `NetworkPolicy` object similar to the following:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-http-and-https
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
role: frontend
|
|
ingress:
|
|
- ports:
|
|
- protocol: TCP
|
|
port: 80
|
|
- protocol: TCP
|
|
port: 443
|
|
----
|
|
|
|
* Accept connections by using both namespace and pod selectors:
|
|
+
|
|
To match network traffic by combining namespace and pod selectors, you can use a `NetworkPolicy` object similar to the following:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-pod-and-namespace-both
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
name: test-pods
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
project: project_name
|
|
podSelector:
|
|
matchLabels:
|
|
name: test-pods
|
|
----
|
|
|
|
`NetworkPolicy` objects are additive, which means you can combine multiple `NetworkPolicy` objects together to satisfy complex network requirements.
|
|
|
|
For example, for the `NetworkPolicy` objects defined in previous samples, you can define both `allow-same-namespace` and `allow-http-and-https` policies within the same project. Thus allowing the pods with the label `role=frontend`, to accept any connection allowed by each policy. That is, connections on any port from pods in the same namespace, and connections on ports `80` and `443` from pods in any namespace.
|
|
|
|
[id="nw-networkpolicy-allow-from-router_{context}"]
|
|
== Using the allow-from-router network policy
|
|
|
|
Use the following `NetworkPolicy` to allow external traffic regardless of the router configuration:
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-from-router
|
|
spec:
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
policy-group.network.openshift.io/ingress: ""<1>
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
----
|
|
<1> `policy-group.network.openshift.io/ingress:""` label supports OVN-Kubernetes.
|
|
|
|
[id="nw-networkpolicy-allow-from-hostnetwork_{context}"]
|
|
== Using the allow-from-hostnetwork network policy
|
|
|
|
Add the following `allow-from-hostnetwork` `NetworkPolicy` object to direct traffic from the host network pods.
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-from-hostnetwork
|
|
spec:
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
policy-group.network.openshift.io/host-network: ""
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
----
|