mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
104 lines
3.0 KiB
Plaintext
104 lines
3.0 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/network_security/network_policy/default-network-policy.adoc
|
|
// * networking/configuring-networkpolicy.adoc
|
|
// * post_installation_configuration/network-configuration.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="nw-networkpolicy-project-defaults_{context}"]
|
|
= Adding network policies to the new project template
|
|
|
|
As a cluster administrator, you can add network policies to the default template for new projects.
|
|
{product-title} will automatically create all the `NetworkPolicy` objects specified in the template in the project.
|
|
|
|
.Prerequisites
|
|
|
|
* Your cluster uses a default container network interface (CNI) network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes.
|
|
* You installed the OpenShift CLI (`oc`).
|
|
* You must log in to the cluster with a user with `cluster-admin` privileges.
|
|
* You must have created a custom default project template for new projects.
|
|
|
|
.Procedure
|
|
|
|
. Edit the default template for a new project by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc edit template <project_template> -n openshift-config
|
|
----
|
|
+
|
|
Replace `<project_template>` with the name of the default template that you configured for your cluster. The default template name is `project-request`.
|
|
|
|
. In the template, add each `NetworkPolicy` object as an element to the `objects` parameter. The `objects` parameter accepts a collection of one or more objects.
|
|
+
|
|
In the following example, the `objects` parameter collection includes several `NetworkPolicy` objects.
|
|
+
|
|
[source,yaml]
|
|
----
|
|
objects:
|
|
- apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-from-same-namespace
|
|
spec:
|
|
podSelector: {}
|
|
ingress:
|
|
- from:
|
|
- podSelector: {}
|
|
- apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-from-openshift-ingress
|
|
spec:
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
policy-group.network.openshift.io/ingress:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
- apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-from-kube-apiserver-operator
|
|
spec:
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: openshift-kube-apiserver-operator
|
|
podSelector:
|
|
matchLabels:
|
|
app: kube-apiserver-operator
|
|
policyTypes:
|
|
- Ingress
|
|
...
|
|
----
|
|
|
|
. Optional: Create a new project and confirm the successful creation of your network policy objects.
|
|
|
|
.. Create a new project:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc new-project <project> <1>
|
|
----
|
|
<1> Replace `<project>` with the name for the project you are creating.
|
|
|
|
.. Confirm that the network policy objects in the new project template exist in the new project:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get networkpolicy
|
|
----
|
|
+
|
|
Expected output:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
NAME POD-SELECTOR AGE
|
|
allow-from-openshift-ingress <none> 7s
|
|
allow-from-same-namespace <none> 7s
|
|
----
|