mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
:_mod-docs-content-type: ASSEMBLY
[id="cert-manager-nw-policy"]
= Network policy configuration for cert-manager Operator
include::_attributes/common-attributes.adoc[]
:context: cert-manager-nw-policy

toc::[]

[role="_abstract"]
The {cert-manager-operator} provides predefined `NetworkPolicy` resources to enhance security by controlling the ingress and egress traffic for its components. By default, this feature is disabled to prevent connectivity issues or breaking changes during an upgrade. To use this feature, you must enable it in the `CertManager` custom resource (CR).

After enabling the default policies, you must manually configure additional egress rules to allow outbound traffic. These rules are required for {cert-manager-operator} to communicate with external services beyond the API server and internal DNS.

Examples of services that require custom egress rules include the following:

* ACME servers, for example, Let's Encrypt

* DNS-01 challenge providers, for example, AWS Route53 or Cloudflare

* External CAs, such as HashiCorp Vault
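
The following is an added example of a custom egress rule covering the three cases listed above; it is not part of this documentation set or one of the operator's predefined policies. It assumes that the cert-manager controller runs in the `cert-manager` namespace and that its pod carries the label `app.kubernetes.io/name: cert-manager`; both are assumptions to verify on your cluster before applying the policy. Because a `NetworkPolicy` matches IP blocks rather than host names, the rule allows TCP port 443 to any address outside the RFC 1918 private ranges instead of naming ACME or DNS provider addresses, and it leaves the cluster-internal traffic that the default policies already permit untouched, since policies selecting the same pod are combined additively.

```yaml
# Added example (not the operator's own policy): allow cert-manager to reach
# external HTTPS endpoints for ACME, DNS-01 providers and external CAs.
# Assumptions to verify on your cluster: namespace "cert-manager" and the
# controller pod label app.kubernetes.io/name=cert-manager.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cert-manager-egress-external-https
  namespace: cert-manager
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: cert-manager
  policyTypes:
  - Egress
  egress:
  # HTTPS to ACME servers (Let's Encrypt), DNS-01 provider APIs (Route53,
  # Cloudflare) and external CAs (HashiCorp Vault). Private ranges are excluded
  # so this rule does not widen in-cluster access; the OpenShift default cluster
  # and service networks fall inside these ranges. If your provider publishes
  # stable IP ranges, replace 0.0.0.0/0 with those ranges to tighten the rule.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
    ports:
    - protocol: TCP
      port: 443
  # A Vault server listening on its default port 8200 needs its own entry;
  # scope it to the Vault address rather than 0.0.0.0/0 when that address is known.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
    ports:
    - protocol: TCP
      port: 8200
```

After applying the policy, confirm that it selects the intended pod (`oc get networkpolicy -n cert-manager` and `oc describe networkpolicy cert-manager-egress-external-https -n cert-manager`), then trigger a certificate renewal or challenge and check the controller logs for connection timeouts, which are the usual symptom of an egress rule that is too narrow.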

[NOTE]
====
Network policies are expected to be enabled by default in a future release, which could cause connectivity failures during an upgrade. To prepare for this change, configure the required egress policies.
====

// Egress and ingress rules
include::modules/cert-manager-nw-policy-rules.adoc[leveloffset=+1]

// Network policy parameters
include::modules/cert-manager-nw-policy-params.adoc[leveloffset=+1]

// Network policy examples
include::modules/cert-manager-nw-policy-examples.adoc[leveloffset=+1]

// Verification
include::modules/cert-manager-nw-policy-verify.adoc[leveloffset=+1]