openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
895da41f2c29ad8c83ef263d1c1a514b030bb62f
openshift-docs/modules/nw-networkpolicy-optimize.adoc
JoeAldinger 5bf321b9b5 topics-map-fix: renames nwt security
2024-06-11 20:51:11 +00:00

23 lines
1.5 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * networking/network_security/network_policy/about-network-policy.adoc
[id="nw-networkpolicy-optimize-sdn_{context}"]
= Optimizations for network policy with OpenShift SDN
Use a network policy to isolate pods that are differentiated from one another by labels within a namespace.
It is inefficient to apply `NetworkPolicy` objects to large numbers of individual pods in a single namespace. Pod labels do not exist at the IP address level, so a network policy generates a separate Open vSwitch (OVS) flow rule for every possible link between every pod selected with a `podSelector`.
For example, if the spec `podSelector` and the ingress `podSelector` within a `NetworkPolicy` object each match 200 pods, then 40,000 (200*200) OVS flow rules are generated. This might slow down a node.
When designing your network policy, refer to the following guidelines:
* Reduce the number of OVS flow rules by using namespaces to contain groups of pods that need to be isolated.
+
`NetworkPolicy` objects that select a whole namespace, by using the `namespaceSelector` or an empty `podSelector`, generate only a single OVS flow rule that matches the VXLAN virtual network ID (VNID) of the namespace.
* Keep the pods that do not need to be isolated in their original namespace, and move the pods that require isolation into one or more different namespaces.
* Create additional targeted cross-namespace network policies to allow the specific traffic that you do want to allow from the isolated pods.
View Git Blame Copy Permalink