openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
b4623ecb5d2bd85563c440057bf192088c1e2c64
openshift-docs/modules/nw-networkpolicy-create-cli.adoc

240 lines
5.7 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * networking/multiple_networks/configuring-multi-network-policy.adoc
// * networking/network_security/network_policy/creating-network-policy.adoc
// * post_installation_configuration/network-configuration.adoc
// * microshift_networking/microshift-creating-network-policy.adoc
:name: network
:role: admin
ifeval::["{context}" == "configuring-multi-network-policy"]
:multi:
:name: multi-network
:role: cluster-admin
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="nw-networkpolicy-create-cli_{context}"]
= Creating a {name} policy using the CLI
To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a {name} policy.
ifndef::multi,microshift[]
[NOTE]
====
If you log in with a user with the `cluster-admin` role, then you can create a network policy in any namespace in the cluster.
====
endif::multi,microshift[]
.Prerequisites
ifndef::microshift[]
* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
endif::microshift[]
* You installed the OpenShift CLI (`oc`).
ifndef::microshift[]
* You logged in to the cluster with a user with `{role}` privileges.
endif::microshift[]
* You are working in the namespace that the {name} policy applies to.
.Procedure
. Create a policy rule:
.. Create a `<policy_name>.yaml` file:
+
[source,terminal]
----
$ touch <policy_name>.yaml
----
+
--
where:
`<policy_name>`:: Specifies the {name} policy file name.
--
.. Define a {name} policy in the file that you just created, such as in the following examples:
+
.Deny ingress from all pods in all namespaces
This is a fundamental policy, blocking all cross-pod networking other than cross-pod traffic allowed by the configuration of other Network Policies.
+
[source,yaml]
----
ifndef::multi[]
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
endif::multi[]
ifdef::multi[]
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
endif::multi[]
metadata:
name: deny-by-default
ifdef::multi[]
annotations:
k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
endif::multi[]
spec:
podSelector: {}
policyTypes:
- Ingress
ingress: []
----
+
ifdef::multi[]
--
where:
`<network_name>`:: Specifies the name of a network attachment definition.
--
endif::multi[]
+
.Allow ingress from all pods in the same namespace
+
[source,yaml]
----
ifndef::multi[]
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
endif::multi[]
ifdef::multi[]
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
endif::multi[]
metadata:
name: allow-same-namespace
ifdef::multi[]
annotations:
k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
endif::multi[]
spec:
podSelector:
ingress:
- from:
- podSelector: {}
----
ifdef::multi[]
+
--
where:
`<network_name>`:: Specifies the name of a network attachment definition.
--
endif::multi[]
+
.Allow ingress traffic to one pod from a particular namespace
+
This policy allows traffic to pods that have the `pod-a` label from pods running in `namespace-y`.
+
[source,yaml]
----
ifndef::multi[]
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
endif::multi[]
ifdef::multi[]
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
endif::multi[]
metadata:
name: allow-traffic-pod
ifdef::multi[]
annotations:
k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
endif::multi[]
spec:
podSelector:
matchLabels:
pod: pod-a
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: namespace-y
----
ifdef::multi[]
+
--
where:
`<network_name>`:: Specifies the name of a network attachment definition.
--
endif::multi[]
+
ifdef::multi[]
.Restrict traffic to a service
+
This policy when applied ensures every pod with both labels `app=bookstore` and `role=api` can only be accessed by pods with label `app=bookstore`. In this example the application could be a REST API server, marked with labels `app=bookstore` and `role=api`.
+
This example addresses the following use cases:
* Restricting the traffic to a service to only the other microservices that need to use it.
* Restricting the connections to a database to only permit the application using it.
+
[source,yaml]
----
ifndef::multi[]
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
endif::multi[]
ifdef::multi[]
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
endif::multi[]
metadata:
name: api-allow
ifdef::multi[]
annotations:
k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
endif::multi[]
spec:
podSelector:
matchLabels:
app: bookstore
role: api
ingress:
- from:
- podSelector:
matchLabels:
app: bookstore
----
ifdef::multi[]
+
--
where:
`<network_name>`:: Specifies the name of a network attachment definition.
--
endif::multi[]
endif::multi[]
. To create the {name} policy object, enter the following command. Successful output lists the name of the policy object and the `created` status.
+
[source,terminal]
----
$ oc apply -f <policy_name>.yaml -n <namespace>
----
+
--
where:
`<policy_name>`:: Specifies the {name} policy file name.
`<namespace>`:: Optional parameter. If you defined the object in a different namespace than the current namespace, the parameter specifices the namespace.
--
+
Successful output lists the name of the policy object and the `created` status.
ifndef::microshift[]
[NOTE]
====
If you log in to the web console with `cluster-admin` privileges, you have a choice of creating a network policy in any namespace in the cluster directly in YAML or from a form in the web console.
====
endif::microshift[]
ifdef::multi[]
:!multi:
endif::multi[]
:!name:
:!role:
View Git Blame Copy Permalink