openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
e877abf380497ab9fd71e34819e34dac1cd2e849
openshift-docs/modules/nw-networkpolicy-allow-application-all-namespaces.adoc

132 lines
3.5 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * networking/multiple_networks/configuring-multi-network-policy.adoc
// * networking/network_security/network_policy/creating-network-policy.adoc
// * microshift_networking/microshift-creating-network-policy.adoc
:name: network
:role: admin
ifeval::["{context}" == "configuring-multi-network-policy"]
:multi:
:name: multi-network
:role: cluster-admin
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="nw-networkpolicy-allow-traffic-from-all-applications_{context}"]
= Creating a {name} policy allowing traffic to an application from all namespaces
[role="_abstract"]
You can configure a policy that allows traffic from all pods in all namespaces to a particular application.
ifndef::microshift[]
[NOTE]
====
If you log in with a user with the `cluster-admin` role, then you can create a network policy in any namespace in the cluster.
====
endif::microshift[]
.Prerequisites
ifndef::microshift[]
* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
endif::microshift[]
* You installed the {oc-first}.
ifndef::microshift[]
* You logged in to the cluster with a user with `{role}` privileges.
endif::microshift[]
* You are working in the namespace that the {name} policy applies to.
.Procedure
. Create a policy that allows traffic from all pods in all namespaces to a particular application. Save the YAML in the `web-allow-all-namespaces.yaml` file:
+
ifndef::multi[]
[source,yaml]
----
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
spec:
podSelector:
matchLabels:
app: web
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector: {}
----
endif::multi[]
+
where:
+
`app`:: Applies the policy only to `app:web` pods in default namespace.
`namespaceSelector`:: Selects all pods in all namespaces.
+
[NOTE]
====
By default, if you do not specify a `namespaceSelector` parameter in the policy object, no namespaces get selected. This means the policy allows traffic only from the namespace where the network policy deployes.
====
. Apply the policy by entering the following command. Successful output lists the name of the policy object and the `created` status.
+
[source,terminal]
----
$ oc apply -f web-allow-all-namespaces.yaml
----
.Verification
. Start a web service in the `default` namespace by entering the following command:
+
[source,terminal]
----
$ oc run web --namespace=default --image=nginx --labels="app=web" --expose --port=80
----
. Run the following command to deploy an `alpine` image in the `secondary` namespace and to start a shell:
+
[source,terminal]
----
$ oc run test-$RANDOM --namespace=secondary --rm -i -t --image=alpine -- sh
----
. Run the following command in the shell and observe that the service allows the request:
+
[source,terminal]
----
# wget -qO- --timeout=2 http://web.default
----
+
[source,terminal]
----
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
----
ifdef::multi[]
:!multi:
endif::multi[]
:!name:
:!role:
View Git Blame Copy Permalink