mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
104 lines
2.8 KiB
Plaintext
104 lines
2.8 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/multiple_networks/configuring-multi-network-policy.adoc
|
|
// * networking/network_security/network_policy/creating-network-policy.adoc
|
|
|
|
:name: network
|
|
:role: admin
|
|
ifeval::["{context}" == "configuring-multi-network-policy"]
|
|
:multi:
|
|
:name: multi-network
|
|
:role: cluster-admin
|
|
endif::[]
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="nw-networkpolicy-allow-external-clients_{context}"]
|
|
= Creating a {name} policy to allow traffic from external clients
|
|
|
|
[role="_abstract"]
|
|
With the `deny-by-default` policy in place you can proceed to configure a policy that allows traffic from external clients to a pod with the label `app=web`.
|
|
|
|
ifndef::microshift[]
|
|
[NOTE]
|
|
====
|
|
If you log in with a user with the `cluster-admin` role, then you can create a network policy in any namespace in the cluster.
|
|
====
|
|
endif::microshift[]
|
|
ifdef::microshift[]
|
|
[NOTE]
|
|
====
|
|
Firewalled rules run before any `NetworkPolicy` is enforced.
|
|
====
|
|
endif::microshift[]
|
|
|
|
Follow this procedure to configure a policy that allows external service from the public Internet directly or by using a Load Balancer to access the pod. Traffic is only allowed to a pod with the label `app=web`.
|
|
|
|
.Prerequisites
|
|
ifndef::microshift[]
|
|
* Your cluster uses a network plugin that supports `NetworkPolicy` objects, such as the OVN-Kubernetes network plugin, with `mode: NetworkPolicy` set.
|
|
endif::microshift[]
|
|
* You installed the {oc-first}.
|
|
ifndef::microshift[]
|
|
* You logged in to the cluster with a user with `{role}` privileges.
|
|
endif::microshift[]
|
|
* You are working in the namespace that the {name} policy applies to.
|
|
|
|
.Procedure
|
|
|
|
. Create a policy that allows traffic from the public Internet directly or by using a load balancer to access the pod. Save the YAML in the `web-allow-external.yaml` file:
|
|
+
|
|
ifndef::multi[]
|
|
[source,yaml]
|
|
----
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
spec:
|
|
policyTypes:
|
|
- Ingress
|
|
podSelector:
|
|
matchLabels:
|
|
app: web
|
|
ingress:
|
|
- {}
|
|
----
|
|
endif::multi[]
|
|
ifdef::multi[]
|
|
[source,yaml]
|
|
----
|
|
apiVersion: k8s.cni.cncf.io/v1beta1
|
|
kind: MultiNetworkPolicy
|
|
metadata:
|
|
name: web-allow-external
|
|
namespace: default
|
|
annotations:
|
|
k8s.v1.cni.cncf.io/policy-for:<namespace_name>/<network_name>
|
|
spec:
|
|
policyTypes:
|
|
- Ingress
|
|
podSelector:
|
|
matchLabels:
|
|
app: web
|
|
ingress:
|
|
- {}
|
|
----
|
|
endif::multi[]
|
|
|
|
. Apply the policy by entering the following command. Successful output lists the name of the policy object and the `created` status.
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc apply -f web-allow-external.yaml
|
|
----
|
|
+
|
|
ifndef::microshift[]
|
|
This policy allows traffic from all resources, including external traffic as illustrated in the following diagram:
|
|
|
|
image::292_OpenShift_Configuring_multi-network_policy_1122.png[Allow traffic from external clients]
|
|
endif::microshift[]
|
|
|
|
ifdef::multi[]
|
|
:!multi:
|
|
endif::multi[]
|
|
:!name:
|
|
:!role:
|