mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-07 00:48:01 +01:00
161 lines
5.1 KiB
Plaintext
161 lines
5.1 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/network_policy/about-network-policy.adoc
|
|
// * networking/configuring-networkpolicy.adoc
|
|
// * post_installation_configuration/network-configuration.adoc
|
|
|
|
[id="nw-networkpolicy-about_{context}"]
|
|
|
|
= About network policy
|
|
|
|
In a cluster using a Kubernetes Container Network Interface (CNI) plug-in that supports Kubernetes network policy, network isolation is controlled entirely by NetworkPolicy Custom Resource (CR) objects.
|
|
In {product-title} {product-version}, OpenShift SDN supports using NetworkPolicy in its default network isolation mode.
|
|
|
|
[NOTE]
|
|
====
|
|
IPBlock is supported in NetworkPolicy with limitations for OpenShift SDN; it
|
|
supports IPBlock without except clauses. If you create a policy with an IPBlock
|
|
section including an except clause, the SDN pods log generates warnings and the
|
|
entire IPBlock section of that policy is ignored.
|
|
====
|
|
|
|
[WARNING]
|
|
====
|
|
Network policy does not apply to the host network namespace. Pods with host networking enabled are unaffected by NetworkPolicy object rules.
|
|
====
|
|
|
|
By default, all pods in a project are accessible from other pods and network
|
|
endpoints. To isolate one or more pods in a project, you can create
|
|
NetworkPolicy objects in that project to indicate the allowed incoming
|
|
connections. Project administrators can create and delete NetworkPolicy objects
|
|
within their own project.
|
|
|
|
If a pod is matched by selectors in one or more NetworkPolicy objects, then the
|
|
pod will accept only connections that are allowed by at least one of those
|
|
NetworkPolicy objects. A pod that is not selected by any NetworkPolicy objects
|
|
is fully accessible.
|
|
|
|
The following example NetworkPolicy objects demonstrate supporting different
|
|
scenarios:
|
|
|
|
* Deny all traffic:
|
|
+
|
|
To make a project deny by default, add a NetworkPolicy object that matches all
|
|
pods but accepts no traffic:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: deny-by-default
|
|
spec:
|
|
podSelector:
|
|
ingress: []
|
|
----
|
|
|
|
* Only allow connections from the {product-title} Ingress Controller:
|
|
+
|
|
To make a project allow only connections from the {product-title} Ingress
|
|
Controller, add the following NetworkPolicy object:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-from-openshift-ingress
|
|
spec:
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
network.openshift.io/policy-group: ingress
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
----
|
|
|
|
+
|
|
If the Ingress Controller is configured with `endpointPublishingStrategy: HostNetwork`, then the Ingress Controller pod runs on the host network.
|
|
When running on the host network, the traffic from the Ingress Controller is assigned the `netid:0` Virtual Network ID (VNID).
|
|
The `netid` for the namespace that is associated with the Ingress Operator is different, so the `matchLabel` in the `allow-from-openshift-ingress` network policy does not match traffic from the `default` Ingress Controller.
|
|
Because the `default` namespace is assigned the `netid:0` VNID, you can allow traffic from the `default` Ingress Controller by labeling your `default` namespace with `network.openshift.io/policy-group: ingress`.
|
|
|
|
* Only accept connections from pods within a project:
|
|
+
|
|
To make pods accept connections from other pods in the same project, but reject
|
|
all other connections from pods in other projects, add the following
|
|
NetworkPolicy object:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-same-namespace
|
|
spec:
|
|
podSelector:
|
|
ingress:
|
|
- from:
|
|
- podSelector: {}
|
|
----
|
|
|
|
* Only allow HTTP and HTTPS traffic based on pod labels:
|
|
+
|
|
To enable only HTTP and HTTPS access to the pods with a specific label
|
|
(`role=frontend` in following example), add a NetworkPolicy object similar to the following:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-http-and-https
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
role: frontend
|
|
ingress:
|
|
- ports:
|
|
- protocol: TCP
|
|
port: 80
|
|
- protocol: TCP
|
|
port: 443
|
|
----
|
|
|
|
* Accept connections by using both namespace and pod selectors:
|
|
+
|
|
To match network traffic by combining namespace and pod selectors, you can use a NetworkPolicy object similar to the following:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: allow-pod-and-namespace-both
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
name: test-pods
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
project: project_name
|
|
podSelector:
|
|
matchLabels:
|
|
name: test-pods
|
|
----
|
|
|
|
|
|
NetworkPolicy objects are additive, which means you can combine multiple
|
|
NetworkPolicy objects together to satisfy complex network requirements.
|
|
|
|
For example, for the NetworkPolicy objects defined in previous samples, you
|
|
can define both `allow-same-namespace` and `allow-http-and-https` policies
|
|
within the same project. Thus allowing the pods with the label `role=frontend`,
|
|
to accept any connection allowed by each policy. That is, connections on any
|
|
port from pods in the same namespace, and connections on ports `80` and
|
|
`443` from pods in any namespace.
|