Adds egress netpol docs #92159
🤖 Thu Sep 18 16:15:49 - Prow CI generated the docs preview:
The This is because your PR targets the If the update in your PR does NOT apply to version 4.20 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.
Review threads (outdated, resolved) on:
modules/nw-networkpolicy-configuring-ingress-new-deployment.adoc
modules/nw-networkpolicy-enable-pod-pod-communication-egress.adoc
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale

/remove-lifecycle stale
@stevsmit: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
$ oc apply -f ingress-access.yaml -n project-a
----

. Apply the network policy to the `project-b` namespace by entering the following command:
To simplify the example, please get rid of project-b
+
[source,terminal]
----
$ oc exec -it test-pod-b -n project-b -- ping -c 2 10.132.0.44
Suggested change:
- $ oc exec -it test-pod-b -n project-b -- ping -c 2 10.132.0.44
+ $ oc exec -it test-pod-a -n project-a -- ping -c 2 10.132.0.38
+
[source,terminal]
----
PING 10.132.0.44 (10.132.0.44): 56 data bytes
Suggested change:
- PING 10.132.0.44 (10.132.0.44): 56 data bytes
+ PING 10.132.0.38 (10.132.0.38): 56 data bytes
[source,terminal]
----
PING 10.132.0.44 (10.132.0.44): 56 data bytes
64 bytes from 10.132.0.44: seq=0 ttl=42 time=1.137 ms
Suggested change:
- 64 bytes from 10.132.0.44: seq=0 ttl=42 time=1.137 ms
+ 64 bytes from 10.132.0.38: seq=0 ttl=42 time=1.137 ms
----
PING 10.132.0.44 (10.132.0.44): 56 data bytes
64 bytes from 10.132.0.44: seq=0 ttl=42 time=1.137 ms
64 bytes from 10.132.0.44: seq=1 ttl=42 time=0.672 ms
Suggested change:
- 64 bytes from 10.132.0.44: seq=1 ttl=42 time=0.672 ms
+ 64 bytes from 10.132.0.38: seq=1 ttl=42 time=0.672 ms
+
[source,terminal]
----
$ oc new-project project-c
Suggested change:
- $ oc new-project project-c
+ oc new-project project-c
This nit makes cut and paste easier
+
[source,terminal]
----
$ cat <<EOF | oc apply -f - -n project-c
Suggested change:
- $ cat <<EOF | oc apply -f - -n project-c
+ cat <<EOF | oc apply -f - -n project-c
+
[source,yaml]
----
apiVersion: networking.k8s.io/v1
I believe this one should be
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-new
spec:
  podSelector:
    matchLabels:
      networking/allow-all-connections: "true"
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
```
+
[source,terminal]
----
$ oc apply -f allow-n1-a-to-n2-b.yaml -n project-b
Suggested change:
- $ oc apply -f allow-n1-a-to-n2-b.yaml -n project-b
+ oc apply -f allow-n1-a-to-n2-b.yaml -n project-b

.Procedure

. Create the following YAML that defines a `default-deny-all-egress` network policy to deny egress for all pods in the namespace. Save the YAML in the `default-deny-all-egress.yaml` file:
This policy allows egress to DNS.
+
[source,yaml]
----
apiVersion: networking.k8s.io/v1
Policy YAML that works
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-openshift-dns
spec:
  podSelector: {}   # every pod in the namespace the policy is applied to
  policyTypes:
  - Egress
  egress:
  # `to` and `ports` must sit in the same rule. Written as two list items
  # (`- ports:` and `- to:`) they become two rules: one allowing 5353 to any
  # destination, one allowing every port to openshift-dns.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
      podSelector: {}
    ports:
    - port: 5353
      protocol: TCP
    - port: 5353
      protocol: UDP
```
+
[source,terminal]
----
$ oc apply -f default-deny-all-egress.yaml -n project-a
Suggested change:
- $ oc apply -f default-deny-all-egress.yaml -n project-a
+ $ oc apply -f allow-egress-to-openshift-dns -n project-a
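Review bot: the suggested command drops the `.yaml` extension that the line it replaces has, so `oc apply -f` would look for a file named `allow-egress-to-openshift-dns` with no extension; it also keeps the `$` prompt that the other suggestions in this review remove for cut-and-paste. `oc apply -f allow-egress-to-openshift-dns.yaml -n project-a` would match both.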
policyTypes:
- Egress
----
<1> Allows connections to port `53` on any IP to facilitate DNS lookups.
Suggested change:
- <1> Allows connections to port `53` on any IP to facilitate DNS lookups.
+ <1> Allows connections to port `5353` on any IP to facilitate DNS lookups.
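Review bot: the suggested callout still says "on any IP", but the egress policy proposed in this review pairs port 5353 with a `to` entry that selects pods in the `openshift-dns` namespace (`kubernetes.io/metadata.name: openshift-dns`), so the callout should say the rule allows DNS lookups against the DNS pods in `openshift-dns` on port 5353. A rule that really allowed 5353 to any IP would let every pod in the namespace reach any address on that port, which is not what the default-deny-plus-DNS procedure is meant to leave open.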
* You have created pods in your cluster.

.Procedure
```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
```
+
[IMPORTANT]
====
Do not apply this network policy to the `kube-system` namespace, as it can break cluster functionality.
Suggested change:
- Do not apply this network policy to the `kube-system` namespace, as it can break cluster functionality.
+ Do not apply default-deny-all-egress network policy to the `kube-system` namespace, as it can break cluster functionality.
$ oc apply -f default-deny-all-egress.yaml -n project-b
----
+
With the application of the `default-deny-all-egress` network policy, pods in those namespaces cannot receive external traffic.
Suggested change:
- With the application of the `default-deny-all-egress` network policy, pods in those namespaces cannot receive external traffic.
+ With the application of the `default-deny-all-egress` network policy, pods in those namespaces cannot send external traffic.
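Review bot: "cannot send external traffic" understates the effect. A policy with `policyTypes: [Egress]` and no `egress` rules stops the selected pods from initiating any connection, cluster-internal or external, and that includes DNS lookups, which is what the `;; connection timed out; no servers could be reached` output in the next fragment shows. The sentence should say that the pods can no longer initiate any outbound connection until an allow policy such as the allow-egress-to-openshift-dns one in this review is added.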
;; connection timed out; no servers could be reached
----

. Test ingress connection between pods in the `project-a` and `project-b` namespaces by entering the following command. Because the `default-deny-all-egress` network policy breaks pod-to-pod communication for egress, pods should not longer be able to communicate.
Suggested change:
- . Test ingress connection between pods in the `project-a` and `project-b` namespaces by entering the following command. Because the `default-deny-all-egress` network policy breaks pod-to-pod communication for egress, pods should not longer be able to communicate.
+ . Test egress connection between pods in the `project-a` and `project-b` namespaces by entering the following command. Because the `default-deny-all-egress` network policy breaks pod-to-pod communication for egress, pods should not longer be able to communicate.
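Review bot: the suggested sentence keeps "pods should not longer be able to communicate"; it should read "should no longer be able to communicate". It also still tests between `project-a` and `project-b`, while an earlier comment in this review asks to remove `project-b` to simplify the example, so this step needs the same simplification if that comment is accepted.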
The This is because your PR targets the If the update in your PR does NOT apply to version 4.21 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.
Version(s):
Issue:
https://issues.redhat.com/browse/OCPBUGS-54674
Link to docs preview:
https://92159--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation
QE review:
Additional information: