Skip to content

Can enable project network isolation for imported clusters#4815

Closed
catherineluse wants to merge 1 commit into
rancher:masterfrom
catherineluse:pni
Closed

Can enable project network isolation for imported clusters#4815
catherineluse wants to merge 1 commit into
rancher:masterfrom
catherineluse:pni

Conversation

@catherineluse
Copy link
Copy Markdown
Contributor

@catherineluse catherineluse commented Feb 24, 2022
edited
Loading

This PR addresses rancher/dashboard#4574 by adding radio buttons to allow enabling project network isolation for imported clusters.

Screen Shot 2022-02-24 at 3 04 05 PM

Currently this input is going to always be displayed because for imported clusters, we don't know if the cluster has a CNI that supports project network isolation. (Ryan Sanna to confirm.)

When PNI is enabled, we show the same warning that is used when the option is enabled for RKE1 clusters:
Screen Shot 2022-02-24 at 2 44 42 PM

Testing

To test this PR,

  1. I imported a K3s cluster (I tested the same steps on both K3s and RKE2 clusters)
  2. In Cluster Management, I went to the imported cluster and clicked Edit Config
  3. Went to Project Network Isolation and clicked Enabled
  4. Clicked Save

Verified that for both K3s and RKE2, enabledNetworkPolicy was set to true in the cluster data in the network request
Screen Shot 2022-02-24 at 5 20 47 PM

Outstanding Questions

Which Kubernetes distro(s) do we want to support? On both K3s and RKE2 clusters, when you save the changes, you get the API error that says it is not a valid option to set enableNetworkPolicy to true:
Screen Shot 2022-02-24 at 5 20 09 PM

Also, Cody noticed that the form for K3s clusters already exposes an option for enabling PNI under advanced options, even though the API throws the above error if you enable it. Should this option be exposed under Advanced Options for both K3s and RKE2? Currently the form for RKE2 doesn't have an advanced options section.

Here are the existing advanced options for imported K3s clusters:
Screen Shot 2022-02-24 at 4 36 31 PM

@catherineluse catherineluse mentioned this pull request Feb 25, 2022
Closed
@nwmac
Copy link
Copy Markdown
Member

nwmac commented Mar 8, 2022

@catherineluse Is this still draft and needed for 2.6.4?

@catherineluse
Copy link
Copy Markdown
Contributor Author

catherineluse commented Mar 8, 2022
edited
Loading

Yes, it's still in draft. I assumed this was one of the RKE2 cluster provisioning features but it's not. Ryan clarified that this change is supposed to affect RKE1, AKS and GKE clusters only, so I'll need to change it to affect those clusters.

Also the K3s has a PNI option but that should actually be removed because the feature is not supported for K3s. I was going to take care of that in the same PR as well.

As to whether the feature is needed for v2.6.4, I would say yes because the backend part is still in the v2.6.4 milestone.

@catherineluse
Copy link
Copy Markdown
Contributor Author

catherineluse commented Dec 12, 2022

Closing as stale

@jzandbergen
Copy link
Copy Markdown

jzandbergen commented Dec 22, 2025

Hi @catherineluse , I am investigating the reason why on RKE2 PNI is not supported by rancher and I stumbled upon this commit. It's unfortunate this PR didn't made the cut.

Are there any fundamental reasons why PNI is not made available on RKE2 (and its brother K3S)?

Thank you.

@gennitdev
Copy link
Copy Markdown

gennitdev commented Dec 22, 2025

I don't work on Rancher anymore. @nwmac please advise

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@catherineluse @nwmac @jzandbergen @gennitdev