| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * microshift_networking/microshift-network-policies.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: CONCEPT |
| 6 | +[id="microshift-nw-network-policy-intro_{context}"] |
| 7 | += How network policy works in {microshift-short} |
| 8 | + |
| 9 | +In a cluster using the default OVN-Kubernetes Container Network Interface (CNI) plugin for {microshift-short}, network isolation is controlled by both firewalld, which is configured on the host, and by `NetworkPolicy` objects created within {microshift-short}. Simultaneous use of firewalld and `NetworkPolicy` is supported. |
| 10 | + |
| 11 | +* Network policies work only within boundaries of OVN-Kubernetes-controlled traffic, so they can apply to every situation except for `hostPort/hostNetwork` enabled pods. |
| 12 | +
|
| 13 | +* Firewalld settings also do not apply to `hostPort/hostNetwork` enabled pods. |
| 14 | +
|
| 15 | +[NOTE] |
| 16 | +==== |
| 17 | +Firewalld rules run before any `NetworkPolicy` is enforced. |
| 18 | +==== |
| 19 | + |
| 20 | +[WARNING] |
| 21 | +==== |
| 22 | +Network policy does not apply to the host network namespace. Pods with host networking enabled are unaffected by network policy rules. However, pods connecting to the host-networked pods might be affected by the network policy rules. |
| 23 | +
|
| 24 | +Network policies cannot block traffic from localhost. |
| 25 | +==== |
| 26 | + |
| 27 | +By default, all pods in a {microshift-short} node are accessible from other pods and network endpoints. To isolate one or more pods in a cluster, you can create `NetworkPolicy` objects to indicate allowed incoming connections. You can create and delete `NetworkPolicy` objects. |
| 28 | + |
| 29 | +If a pod is matched by selectors in one or more `NetworkPolicy` objects, then the pod accepts only connections that are allowed by at least one of those `NetworkPolicy` objects. A pod that is not selected by any `NetworkPolicy` objects is fully accessible. |
| 30 | + |
| 31 | +A network policy applies to only the TCP, UDP, ICMP, and SCTP protocols. Other protocols are not affected. |
| 32 | + |
| 33 | +The following example `NetworkPolicy` objects demonstrate supporting different scenarios: |
| 34 | + |
| 35 | +* Deny all traffic: |
| 36 | ++ |
| 37 | +To make a project deny by default, add a `NetworkPolicy` object that matches all pods but accepts no traffic: |
| 38 | ++ |
| 39 | +[source,yaml] |
| 40 | +---- |
| 41 | +kind: NetworkPolicy |
| 42 | +apiVersion: networking.k8s.io/v1 |
| 43 | +metadata: |
| 44 | + name: deny-by-default |
| 45 | +spec: |
| 46 | + podSelector: {} |
| 47 | + ingress: [] |
| 48 | +---- |
| 49 | +
|
| 50 | +* Allow connections from the default router, which is the ingress in {microshift-short}: |
| 51 | ++ |
| 52 | +To allow connections from the {microshift-short} default router, add the following `NetworkPolicy` object: |
| 53 | ++ |
| 54 | +[source,yaml] |
| 55 | +---- |
| 56 | +apiVersion: networking.k8s.io/v1 |
| 57 | +kind: NetworkPolicy |
| 58 | +metadata: |
| 59 | + name: allow-from-openshift-ingress |
| 60 | +spec: |
| 61 | + ingress: |
| 62 | + - from: |
| 63 | + - namespaceSelector: |
| 64 | + matchLabels: |
| 65 | + ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default |
| 66 | + podSelector: {} |
| 67 | + policyTypes: |
| 68 | + - Ingress |
| 69 | +---- |
| 70 | +
|
| 71 | +* Only accept connections from pods within the same namespace: |
| 72 | ++ |
| 73 | +To make pods accept connections from other pods in the same namespace, but reject all other connections from pods in other namespaces, add the following `NetworkPolicy` object: |
| 74 | ++ |
| 75 | +[source,yaml] |
| 76 | +---- |
| 77 | +kind: NetworkPolicy |
| 78 | +apiVersion: networking.k8s.io/v1 |
| 79 | +metadata: |
| 80 | + name: allow-same-namespace |
| 81 | +spec: |
| 82 | + podSelector: {} |
| 83 | + ingress: |
| 84 | + - from: |
| 85 | + - podSelector: {} |
| 86 | +---- |
| 87 | +
|
| 88 | +* Only allow HTTP and HTTPS traffic based on pod labels: |
| 89 | ++ |
| 90 | +To enable only HTTP and HTTPS access to the pods with a specific label (`role=frontend` in following example), add a `NetworkPolicy` object similar to the following: |
| 91 | ++ |
| 92 | +[source,yaml] |
| 93 | +---- |
| 94 | +kind: NetworkPolicy |
| 95 | +apiVersion: networking.k8s.io/v1 |
| 96 | +metadata: |
| 97 | + name: allow-http-and-https |
| 98 | +spec: |
| 99 | + podSelector: |
| 100 | + matchLabels: |
| 101 | + role: frontend |
| 102 | + ingress: |
| 103 | + - ports: |
| 104 | + - protocol: TCP |
| 105 | + port: 80 |
| 106 | + - protocol: TCP |
| 107 | + port: 443 |
| 108 | +---- |
| 109 | +
|
| 110 | +* Accept connections by using both namespace and pod selectors: |
| 111 | ++ |
| 112 | +To match network traffic by combining namespace and pod selectors, you can use a `NetworkPolicy` object similar to the following: |
| 113 | ++ |
| 114 | +[source,yaml] |
| 115 | +---- |
| 116 | +kind: NetworkPolicy |
| 117 | +apiVersion: networking.k8s.io/v1 |
| 118 | +metadata: |
| 119 | + name: allow-pod-and-namespace-both |
| 120 | +spec: |
| 121 | + podSelector: |
| 122 | + matchLabels: |
| 123 | + name: test-pods |
| 124 | + ingress: |
| 125 | + - from: |
| 126 | + - namespaceSelector: |
| 127 | + matchLabels: |
| 128 | + project: project_name |
| 129 | + podSelector: |
| 130 | + matchLabels: |
| 131 | + name: test-pods |
| 132 | +---- |
| 133 | +
|
| 134 | +`NetworkPolicy` objects are additive, which means you can combine multiple `NetworkPolicy` objects together to satisfy complex network requirements. |
| 135 | + |
| 136 | +For example, for the `NetworkPolicy` objects defined in previous examples, you can define both `allow-same-namespace` and `allow-http-and-https` policies. That configuration allows the pods with the label `role=frontend` to accept any connection allowed by each policy. That is, connections on any port from pods in the same namespace, and connections on ports `80` and `443` from pods in any namespace. |
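Review bot: the first bullet is titled "Deny all traffic", but the `deny-by-default` policy under it only isolates ingress: with `ingress: []` and no `policyTypes`, the selected pods can still open any outbound connection. Either retitle the bullet and its lead sentence to "Deny all ingress traffic", or make the object match its title by adding `policyTypes: [Ingress, Egress]` together with `egress: []`. Two smaller points in the same hunk: in `allow-from-openshift-ingress`, please confirm that `ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default` is a label carried by the router's namespace, since `namespaceSelector` matches namespace labels rather than the router pods' labels; and the closing paragraph says ports `80` and `443` are accepted "from pods in any namespace", whereas `allow-http-and-https` has no `from` clause, so it admits those ports from any source, including traffic arriving from outside the cluster, which is worth stating plainly in a section about isolation.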