procedures: Add required netpols in isolated environments (#2669)

* add required netpols in isolated environments * Implement suggestion * correct remark --------- Co-authored-by: Fabian Mueller <[email protected]>
eclipse-che · Dec 27, 2023 · e29d07f · e29d07f
1 parent 13c2753
commit e29d07f
Showing 1 changed file with 60 additions and 0 deletions.
diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc
@@ -44,6 +44,66 @@ spec:
 The default is `{prod-namespace}`.
 <2> The empty `podSelector` selects all Pods in the {orch-namespace}.
 
+* OPTIONAL: In case you applied link:https://docs.openshift.com/container-platform/{ocp4-ver}/networking/network_policy/multitenant-network-policy.html[Configuring multitenant isolation with network policy], you also must apply `allow-from-openshift-apiserver` and `allow-from-workspaces-namespaces` NetworkPolicies to `{prod-namespace}`. 
+The `allow-from-openshift-apiserver` NetworkPolicy allows incoming traffic from `openshift-apiserver` namespace to the `devworkspace-webhook-server` enabling webhooks.
+The `allow-from-workspaces-namespaces` NetworkPolicy allows incoming traffic from each user project to `che-gateway` pod.
++
+.`allow-from-openshift-apiserver.yaml`
+====
+[source,yaml,subs="+quotes,attributes"]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-openshift-apiserver
+  namespace: {prod-namespace}   <1>
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: devworkspace-webhook-server   <2>
+  ingress:
+    - from:
+        - podSelector: {}
+          namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: openshift-apiserver
+  policyTypes:
+    - Ingress
+----
+====
++
+<1> The {prod-short} namespace.
+The default is `{prod-namespace}`.
+<2> The `podSelector` only selects devworkspace-webhook-server pods
++
+.`allow-from-workspaces-namespaces.yaml`
+====
+[source,yaml,subs="+quotes,attributes"]
+----
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-workspaces-namespaces
+  namespace: {prod-namespace}   <1>
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: che-gateway   <2>
+  ingress:
+    - from:
+        - podSelector: {}
+          namespaceSelector:
+            matchLabels:
+              app.kubernetes.io/component: workspaces-namespace
+  policyTypes:
+    - Ingress
+----
+====
++
+<1> The {prod-short} namespace.
+The default is `{prod-namespace}`.
+<2> The `podSelector` only selects che-gateway pods
+
 .Additional resources
 * xref:configuring-namespace-provisioning.adoc[]