From e29d07ff9c01dc81d9fd61074dc07a6cb10b3e64 Mon Sep 17 00:00:00 2001 From: muellerfabi Date: Wed, 27 Dec 2023 16:28:19 +0100 Subject: [PATCH] procedures: Add required netpols in isolated environments (#2669) * add required netpols in isolated environments * Implement suggestion * correct remark --------- Co-authored-by: Fabian Mueller --- .../pages/configuring-network-policies.adoc | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index 2881b87a98..d5e1b45b72 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc 
@@ -44,6 +44,66 @@ spec: The default is `{prod-namespace}`. <2> The empty `podSelector` selects all Pods in the {orch-namespace}. +* OPTIONAL: In case you applied link:https://docs.openshift.com/container-platform/{ocp4-ver}/networking/network_policy/multitenant-network-policy.html[Configuring multitenant isolation with network policy], you also must apply `allow-from-openshift-apiserver` and `allow-from-workspaces-namespaces` NetworkPolicies to `{prod-namespace}`. +The `allow-from-openshift-apiserver` NetworkPolicy allows incoming traffic from `openshift-apiserver` namespace to the `devworkspace-webhook-server` enabling webhooks. +The `allow-from-workspaces-namespaces` NetworkPolicy allows incoming traffic from each user project to `che-gateway` pod. ++ +.`allow-from-openshift-apiserver.yaml` +==== +[source,yaml,subs="+quotes,attributes"] +---- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-from-openshift-apiserver + namespace: {prod-namespace} <1> +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: devworkspace-webhook-server <2> + ingress: + - from: + - podSelector: {} + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-apiserver + policyTypes: + - Ingress +---- +==== ++ +<1> The {prod-short} namespace. +The default is `{prod-namespace}`. +<2> The `podSelector` only selects devworkspace-webhook-server pods ++ +.`allow-from-workspaces-namespaces.yaml` +==== +[source,yaml,subs="+quotes,attributes"] +---- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-from-workspaces-namespaces + namespace: {prod-namespace} <1> +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: che-gateway <2> + ingress: + - from: + - podSelector: {} + namespaceSelector: + matchLabels: + app.kubernetes.io/component: workspaces-namespace + policyTypes: + - Ingress +---- +==== ++ +<1> The {prod-short} namespace. +The default is `{prod-namespace}`. 
+<2> The `podSelector` only selects che-gateway pods + .Additional resources * xref:configuring-namespace-provisioning.adoc[]
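Review bot: The `allow-from-openshift-apiserver` policy is placed in `{prod-namespace}`, but a NetworkPolicy only governs pods in its own namespace, so it is a silent no-op unless the `devworkspace-webhook-server` pod actually runs there; please confirm where that pod is deployed and, if it runs alongside the DevWorkspace Operator in another namespace, document the policy under that namespace instead, otherwise the webhook stays blocked with no error. Two related checks on the same hunk: confirm that the admission calls really originate from pods in the `openshift-apiserver` namespace (if they come from the kube-apiserver the `namespaceSelector` will not match), and note that the two policies key on different label keys (`app.kubernetes.io/name: devworkspace-webhook-server` versus `app.kubernetes.io/component: che-gateway`), so both should be verified against the running pods. The `allow-from-workspaces-namespaces` rule admits nothing from a user project that lacks the `app.kubernetes.io/component: workspaces-namespace` label, so the text should say which component applies that label to user projects, or link to `configuring-namespace-provisioning.adoc` for it, and ideally give the reader a way to confirm the policies took effect (for example that workspace startup and the `che-gateway` route still work once multitenant isolation is enabled). Minor wording: `you also must apply` reads better as `you must also apply`, and the two `<2>` callouts should end with a period and name the pod, for example `The podSelector selects only the devworkspace-webhook-server pod.`, to match the `<1>` callouts.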