Commit 0c57003

author
Steven Smith
committed
Adds egress netpol docs
1 parent 1de0f04 commit 0c57003

14 files changed

+690
-0
lines changed

_topic_maps/_topic_map.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1479,6 +1479,8 @@ Topics:
14791479
File: default-network-policy
14801480
- Name: Configuring multitenant isolation with network policy
14811481
File: multitenant-network-policy
1482+
- Name: Configuring full multitenant isolation with network policy using ingress and egress
1483+
File: nw-networkpolicy-full-multitenant-isolation
14821484
- Name: Audit logging for network security
14831485
File: logging-network-security
14841486
- Name: Egress Firewall
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
4+
5+
:_mod-docs-content-type: PROCEDURE
6+
[id="nw-networkpolicy-allow-internet_{context}"]
7+
= Creating an allow internet access network policy
8+
9+
With the `deny-by-default` network policy in place, no pods can talk to each other or receive traffic from the internet. As a result, you should allow some pods to receive traffic from outside sources. To do this, you can create designated labels that are applied to the pods that you want to allow access from the internet, and then create network policies that target those labels.
10+
11+
The following procedure shows you how to create an internet access network policy that uses the `networking/allow-internet-access=true` label so that labeled pods receive traffic from outside sources.
12+
13+
.Prerequisites
14+
15+
* You have created the `deny-by-default` network policy and applied it to the necessary namespaces.
16+
17+
.Procedure
18+
19+
. Create the following `internet-access` network policy to allow pods with the `networking/allow-internet-access` label to receive traffic from outside sources. Save the YAML in the `internet-access.yaml` file:
20+
+
21+
[source,yaml]
22+
----
23+
apiVersion: networking.k8s.io/v1
24+
kind: NetworkPolicy
25+
metadata:
26+
name: internet-access
27+
spec:
28+
podSelector:
29+
matchLabels:
30+
networking/allow-internet-access: "true" <1>
31+
policyTypes:
32+
- Ingress
33+
ingress:
34+
- {}
35+
----
36+
<1> Apply this label to pods to enable the pod to receive traffic from outside sources.
37+
38+
. Apply the network policy by entering the following command:
39+
+
40+
[source,terminal]
41+
----
42+
$ oc apply -f internet-access.yaml -n <namespace>
43+
----
44+
+
45+
.Example output
46+
+
47+
[source,terminal]
48+
----
49+
networkpolicy.networking.k8s.io/internet-access created
50+
----
51+
52+
. Repeat step two for all necessary namespaces.
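Review bot: the `internet-access` policy does not limit traffic to internet sources: the rule `ingress: - {}` (new lines 33-34) admits traffic from every source, including every pod in every namespace of the cluster, so a pod labeled `networking/allow-internet-access=true` gives up the tenant isolation that `deny-by-default` established. If external traffic is the intent, the rule needs a `from` clause, for example a `namespaceSelector` matching the namespace of the ingress controller that terminates external connections, or an `ipBlock` covering the expected external ranges; otherwise the intro text (new line 9) and the `<1>` callout (line 36) should state that the label opens the pod to all ingress, not only to outside sources, so readers do not apply it with a false sense of scope.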
Lines changed: 177 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,177 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
4+
5+
:_mod-docs-content-type: REFERENCE
6+
[id="nw-networkpolicy-ingress-new-deployments_{context}"]
7+
= Creating a network policy for new projects
8+
9+
After you have created a network policy that defines specific connections, new projects are unable to communicate to existing projects by default until the proper network policies are applied. To address this behavior, you can create the following `allow-ingress-from-new` and `allow-ingress-to-new` network policies in the projects that you want to allow communication. For example, if you adding a third project to you cluster (`project-c`), you can add these network policies to the `project-a` and `project-c` namespaces, which allows pods with the `networking/allow-all-connections=true` label to communicate with each other.
10+
11+
The `allow-ingress-from-new` and `allow-ingress-to-new` network policies act as a stop-gap to allow pods labeled with `networking/allow-all-connections=true` the ability to communicate until more granular policies are created.
12+
13+
.Prerequisites
14+
15+
* You have created the `deny-by-default` network policy and applied it to a project.
16+
* You have created an `internet-access` network policy and applied it to a project.
17+
18+
.Procedure
19+
20+
. Create a new project, for example, `project-c`, by running the following command:
21+
+
22+
[source,terminal]
23+
----
24+
$ oc new-project project-c
25+
----
26+
27+
. In the `project-c` namespace, create a new pod by running the following command:
28+
+
29+
[source,terminal]
30+
----
31+
$ cat <<EOF | oc apply -f - -n project-c
32+
apiVersion: v1
33+
kind: Pod
34+
metadata:
35+
name: busybox-pod
36+
labels:
37+
app: busybox
38+
spec:
39+
containers:
40+
- name: busybox
41+
image: alpine:latest # Switch to alpine, which includes curl
42+
command: [ "sleep", "3600" ]
43+
securityContext:
44+
runAsNonRoot: true # Ensure non-root user
45+
allowPrivilegeEscalation: false
46+
capabilities:
47+
drop:
48+
- "ALL"
49+
seccompProfile:
50+
type: "RuntimeDefault"
51+
EOF
52+
----
53+
54+
. In the `project-a` namespace:
55+
56+
.. Create the following `allow-ingress-from-new` network policy, which allows pods in this project the ability to receive ingress from a new project:
57+
+
58+
[source,yaml]
59+
----
60+
apiVersion: networking.k8s.io/v1
61+
kind: NetworkPolicy
62+
metadata:
63+
name: allow-ingress-from-new
64+
spec:
65+
podSelector: {}
66+
policyTypes:
67+
- Ingress
68+
ingress:
69+
- from:
70+
- podSelector:
71+
matchLabels:
72+
networking/allow-all-connections: "true"
73+
----
74+
75+
.. Apply the network policy by entering the following command:
76+
+
77+
[source,terminal]
78+
----
79+
$ oc apply -f allow-ingress-from-new.yaml -n <project_a>
80+
----
81+
82+
.. Create the following `allow-ingress-to-new` network policy, which allows pods in this project the ability to send ingress to a new project:
83+
+
84+
[source,yaml]
85+
----
86+
apiVersion: networking.k8s.io/v1
87+
kind: NetworkPolicy
88+
metadata:
89+
name: allow-ingress-to-new
90+
spec:
91+
podSelector:
92+
matchLabels:
93+
networking/allow-all-connections: "true"
94+
policyTypes:
95+
- Ingress
96+
ingress:
97+
- from:
98+
- podSelector: {}
99+
----
100+
101+
.. Apply the network policy by entering the following command:
102+
+
103+
[source,terminal]
104+
----
105+
$ oc apply -f allow-ingress-tp-new.yaml -n <project_a>
106+
----
107+
108+
.. Apply the `networking/allow-all-connections=true` to pods in `project-a` that you want to be able to communicate with pods in `project-c` by running the following command:
109+
+
110+
[source,terminal]
111+
----
112+
$ oc label pod <pod_name> networking/allow-all-connections=true -n <project_a>
113+
----
114+
115+
. In the `project-c` namespace:
116+
117+
.. Create the following `allow-ingress-from-new` network policy, which allows pods in this project the ability to receive ingress from a new project:
118+
+
119+
[source,yaml]
120+
----
121+
apiVersion: networking.k8s.io/v1
122+
kind: NetworkPolicy
123+
metadata:
124+
name: allow-ingress-from-new
125+
spec:
126+
podSelector: {}
127+
policyTypes:
128+
- Ingress
129+
ingress:
130+
- from:
131+
- podSelector:
132+
matchLabels:
133+
networking/allow-all-connections: "true"
134+
----
135+
136+
.. Apply the network policy by entering the following command:
137+
+
138+
[source,terminal]
139+
----
140+
$ oc apply -f allow-ingress-from-new.yaml -n project_c
141+
----
142+
143+
.. Create the following `allow-ingress-to-new` network policy, which allows pods in this project the ability to send ingress to a new project:
144+
+
145+
[source,yaml]
146+
----
147+
apiVersion: networking.k8s.io/v1
148+
kind: NetworkPolicy
149+
metadata:
150+
name: allow-ingress-to-new
151+
spec:
152+
podSelector:
153+
matchLabels:
154+
networking/allow-all-connections: "true"
155+
policyTypes:
156+
- Ingress
157+
ingress:
158+
- from:
159+
- podSelector: {}
160+
----
161+
162+
.. Apply the network policy by entering the following command:
163+
+
164+
[source,terminal]
165+
----
166+
$ oc apply -f allow-ingress-tp-new.yaml -n project_c
167+
----
168+
169+
.. Apply the `networking/allow-all-connections=true` to pods in `project-c` that you want to be able to communicate with pods in `project-a` by running the following command:
170+
+
171+
[source,terminal]
172+
----
173+
$ oc label pod busybox-pod networking/allow-all-connections=true -n project_c
174+
----
175+
176+
.Verification
177+
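Review bot: the `allow-ingress-from-new` policies (new lines 60-73 and 121-134) do not admit cross-project traffic: a `from` entry that contains only a `podSelector` matches pods in the policy's own namespace, so the rule accepts traffic from labeled pods in the same project and nothing from `project-c` reaches `project-a`; each `from` entry needs a `namespaceSelector` alongside the `podSelector` (both in the same list item, so they are ANDed) to match labeled pods in the other namespace. Likewise, an Ingress-type policy in `project-a` cannot give its pods "the ability to send ingress to a new project" (lines 82 and 143); `allow-ingress-to-new` actually lets the labeled pods receive traffic from every pod in the same namespace, and the description should say that. Smaller points: `-n project_c` (lines 140, 166, 173) is not a valid namespace name (underscores are not allowed) and does not match the `project-c` created in step 1; `allow-ingress-tp-new.yaml` (lines 105, 166) should be `allow-ingress-to-new.yaml`; the sub-steps say "Create the following ... network policy" but never tell the reader to save it under the file name the `oc apply` command reads; the comment on line 41 is inaccurate, `alpine:latest` does not ship curl (it has BusyBox wget; curl needs `apk add curl`); line 9 has typos ("if you adding a third project to you cluster"); and the `.Verification` title on line 176 has no content.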
Lines changed: 85 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,85 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * networking/network_security/network_policy/creating-network-policy.adoc
4+
5+
:_mod-docs-content-type: PROCEDURE
6+
[id="nw-networkpolicy-configuring-internet-egress-pods_{context}"]
7+
= Configuring internet egress for pods
8+
9+
With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace will need the able to reach external traffic.
10+
11+
The following procedure shows you how to designate labels to pods that require internet egress.
12+
13+
.Prerequisites
14+
15+
* You have created a network policy to deny all egress traffic.
16+
.Procedure
17+
18+
. Create the following `internet-egress.yaml` file that both defines a network policy that allows traffic from pods with the matching label to access internet egress. For example:
19+
+
20+
[source,yaml]
21+
----
22+
apiVersion: networking.k8s.io/v1
23+
kind: NetworkPolicy
24+
metadata:
25+
name: internet-egress
26+
spec:
27+
podSelector:
28+
matchLabels:
29+
networking/allow-internet-egress: "true" <1>
30+
egress:
31+
- {}
32+
policyTypes:
33+
- Egress
34+
----
35+
36+
. Apply the network policy by entering the following command:
37+
+
38+
[source,terminal]
39+
----
40+
$ oc apply -f internet-egress.yaml -n <namespace_a>
41+
----
42+
+
43+
.Example output
44+
+
45+
[source,terminal]
46+
----
47+
networkpolicy.networking.k8s.io/internet-egress created
48+
----
49+
+
50+
Repeat this step for each namespace that requires this network policy.
51+
52+
. Apply the `allow-internet-egress` label to pods that require egress by entering the following command:
53+
+
54+
[source,terminal]
55+
----
56+
$ oc label pod <pod_name> networking/allow-internet-egress=true -n <namespace_a>
57+
----
58+
+
59+
.Example output
60+
+
61+
[source,terminal]
62+
----
63+
pod/<pod_name> labeled
64+
----
65+
+
66+
Repeat this step for each pod that requires internet egress.
67+
68+
.Verification
69+
70+
* Check whether a labeled pod in a namespace where you applied the `internet-egress.yaml` network policy can resolve a DNS name by entering the following command:
71+
+
72+
[source,terminal]
73+
----
74+
$ oc exec -it <pod_name> -n <namespace_a> -- nslookup google.com
75+
----
76+
+
77+
.Example output
78+
+
79+
[source,terminal]
80+
----
81+
...
82+
Name: google.com
83+
Address: 142.250.125.102
84+
...
85+
----
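Review bot: `internet-egress` allows all egress, not only internet egress: `egress: - {}` (new lines 30-31) permits traffic to every destination, including pods and services in other namespaces, so a labeled pod bypasses whatever in-cluster restriction the deny-all egress policy was meant to impose. If internet-only is the intent, give the rule a `to:` clause with an `ipBlock` of `0.0.0.0/0` and `except:` entries for the cluster network and service CIDRs, plus a rule allowing UDP and TCP port 53 to the cluster DNS pods (on OpenShift the `dns-default` pods listen on 5353), since name resolution would otherwise be blocked. The verification step only shows that a labeled pod can resolve a name through the cluster DNS service; it should also show that an unlabeled pod in the same namespace fails, which is the property the policy is meant to enforce. Minor: there is no blank line between the prerequisite list item and `.Procedure` (lines 15-16), so AsciiDoc treats `.Procedure` as continuation text of the list item; "need the able to reach external traffic" on line 9; and "both defines a network policy" on line 18 reads like a leftover from an earlier draft.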
Lines changed: 52 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,52 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
4+
5+
:_mod-docs-content-type: REFERENCE
6+
[id="nw-networkpolicy-cross-namespace-communication_{context}"]
7+
= Creating a network policy for cross-namespace communication
8+
9+
To allow pod-to-pod communication across namespaces, you must create a label for the primary namespace and add a `namespaceSelector` query and a `podSelector` query.
10+
11+
.Prerequisites
12+
13+
* You have created the `deny-by-default` network policy and applied it to all necessary namespaces.
14+
* You have created an `internet-access` network policy and applied it to all necessary namespaces.
15+
16+
.Procedure
17+
18+
. Create the following `allow-n1-a-to-n2-b` network policy to allow pods across namespaces to communicate with each other. With this YAML, pods in *Deployment A* in the `N1` namespace can communicate with pods in *Deployment B* in the `N2` namespace. Save the YAML in the `allow-n1-a-to-n2-b` file:
19+
+
20+
[source,yaml]
21+
----
22+
apiVersion: networking.k8s.io/v1
23+
kind: NetworkPolicy
24+
metadata:
25+
name: allow-n1-a-to-n2-b
26+
namespace: project-b
27+
spec:
28+
podSelector:
29+
matchLabels:
30+
app: test # this label goes on pods in project-b
31+
policyTypes:
32+
- Ingress
33+
ingress:
34+
- from:
35+
- namespaceSelector:
36+
matchLabels:
37+
networking/namespace: n1 # label on namespace project-a
38+
podSelector:
39+
matchLabels:
40+
app: test-pod # this label goes on pods in project-a
41+
----
42+
43+
. Apply the `allow-n1-a-to-n2-b` network policy to the `N2` namespace by running the following command:
44+
+
45+
[source,terminal]
46+
----
47+
$ oc apply -f allow-n1-a-to-n2-b.yaml -n <namespace_two>
48+
----
49+
50+
.Verification
51+
52+
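Review bot: the policy hardcodes `namespace: project-b` in `metadata` (new line 26) but is applied with `-n <namespace_two>` (line 47); `oc apply` rejects the object when the two differ, so either drop the `namespace` field or make the apply command target `project-b`. The `namespaceSelector` matches `networking/namespace: n1` (line 37), yet the procedure never labels the namespace although the intro says you "must create a label for the primary namespace"; add a step such as `oc label namespace project-a networking/namespace=n1` before the apply, otherwise the `from` clause matches nothing and the policy admits no traffic, which will look like a broken policy rather than a missing label. Step 1 says to save the YAML "in the `allow-n1-a-to-n2-b` file" while the apply command reads `allow-n1-a-to-n2-b.yaml`; the prose switches between `N1`/`N2`/`Deployment A`/`Deployment B` and `project-a`/`project-b`/`app: test`/`app: test-pod` and should settle on one set of names; and the `.Verification` title on line 50 has no content.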

modules/nw-networkpolicy-deny-all-allowed.adoc

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
// * networking/multiple_networks/configuring-multi-network-policy.adoc
44
// * networking/network_security/network_policy/creating-network-policy.adoc
55
// * microshift_networking/microshift-creating-network-policy.adoc
6+
// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc
67

78
:name: network
89
:role: admin
