Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 1. Understanding network policy APIs
Network policy is defined using both cluster-scoped and namespace-scoped network policy APIs. By defining network policy across these different levels, you can create sophisticated network security configurations for your clusters, including full multi-tenant isolation.
1.1. Network policies and their scope
- Cluster-scoped network policy
Cluster and network administrators can use the AdminNetworkPolicy to define network policy at the cluster level. The AdminNetworkPolicy feature consists of two APIs: the
AdminNetworkPolicyAPI andBaselineAdminNetworkPolicyAPI. These APIs are used to set rules that can be applied to the entire cluster, or delegated to the namespace-scopedNetworkPolicy.Policies defined using the
AdminNetworkPolicyAPI take precedence over all other policy types when set to "Allow" or "Deny". However, administrators can also use "Pass" to delegate responsibility for a given policy to the namespace-scopedNetworkPolicyto allow application developers and namespace tenants to control specific aspects of network security for their projects.Policies defined using the
BaselineAdminNetworkPolicyAPI apply only when no other network policy overrides them. When you use theAdminNetworkPolicyAPI to delegate an aspect of network policy to the namespace-scopedNetworkPolicy, you should also define a sensible minimum restriction in theBaselineAdminNetworkPolicy. This ensures a baseline level of network security at the cluster level in case theNetworkPolicyfor a namespace does not provide sufficient protection.- Namespace-scoped network policy
-
Application developers and namespace tenants can use the
NetworkPolicyAPI to define network policy rules for a specific namespace. Rules in theNetworkPolicyfor a namespace take precedence over cluster-wide rules configured using the BaselineAdminNetworkPolicy API, or for a cluster-wide rule that that has been delegated or "passed" from the cluster-wideAdminNetworkPolicyAPI.
1.2. How network policy is evaluated and applied
When a network connection is established, the network provider (default: OVN-Kubernetes) checks the connection details against network policy rules to determine how to handle the connection.
OVN-Kubernetes evaluates connections against network policy objects in the following order:
Check for matches in the AdminNetworkPolicy tier.
-
If a connection matches an
AlloworDenyrule, follow that rule and stop evaluating. -
If a connection matches a
Passrule, move to the NetworkPolicy tier.
-
If a connection matches an
Check for matches in the NetworkPolicy tier.
- If a connection matches a rule, follow that rule and stop evaluating.
- If no match is found, move to the BaselineAdminNetworkPolicy tier.
- Follow a matching rule in the BaselineAdminNetworkPolicy tier.
Figure 1.1. Evaluation of network policies by OVN-Kubernetes
1.3. Key differences between AdminNetworkPolicy and NetworkPolicy custom resources
The following table explains key differences between the cluster scoped AdminNetworkPolicy API and the namespace scoped NetworkPolicy API.
| Policy elements | AdminNetworkPolicy | NetworkPolicy |
|---|---|---|
| Applicable user | Cluster administrator or equivalent | Namespace owners |
| Scope | Cluster | Namespace |
| Drop traffic |
Supported with an explicit |
Supported via implicit |
| Delegate traffic |
Supported with an | Not applicable. |
| Allow traffic |
Supported with an explicit | The default action for all rules is to allow. |
| Rule precedence within the policy | Depends on the order in which they appear within an ANP. The higher the rule’s position the higher the precedence. | Rules are additive. |
| Policy precedence |
Among ANPs the | There is no policy ordering between policies. |
| Feature precedence | Evaluated first via tier 1 ACL and BANP is evaluated last via tier 3 ACL. | Enforced after ANP and before BANP, they are evaluated in tier 2 of the ACL. |
| Matching pod selection | Can apply different rules across namespaces. | Can apply different rules across pods in single namespace. |
| Cluster egress traffic |
Supported via |
Supported through |
| Cluster ingress traffic | Not supported. | Not supported. |
| Fully qualified domain names (FQDN) peer support | Not supported. | Not supported. |
| Namespace selectors |
Supports advanced selection of Namespaces with the use of |
Supports label based namespace selection with the use of |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}