Red Hat Summitこのコンテンツは選択した言語では利用できません。
Chapter 2. Network policies
A cluster hosts two types of projects:
- Projects associated with managed services. These projects support inbound and outbound connections.
- User projects. These projects support communication from managed services.
In OpenShift Dedicated, there are two approaches to enabling communications:
- Using network policies
-
Using the
join-projectoption of theoccommand
In OpenShift API Management, you can use network policies to enable communication and allow 3scale to communicate directly with the service endpoint, instead of the external URL.
You cannot use the join-projects option of the oc command with managed services projects.
2.1. Enabling communication between managed services and customer applications
You can create NetworkPolicy objects to define granular rules describing the Ingress network traffic that is allowed for projects in your cluster. By default, when you create projects in a cluster, communication between the projects is disabled.
This procedure describes how to enable communication for a project so that managed services, such as 3scale, can access customer applications.
Prerequisites
-
You have installed the OpenShift command-line interface (CLI), commonly known as
oc.
Procedure
-
Log in to the cluster using the
oclogin command. Use the following command to change the project:
oc project <project_name>
$ oc project <project_name>Copy to Clipboard Copied! where
<project_name>is the name of a project that you want to accept communications from other projects.Create a
NetworkPolicyobject:-
Create a
allow-from-middleware-namespaces.yamlfile. Define a policy in the file you just created, such as in the following example:
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-from-middleware-namespaces spec: podSelector: ingress: - from: - namespaceSelector: matchLabels: integreatly-middleware-service: 'true'apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-from-middleware-namespaces spec: podSelector: ingress: - from: - namespaceSelector: matchLabels: integreatly-middleware-service: 'true'Copy to Clipboard Copied! Run the following command to create the policy object:
oc create -f allow-from-middleware-namespaces.yaml -n <project>
$ oc create -f allow-from-middleware-namespaces.yaml -n <project> networkpolicy "allow-from-middleware-namespaces" createdCopy to Clipboard Copied!
-
Create a
2.2. Enabling communication between managed services and projects
By default, when you create projects in a cluster, communication between the projects is disabled. Use this procedure to enable communication in a project.
Prerequisites
-
You have installed the OpenShift command-line interface (CLI), commonly known as
oc.
Procedure
-
Log in to the cluster using the
oclogin command. Use the following command to change the project:
oc project <project_name>
$ oc project <project_name>Copy to Clipboard Copied! where
<project_name>is the name of a project that you want to accept communications from other projects.Create a NetworkPolicy object:
-
Create a
NetworkPolicy.yamlfile. Define a policy in the file you just created, such as in the following example.
This policy enables incoming communication for all projects in the cluster:
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-all spec: podSelector: ingress: - {}kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: allow-all spec: podSelector: ingress: - {}Copy to Clipboard Copied! NoteThis policy configuration enables this project to communicate with all projects in the cluster.
Run the following command to create the policy object:
oc create -f <policy-name>.yaml -n <project>
$ oc create -f <policy-name>.yaml -n <project>Copy to Clipboard Copied!
-
Create a
2.3. Enabling communication between customer applications
You can enable communication between user applications.
Prerequisites
-
You have installed the OpenShift command-line interface (CLI), commonly known as
oc.
Procedure
-
Log in to the cluster using the
oclogin command. Use the following command to change the project:
oc project <project_name>
$ oc project <project_name>Copy to Clipboard Copied! <project_name>is the name of a project that you want to accept communications from.Create a NetworkPolicy object:
-
Create a
allow-from-myproject-namespace.yamlfile. Define a policy in the file you just created, such as in the following example.
This policy enables incoming communication for a specific project (
myproject):apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-from-myproject-namespace spec: podSelector: ingress: - from: - namespaceSelector: matchLabels: project: myprojectapiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-from-myproject-namespace spec: podSelector: ingress: - from: - namespaceSelector: matchLabels: project: myprojectCopy to Clipboard Copied!
-
Create a
Run the following commands to create the policy object:
oc create -f allow-from-myproject-namespace.yaml -n <project>
$ oc create -f allow-from-myproject-namespace.yaml -n <project> networkpolicy "allow-from-myproject-namespace" createdCopy to Clipboard Copied!
2.4. Disabling communication from a managed service to a project
By default, projects are created with a template that allows communication from a managed service. For example, 3scale can communicate with all of your projects.
You can disable the communication from a managed service to a project.
Prerequisites
-
You have installed the OpenShift command-line interface (CLI), commonly known as
oc - You have a project you want to isolate from the managed services.
Procedure
-
Log in to the cluster using the
oclogin command. Use the following command to change the project:
oc project <project_name>
$ oc project <project_name>Copy to Clipboard Copied! where
<project_name>is the name of a project that you want to isolate from the managed services.Create a NetworkPolicy object:
-
Create a
deny-all.yamlfile. Define a policy in the file you just created, such as in the following example:
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: deny-all spec: podSelector: {} ingress: - from: - namespaceSelector: matchLabels: integreatly-middleware-service: 'true'kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: deny-all spec: podSelector: {} ingress: - from: - namespaceSelector: matchLabels: integreatly-middleware-service: 'true'Copy to Clipboard Copied! Run the following command to create the policy object:
oc create -f <policy-name>.yaml -n <project>
$ oc create -f <policy-name>.yaml -n <project>Copy to Clipboard Copied!
-
Create a
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}