This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.Este conteúdo não está disponível no idioma selecionado.
Chapter 6. Network policy
6.1. About network policy
As a cluster administrator, you can define network policies that restrict traffic to Pods in your cluster.
6.1.1. About network policy
In a cluster using a Kubernetes Container Network Interface (CNI) plug-in that supports Kubernetes network policy, network isolation is controlled entirely by NetworkPolicy Custom Resource (CR) objects. In OpenShift Container Platform 4.3, OpenShift SDN supports using NetworkPolicy in its default network isolation mode.
						The Kubernetes v1 NetworkPolicy features are available in OpenShift Container Platform except for egress policy types and IPBlock.
					
Network policy does not apply to the host network namespace. Pods with host networking enabled are unaffected by NetworkPolicy object rules.
By default, all Pods in a project are accessible from other Pods and network endpoints. To isolate one or more Pods in a project, you can create NetworkPolicy objects in that project to indicate the allowed incoming connections. Project administrators can create and delete NetworkPolicy objects within their own project.
If a Pod is matched by selectors in one or more NetworkPolicy objects, then the Pod will accept only connections that are allowed by at least one of those NetworkPolicy objects. A Pod that is not selected by any NetworkPolicy objects is fully accessible.
The following example NetworkPolicy objects demonstrate supporting different scenarios:
- Deny all traffic: - To make a project deny by default, add a NetworkPolicy object that matches all Pods but accepts no traffic: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Only allow connections from the OpenShift Container Platform Ingress Controller: - To make a project allow only connections from the OpenShift Container Platform Ingress Controller, add the following NetworkPolicy object: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - If the Ingress Controller is configured with - endpointPublishingStrategy: HostNetwork, then the Ingress Controller Pod runs on the host network. When running on the host network, the traffic from the Ingress Controller is assigned the- netid:0Virtual Network ID (VNID). The- netidfor the namespace that is associated with the Ingress Operator is different, so the- matchLabelin the- allow-from-openshift-ingressnetwork policy does not match traffic from the- defaultIngress Controller. Because the- defaultnamespace is assigned the- netid:0VNID, you can allow traffic from the- defaultIngress Controller by labeling your- defaultnamespace with- network.openshift.io/policy-group: ingress.
- Only accept connections from Pods within a project: - To make Pods accept connections from other Pods in the same project, but reject all other connections from Pods in other projects, add the following NetworkPolicy object: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Only allow HTTP and HTTPS traffic based on Pod labels: - To enable only HTTP and HTTPS access to the Pods with a specific label ( - role=frontendin following example), add a NetworkPolicy object similar to the following:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Accept connections by using both namespace and Pod selectors: - To match network traffic by combining namespace and Pod selectors, you can use a NetworkPolicy object similar to the following: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
NetworkPolicy objects are additive, which means you can combine multiple NetworkPolicy objects together to satisfy complex network requirements.
					For example, for the NetworkPolicy objects defined in previous samples, you can define both allow-same-namespace and allow-http-and-https policies within the same project. Thus allowing the Pods with the label role=frontend, to accept any connection allowed by each policy. That is, connections on any port from Pods in the same namespace, and connections on ports 80 and 443 from Pods in any namespace.
				
6.1.2. Next steps
6.1.3. Additional resources
6.2. Creating a network policy
As a cluster administrator, you can create a network policy for a namespace.
6.2.1. Creating a NetworkPolicy object
To define granular rules describing Ingress network traffic allowed for projects in your cluster, you can create NetworkPolicy objects.
Prerequisites
- 
							Your cluster is using a default CNI network provider that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicyset. This mode is the default for OpenShift SDN.
- 
							You installed the OpenShift CLI (oc).
- 
							You are logged in to the cluster with a user with cluster-adminprivileges.
Procedure
- Create a policy rule: - 
									Create a <policy-name>.yamlfile where<policy-name>describes the policy rule.
- In the file you just created define a policy object, such as in the following example: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a name for the policy object.
 
 
- 
									Create a 
- Run the following command to create the policy object: - oc create -f <policy-name>.yaml -n <project> - $ oc create -f <policy-name>.yaml -n <project>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In the following example, a new NetworkPolicy object is created in a project named - project1:- oc create -f default-deny.yaml -n project1 - $ oc create -f default-deny.yaml -n project1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - networkpolicy "default-deny" created - networkpolicy "default-deny" created- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.2.2. Example NetworkPolicy object
The following annotates an example NetworkPolicy object:
- 1
- Thenameof the NetworkPolicy object.
- 2
- A selector describing the Pods the policy applies to. The policy object can only select Pods in the project that the NetworkPolicy object is defined.
- 3
- A selector matching the Pods that the policy object allows ingress traffic from. The selector will match Pods in any project.
- 4
- A list of one or more destination ports to accept traffic on.
6.3. Viewing a network policy
As a cluster administrator, you can view a network policy for a namespace.
6.3.1. Viewing NetworkPolicy objects
You can list the NetworkPolicy objects in your cluster.
Prerequisites
- 
							You installed the OpenShift CLI (oc).
- 
							You are logged in to the cluster with a user with cluster-adminprivileges.
Procedure
- To view NetworkPolicy objects defined in your cluster, run the following command: - oc get networkpolicy - $ oc get networkpolicy- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.3.2. Example NetworkPolicy object
The following annotates an example NetworkPolicy object:
- 1
- Thenameof the NetworkPolicy object.
- 2
- A selector describing the Pods the policy applies to. The policy object can only select Pods in the project that the NetworkPolicy object is defined.
- 3
- A selector matching the Pods that the policy object allows ingress traffic from. The selector will match Pods in any project.
- 4
- A list of one or more destination ports to accept traffic on.
6.4. Editing a network policy
As a cluster administrator, you can edit an existing network policy for a namespace.
6.4.1. Editing a NetworkPolicy object
You can edit a NetworkPolicy object in a namespace.
Prerequisites
- 
							Your cluster is using a default CNI network provider that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicyset. This mode is the default for OpenShift SDN.
- 
							You installed the OpenShift CLI (oc).
- 
							You are logged in to the cluster with a user with cluster-adminprivileges.
Procedure
- Optional: List the current NetworkPolicy objects. - If you want to list the policy objects in a specific namespace, enter the following command. Replace - <namespace>with the namespace for a project.- oc get networkpolicy -n <namespace> - $ oc get networkpolicy -n <namespace>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you want to list the policy objects for the entire cluster, enter the following command: - oc get networkpolicy --all-namespaces - $ oc get networkpolicy --all-namespaces- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Edit the NetworkPolicy object. - If you saved the NetworkPolicy in a file, edit the file and make any necessary changes, and then enter the following command. Replace - <policy-file>with the name of the file containing the object definition.- oc apply -f <policy-file>.yaml - $ oc apply -f <policy-file>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you need to update the NetworkPolicy object directly, you can enter the following command. Replace - <policy-name>with the name of the NetworkPolicy object and- <namespace>with the name of the project where the object exists.- oc edit <policy-name> -n <namespace> - $ oc edit <policy-name> -n <namespace>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Confirm that the NetworkPolicy object is updated. Replace - <namespace>with the name of the project where the object exists.- oc get networkpolicy -n <namespace> -o yaml - $ oc get networkpolicy -n <namespace> -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.4.2. Example NetworkPolicy object
The following annotates an example NetworkPolicy object:
- 1
- Thenameof the NetworkPolicy object.
- 2
- A selector describing the Pods the policy applies to. The policy object can only select Pods in the project that the NetworkPolicy object is defined.
- 3
- A selector matching the Pods that the policy object allows ingress traffic from. The selector will match Pods in any project.
- 4
- A list of one or more destination ports to accept traffic on.
6.4.3. Additional resources
6.5. Deleting a network policy
As a cluster administrator, you can delete a network policy from a namespace.
6.5.1. Deleting a NetworkPolicy object
You can delete a NetworkPolicy object.
Prerequisites
- 
							You installed the OpenShift CLI (oc).
- 
							You are logged in to the cluster with a user with cluster-adminprivileges.
Procedure
- To delete a NetworkPolicy object, enter the following command. Replace - <policy-name>with the name of the object.- oc delete networkpolicy <policy-name> - $ oc delete networkpolicy <policy-name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
6.6. Creating default network policies for a new project
As a cluster administrator, you can modify the new project template to automatically include NetworkPolicy objects when you create a new project. If you do not yet have a customized template for new projects, you must first create one.
6.6.1. Modifying the template for new projects
As a cluster administrator, you can modify the default project template so that new projects are created using your custom requirements.
To create your own custom project template:
Procedure
- 
							Log in as a user with cluster-adminprivileges.
- Generate the default project template: - oc adm create-bootstrap-project-template -o yaml > template.yaml - $ oc adm create-bootstrap-project-template -o yaml > template.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Use a text editor to modify the generated template.yamlfile by adding objects or modifying existing objects.
- The project template must be created in the - openshift-confignamespace. Load your modified template:- oc create -f template.yaml -n openshift-config - $ oc create -f template.yaml -n openshift-config- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the project configuration resource using the web console or CLI. - Using the web console: - 
											Navigate to the Administration Cluster Settings page. 
- Click Global Configuration to view all configuration resources.
- Find the entry for Project and click Edit YAML.
 
- 
											Navigate to the Administration 
- Using the CLI: - Edit the - project.config.openshift.io/clusterresource:- oc edit project.config.openshift.io/cluster - $ oc edit project.config.openshift.io/cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
 
- Update the - specsection to include the- projectRequestTemplateand- nameparameters, and set the name of your uploaded project template. The default name is- project-request.- Project configuration resource with custom project template - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- After you save your changes, create a new project to verify that your changes were successfully applied.
6.6.2. Adding network policy objects to the new project template
As a cluster administrator, you can add network policy objects to the default template for new projects. OpenShift Container Platform will automatically create all the NetworkPolicy CRs specified in the template in the project.
Prerequisites
- 
							Your cluster is using a default CNI network provider that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicyset. This mode is the default for OpenShift SDN.
- 
							You installed the OpenShift CLI (oc).
- 
							You must log in to the cluster with a user with cluster-adminprivileges.
- You must have created a custom default project template for new projects.
Procedure
- Edit the default template for a new project by running the following command: - oc edit template <project_template> -n openshift-config - $ oc edit template <project_template> -n openshift-config- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Replace - <project_template>with the name of the default template that you configured for your cluster. The default template name is- project-request.
- In the template, add each NetworkPolicy object as an element to the - objectsparameter. The- objectsparameter accepts a collection of one or more objects.- In the following example, the - objectsparameter collection includes several NetworkPolicy objects:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Create a new project to confirm that your network policy objects are created successfully by running the following commands: - Create a new project: - oc new-project <project> - $ oc new-project <project>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Replace<project>with the name for the project you are creating.
 
- Confirm that the network policy objects in the new project template exist in the new project: - oc get networkpolicy - $ oc get networkpolicy NAME POD-SELECTOR AGE allow-from-openshift-ingress <none> 7s allow-from-same-namespace <none> 7s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
6.7. Configuring multitenant mode with network policy
As a cluster administrator, you can configure your network policies to provide multitenant network isolation.
6.7.1. Configuring multitenant isolation using NetworkPolicy
You can configure your project to isolate it from Pods and Services in other project namespaces.
Prerequisites
- 
							Your cluster is using a default CNI network provider that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicyset. This mode is the default for OpenShift SDN.
- 
							You installed the OpenShift CLI (oc).
- 
							You are logged in to the cluster with a user with cluster-adminprivileges.
Procedure
- Create the following NetworkPolicy objects: - A policy named - allow-from-openshift-ingress:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- A policy named - allow-from-openshift-monitoring:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- A policy named - allow-same-namespace:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- If the - defaultIngress Controller configuration has the- spec.endpointPublishingStrategy: HostNetworkvalue set, you must apply a label to the- defaultOpenShift Container Platform namespace to allow network traffic between the Ingress Controller and the project:- Determine if your - defaultIngress Controller uses the- HostNetworkendpoint publishing strategy:- oc get --namespace openshift-ingress-operator ingresscontrollers/default \ --output jsonpath='{.status.endpointPublishingStrategy.type}'- $ oc get --namespace openshift-ingress-operator ingresscontrollers/default \ --output jsonpath='{.status.endpointPublishingStrategy.type}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If the previous command reports the endpoint publishing strategy as - HostNetwork, set a label on the- defaultnamespace:- oc label namespace default 'network.openshift.io/policy-group=ingress' - $ oc label namespace default 'network.openshift.io/policy-group=ingress'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Confirm that the NetworkPolicy object exists in your current project by running the following command: - oc get networkpolicy <policy-name> -o yaml - $ oc get networkpolicy <policy-name> -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In the following example, the - allow-from-openshift-ingressNetworkPolicy object is displayed:- oc get -n project1 networkpolicy allow-from-openshift-ingress -o yaml - $ oc get -n project1 networkpolicy allow-from-openshift-ingress -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow