Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 2. Network policies

A cluster hosts two types of projects:

  • Projects associated with managed services. These projects support inbound and outbound connections.
  • User projects. These projects support communication from managed services.

In OpenShift Dedicated, there are two approaches to enabling communications:

  • Using network policies
  • Using the join-project option of the oc command

In OpenShift API Management, you can use network policies to enable communication and allow 3scale to communicate directly with the service endpoint, instead of the external URL.

You cannot use the join-projects option of the oc command with managed services projects.

2.1. Enabling communication between managed services and customer applications
Copiar o link

You can create NetworkPolicy objects to define granular rules describing the Ingress network traffic that is allowed for projects in your cluster. By default, when you create projects in a cluster, communication between the projects is disabled.

This procedure describes how to enable communication for a project so that managed services, such as 3scale, can access customer applications.

Prerequisites

  • You have installed the OpenShift command-line interface (CLI), commonly known as oc.

Procedure

  1. Log in to the cluster using the oc login command.

  2. Use the following command to change the project: 

    $ oc project <project_name>
    Copy to Clipboard Toggle word wrap

    where <project_name> is the name of a project that you want to accept communications from other projects.

  3. Create a NetworkPolicy object:

    1. Create a allow-from-middleware-namespaces.yaml file.

    2. Define a policy in the file you just created, such as in the following example: 

      apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-middleware-namespaces
spec:
  podSelector:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              integreatly-middleware-service: 'true'
      Copy to Clipboard Toggle word wrap

    3. Run the following command to create the policy object: 

      $ oc create -f allow-from-middleware-namespaces.yaml -n <project>

networkpolicy "allow-from-middleware-namespaces" created
      Copy to Clipboard Toggle word wrap

2.2. Enabling communication between managed services and projects
Copiar o link

By default, when you create projects in a cluster, communication between the projects is disabled. Use this procedure to enable communication in a project.

Prerequisites

  • You have installed the OpenShift command-line interface (CLI), commonly known as oc.

Procedure

  1. Log in to the cluster using the oc login command.

  2. Use the following command to change the project: 

    $ oc project <project_name>
    Copy to Clipboard Toggle word wrap

    where <project_name> is the name of a project that you want to accept communications from other projects.

  3. Create a NetworkPolicy object:

    1. Create a NetworkPolicy.yaml file.

    2. Define a policy in the file you just created, such as in the following example.

      This policy enables incoming communication for all projects in the cluster: 

      kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-all
spec:
  podSelector:
  ingress:
  - {}
      Copy to Clipboard Toggle word wrap
      Note

      This policy configuration enables this project to communicate with all projects in the cluster.

    3. Run the following command to create the policy object: 

      $ oc create -f <policy-name>.yaml -n <project>
      Copy to Clipboard Toggle word wrap

2.3. Enabling communication between customer applications
Copiar o link

You can enable communication between user applications.

Prerequisites

  • You have installed the OpenShift command-line interface (CLI), commonly known as oc.

Procedure

  1. Log in to the cluster using the oc login command.

  2. Use the following command to change the project: 

    $ oc project <project_name>
    Copy to Clipboard Toggle word wrap

    <project_name> is the name of a project that you want to accept communications from.

  3. Create a NetworkPolicy object:

    1. Create a allow-from-myproject-namespace.yaml file.

    2. Define a policy in the file you just created, such as in the following example.

      This policy enables incoming communication for a specific project (myproject): 

      apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-myproject-namespace
spec:
  podSelector:
  ingress:
    - from:
        - namespaceSelector:
             matchLabels:
               project: myproject
      Copy to Clipboard Toggle word wrap

  4. Run the following commands to create the policy object: 

    $ oc create -f allow-from-myproject-namespace.yaml -n <project>
networkpolicy "allow-from-myproject-namespace" created
    Copy to Clipboard Toggle word wrap

2.4. Disabling communication from a managed service to a project
Copiar o link

By default, projects are created with a template that allows communication from a managed service. For example, 3scale can communicate with all of your projects.

You can disable the communication from a managed service to a project.

Prerequisites

  • You have installed the OpenShift command-line interface (CLI), commonly known as oc
  • You have a project you want to isolate from the managed services.

Procedure

  1. Log in to the cluster using the oc login command.

  2. Use the following command to change the project: 

    $ oc project <project_name>
    Copy to Clipboard Toggle word wrap

    where <project_name> is the name of a project that you want to isolate from the managed services.

  3. Create a NetworkPolicy object:

    1. Create a deny-all.yaml file.

    2. Define a policy in the file you just created, such as in the following example: 

      kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-all
spec:
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              integreatly-middleware-service: 'true'
      Copy to Clipboard Toggle word wrap

    3. Run the following command to create the policy object: 

      $ oc create -f <policy-name>.yaml -n <project>
      Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat