Add support for NetworkPolicy

Question

Add support for NetworkPolicy

gysel opened this issue 3 years ago · comments

I'd like to use a NetworkPolicy to restrict access from the default namespace into my project's namespace.

I use the following policy to allow the Router to send traffic to a set of pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: openshift-router-nginx
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: default
  podSelector:
    matchLabels:
      component: nginx
  policyTypes:
  - Ingress

Unfortunately the exposer pods in the projects namespace to not contain labels I can use to set up a NetworkPolicy. The only option I have is to allow traffic to all pods from the default namespace.

Labels:             app=exposer-6kro17vt8umfvlbh0huarjn5a5q341g2epo70mj4m6nh1oqtlh10

I would suggest to add a new label component=acme (or similar) to allow the definition of a NetworkPolicy like the following.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: openshift-router-acme
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: default
  podSelector:
    matchLabels:
      component: acme
  policyTypes:
  - Ingress

@tnozicka

Hubert FONGARNAND commented 3 years ago

/reopen.

Michi Gysel · Answer 1 · Thu Jan 28 2021 17:52:12 GMT+0800 (China Standard Time)

PR #125 would solve it as well, but unfortunately it has not been merged.

Hubert FONGARNAND · Answer 2 · Tue Feb 16 2021 16:44:59 GMT+0800 (China Standard Time)

Yes, i've created this branch, with this little changes. I don't know why it has not been merged...

OpenShift Bot · Answer 3 · Mon May 17 2021 21:28:47 GMT+0800 (China Standard Time)

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

OpenShift Bot · Answer 4 · Thu Jun 17 2021 01:09:29 GMT+0800 (China Standard Time)

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

OpenShift Bot · Answer 5 · Sat Jul 17 2021 21:58:03 GMT+0800 (China Standard Time)

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci · Answer 6 · Sat Jul 17 2021 21:58:04 GMT+0800 (China Standard Time)

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.