Details
-
Story
-
Resolution: Done
-
Normal
-
None
-
None
-
None
-
False
-
None
-
False
-
Needs to be completed for OSD to fully validate OSD-13219
-
Hypershift Sprint 20, Hypershift Sprint 21, Hypershift Sprint 22
-
0
-
0
-
0
Description
Continuing from OSD-13219, we would like to limit the network traffic as much as we can to follow security best practices. The following Network policy should be added to HCP namespaces to limit traffic flow between HCP namespaces (note blocking traffic using ingress network policy for kas was not practical in HOSTEDCP-557):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
annotations:
hypershift.openshift.io/cluster: clusters/kartrosa2-29529
name: kas-egress-block
namespace: clusters-kartrosa2-29529
spec:
podSelector:
matchLabels:
app: kube-apiserver
policyTypes:
- Egress
egress:
- to:
- podSelector: {}
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
The name can be changed to something more appropriate. This has been tested on a test management cluster which had a public loadbalancer kas HCP service and we did not see any functionality affected.
Acceptance Criteria:
- A network policy to block all egress traffic (apart from traffic to openshift-dns) is blocked to limit network flow between HCP namespaces
Attachments
Issue Links
- is triggering
-
-
- Closed
-
- links to
