Details
-
Story
-
Resolution: Done
-
Major
-
None
-
None
-
None
-
8
-
False
-
False
-
Compatibility/Configuration, User Experience
-
Undefined
-
Sprint 14
Description
As descried in https://maistra.io/docs/ossm-vs-community.html#ossm-mt-vs-clusterwide_ossm-vs-istio Maistra creates by default a NetworkPolicy called istio-mesh-full{-install} allowing ingress to all pods from the other members and the control plane.
This introduces an issue because it overrides any existing NetworkPolicies.
Imagine that we originally have two namespaces - A and B. Namespace A contains application X and namespace B applications Y,Z. Currently an existing NetworkPolicy allows traffic from A{X} to application B{Y} but not to B{Z}.
Once namespaces A and B both join the Service Mesh (and get the istio-mesh-full NetworkPolicy) this separation gets overridden and suddenly A{X} has unrestricted access to B{Z}.
A solution could be to make adding the istio-mesh-full NetworkPolicy optional (can be added by default but opt-out should be possible) so that the existing separation won't be altered.
Acceptance Criteria:
- SMCP option that allows users to disable management of NetworkPolicy resources
- if NetworkPolicy management is disabled,
- all NetworkPolicy resources previously created by the operator are deleted,
- the operator does not creates new NetworkPolicy resources
- if NetworkPolicy management is enabled (this is the default),
- the behavior will stay the same as it is today (operator creates NPs in member namespaces)
- if NetworkPolicy management is disabled,
- Documentation that explains the potential problems disabling NetworkPolicy management might cause
Attachments
Issue Links
- is documented by
-
-
- Closed
-
-
OSSM-2913 Make NetworkPolicy optional
-
- Closed
-
- is duplicated by
-
-
- Closed
-
- relates to
-
-
- Closed
-
