Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-2236

Make istio-mesh-full NetworkPolicy optional



    • Story
    • Resolution: Done
    • Major
    • maistra-2.1.1
    • None
    • None
    • None
    • 8
    • Sprint 14


      As descried in https://maistra.io/docs/ossm-vs-community.html#ossm-mt-vs-clusterwide_ossm-vs-istio Maistra creates by default a NetworkPolicy called istio-mesh-full{-install} allowing ingress to all pods from the other members and the control plane.

      This introduces an issue because it overrides any existing NetworkPolicies.

      Imagine that we originally have two namespaces - A and B. Namespace A contains application X and namespace B applications Y,Z. Currently an existing NetworkPolicy allows traffic from A{X} to application B{Y} but not to B{Z}.

      Once namespaces A and B both join the Service Mesh (and get the istio-mesh-full NetworkPolicy) this separation gets overridden and suddenly A{X} has unrestricted access to B{Z}.

      A solution could be to make adding the istio-mesh-full NetworkPolicy optional (can be added by default but opt-out should be possible) so that the existing separation won't be altered. 


      Acceptance Criteria:

      • SMCP option that allows users to disable management of NetworkPolicy resources
        • if NetworkPolicy management is disabled,
          • all NetworkPolicy resources previously created by the operator are deleted,
          • the operator does not creates new NetworkPolicy resources
        • if NetworkPolicy management is enabled (this is the default),
          • the behavior will stay the same as it is today (operator creates NPs in member namespaces)
      • Documentation that explains the potential problems disabling NetworkPolicy management might cause


        Issue Links



              piotr.marcinkowski@s-itsolutions.at Piotr Marcinkowski (Inactive)
              piotr.marcinkowski@s-itsolutions.at Piotr Marcinkowski (Inactive)
              1 Vote for this issue
              13 Start watching this issue