Story
Resolution: Unresolved
Critical
NetObserv - Sprint 251, NetObserv - Sprint 252, NetObserv - Sprint 253
A network policy is provided as an example here: https://github.com/netobserv/documents/blob/main/examples/lockdown-netobserv.yaml
We should make the operator able to deploy such a policy, via a config flag enabled by default.
This example policy should work when all netobserv workloads are deployed in the same namespace (or in the *-privileged namespace for the agents), but for this task we should cover more cases, such as when Loki or Kafka are deployed in other namespaces.
When possible, the operator should detect which namespaces are used and automatically include them in the generated policy (e.g. by reading the LokiStack config).
So the new spec would be like:
.spec.deployNetworkPolicy.enable bool // default true
.spec.deployNetworkPolicy.additionalNamespaces []string // default [openshift-console, openshift-monitoring]
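As an added illustration (not the netobserv operator's code, nor the content of the linked lockdown-netobserv.yaml), the following Go sketch shows how an operator could build the lockdown NetworkPolicy from the proposed spec fields plus namespaces it detected itself. The types are minimal stand-ins for networking.k8s.io/v1 so the file builds with the standard library only; the function names, the `detected` input and the sample namespaces `example-loki` and `example-kafka` are hypothetical.

```go
// Added example: generate a lockdown NetworkPolicy from .spec.deployNetworkPolicy.
// Types are stand-ins for networking.k8s.io/v1; names here are hypothetical.
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// DeployNetworkPolicy mirrors the proposed spec fields.
type DeployNetworkPolicy struct {
	Enable               bool     `json:"enable"`
	AdditionalNamespaces []string `json:"additionalNamespaces,omitempty"`
}

// DefaultAdditionalNamespaces is the proposed default for additionalNamespaces.
var DefaultAdditionalNamespaces = []string{"openshift-console", "openshift-monitoring"}

type LabelSelector struct {
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
}
type NetworkPolicyPeer struct {
	NamespaceSelector *LabelSelector `json:"namespaceSelector,omitempty"`
}
type NetworkPolicyIngressRule struct {
	From []NetworkPolicyPeer `json:"from"`
}
type NetworkPolicySpec struct {
	PodSelector LabelSelector              `json:"podSelector"`
	PolicyTypes []string                   `json:"policyTypes"`
	Ingress     []NetworkPolicyIngressRule `json:"ingress,omitempty"`
}
type NetworkPolicy struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   map[string]string `json:"metadata"`
	Spec       NetworkPolicySpec `json:"spec"`
}

// AllowedNamespaces returns the sorted, de-duplicated namespaces allowed to reach
// pods in ns: ns itself, <ns>-privileged (agents), the configured or default
// additional namespaces, and whatever the operator detected (hypothetical input,
// e.g. the namespace of the referenced LokiStack). An explicitly empty
// additionalNamespaces list means "no extras"; only nil falls back to the defaults.
func AllowedNamespaces(ns string, spec DeployNetworkPolicy, detected []string) []string {
	seen := map[string]bool{}
	var out []string
	add := func(n string) {
		if n == "" || seen[n] {
			return
		}
		seen[n] = true
		out = append(out, n)
	}
	add(ns)
	add(ns + "-privileged")
	extra := spec.AdditionalNamespaces
	if extra == nil {
		extra = DefaultAdditionalNamespaces
	}
	for _, n := range extra {
		add(n)
	}
	for _, n := range detected {
		add(n)
	}
	sort.Strings(out)
	return out
}

// BuildNetworkPolicy returns an ingress policy selecting every pod in ns that
// only admits traffic from the allowed namespaces (everything else is denied by
// the presence of the policy), or nil when the flag is off. Namespaces are matched
// on kubernetes.io/metadata.name, which recent Kubernetes sets on every namespace.
func BuildNetworkPolicy(ns string, spec DeployNetworkPolicy, detected []string) *NetworkPolicy {
	if !spec.Enable {
		return nil
	}
	var peers []NetworkPolicyPeer
	for _, n := range AllowedNamespaces(ns, spec, detected) {
		peers = append(peers, NetworkPolicyPeer{NamespaceSelector: &LabelSelector{
			MatchLabels: map[string]string{"kubernetes.io/metadata.name": n}}})
	}
	return &NetworkPolicy{
		APIVersion: "networking.k8s.io/v1",
		Kind:       "NetworkPolicy",
		Metadata:   map[string]string{"name": "netobserv", "namespace": ns},
		Spec: NetworkPolicySpec{
			PodSelector: LabelSelector{}, // empty selector: all pods in ns
			PolicyTypes: []string{"Ingress"},
			Ingress:     []NetworkPolicyIngressRule{{From: peers}},
		},
	}
}

func main() {
	// Constructed input: pretend Loki and Kafka were detected in other namespaces.
	np := BuildNetworkPolicy("netobserv", DeployNetworkPolicy{Enable: true},
		[]string{"example-loki", "example-kafka", "netobserv"})
	out, _ := json.MarshalIndent(np, "", "  ")
	fmt.Println(string(out))
}
```

The example only emits ingress rules; egress (to the kube API server, or from Loki to S3) is deliberately left out because the ticket lists it as an open question. Note the distinction between a nil and an explicitly empty additionalNamespaces list: it lets a user drop the console and monitoring entries without disabling the policy altogether.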
Open questions:
- What about the kube API server? The current example policy doesn't mention it, but it seems necessary for FLP.
- What about Loki-to-S3 traffic, when Loki is in the same namespace?