Story
Resolution: Done
Critical
The Network Observability operator is now able to deploy network policies to the namespaces used by the netobserv components. This policy restricts the ingress traffic.
5
Sprints: NetObserv - Sprint 251, NetObserv - Sprint 252, NetObserv - Sprint 253, NetObserv - Sprint 254, NetObserv - Sprint 255, NetObserv - Sprint 256, NetObserv - Sprint 257
A network policy is provided as an example here: https://github.com/netobserv/documents/blob/main/examples/lockdown-netobserv.yaml
We should make the operator able to deploy such a policy, via a config flag that is enabled by default.
This example policy should work when all netobserv workloads are deployed in the same namespace (or in the *-privileged namespace for agents), but for this task we should cover more cases, such as when Loki or Kafka are deployed in other namespaces.
When possible, the operator should detect which namespaces are used and automatically include them in the generated policy (e.g. by using the LokiStack config).
So the new spec would be like:
.spec.deployNetworkPolicy.enable bool // default true
.spec.deployNetworkPolicy.additionalNamespaces []string // default [openshift-console, openshift-monitoring]
Open questions:
- what about the kube API server? The current policy example doesn't mention it, however it seems necessary for FLP?
- what about Loki-to-S3, when Loki is in the same namespace?
=> answer: we currently limit this to an ingress-only policy, so no need for kube API / export rules
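As an added illustration (not the policy from the linked document and not the operator's generated output), this is the shape of ingress-only policy the spec above describes with its defaults; the namespace names netobserv and netobserv-privileged are assumptions:

```yaml
# Added example: ingress-only policy for the main netobserv namespace, matching
# .spec.deployNetworkPolicy.enable=true and the default
# additionalNamespaces=[openshift-console, openshift-monitoring].
# Assumed namespaces: netobserv (main components), netobserv-privileged (eBPF agents).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: netobserv
  namespace: netobserv
spec:
  podSelector: {}                 # every pod in the namespace is protected
  policyTypes:
  - Ingress                       # ingress only: egress (Loki to S3, kube API, exporters) is untouched
  ingress:
  - from:
    - podSelector: {}             # traffic between pods of the same namespace
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: netobserv-privileged   # agents -> flowlogs-pipeline
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-console      # console -> console plugin
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-monitoring   # Prometheus scraping
```

Each entry of additionalNamespaces (or a namespace the operator detects from the LokiStack config) would become one more namespaceSelector entry; anything not listed is denied ingress to the netobserv pods.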
Links to: RHSA-2024:135231 Network Observability 1.7.0 for OpenShift