Bug
Resolution: Unresolved
4.22
Description of problem:
We should clarify to users that OCP itself does not set any
NetworkPolicy for egress routers, meaning that by default, an egress
router can be accessed by pods in any namespace. If the user wants to
restrict who can access the egress router, they should create a
NetworkPolicy in the same namespace as the egress router, like so:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: egress-router-policy
spec:
  podSelector:
    matchLabels:
      app: egress-router-cni
  ingress:
  # Allow pods in namespace "foo" to access port 8080
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: foo
    ports:
    - port: 8080
  # Allow all pods to access port 9090
  - ports:
    - port: 9090
  # Nothing else is allowed

Version-Release number of selected component (if applicable):
All OCP versions
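
The following is an added example, not part of the original report or of OCP: a simplified Python model of how the NetworkPolicy ingress rules above are evaluated, showing both the default-open case (no policy selects the egress router pod) and the restricted case. The namespace name `egress-ns`, the helper names, and the restriction to `matchLabels`, `namespaceSelector` peers and numeric ports are assumptions made for illustration.

```python
# Simplified model of NetworkPolicy ingress evaluation (illustration only).
# Assumptions: matchLabels selectors, namespaceSelector peers, numeric ports, one protocol.

def labels_match(selector, labels):
    """An empty selector matches everything; else every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, pod_ns, pod_labels, src_ns_labels, port):
    """True if a pod in a namespace labelled src_ns_labels may reach the target pod on port."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == pod_ns
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and labels_match(p["spec"].get("podSelector", {}), pod_labels)]
    if not selecting:
        return True  # no policy selects the pod: all ingress is allowed (the default)
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            ports = rule.get("ports", [])
            port_ok = not ports or any(p.get("port") in (None, port) for p in ports)
            peers = rule.get("from", [])
            peer_ok = not peers or any(
                "namespaceSelector" in peer
                and labels_match(peer["namespaceSelector"], src_ns_labels)
                for peer in peers)
            if port_ok and peer_ok:
                return True
    return False  # the pod is selected, but no rule matched this source and port

def ns(name):
    """Labels of a namespace called name (Kubernetes sets this label automatically)."""
    return {"kubernetes.io/metadata.name": name}

NS = "egress-ns"                        # constructed namespace name
ROUTER = {"app": "egress-router-cni"}   # pod label taken from the policy above
POLICY = {                              # the policy from the report, as a dict
    "metadata": {"name": "egress-router-policy", "namespace": NS},
    "spec": {
        "podSelector": {"matchLabels": {"app": "egress-router-cni"}},
        "ingress": [
            {"from": [{"namespaceSelector": {"matchLabels": ns("foo")}}],
             "ports": [{"port": 8080}]},
            {"ports": [{"port": 9090}]},
        ],
    },
}

if __name__ == "__main__":
    for src, port in [("foo", 8080), ("bar", 8080), ("bar", 9090), ("foo", 22)]:
        print(src, port, ingress_allowed([POLICY], NS, ROUTER, ns(src), port))
```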