OpenShift Cloud / OCPCLOUD-2978

Develop bespoke network policies for CCM related namespaces


    • Type: Story
    • Resolution: Done
    • Priority: Major
    • Product / Portfolio Work
    • Sprint: CLOUD Sprint 273, CLOUD Sprint 274

      Background

      Based on the content of this guidance, we must provide network policies in 4.20 that will define pod to pod ingress/egress within particular namespaces.

      We need to evaluate all valid connections between ports, create default deny rules, and then add explicit allowances for the inter-pod traffic that is required to keep the system functioning.

      Valid traffic might be:

      • Webhooks
      • Metrics
      • Requests to API servers

      Note that pods running on the host network are not subject to network policies, so any ports they expose or connections they make are unaffected by the policies.

      Notably, for CCM this means that the CCM related namespaces just need default deny rules.

      Steps

      • Review the network policy guidance documentation
      • Set up network policies for the appropriate namespaces
      • Set up the appropriate rules in the network policies
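      The following is an added example, not part of this ticket, of what the default-deny-then-allow approach described above looks like as Kubernetes NetworkPolicy objects; the namespace names and the metrics port are assumptions to be replaced with the real deployment's values.

```yaml
# Added example (not from the ticket): default-deny policies for an assumed
# CCM namespace, following the "deny by default, then allow explicitly" approach.
# Namespace names and the port value are assumptions; adjust to the deployment.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: openshift-cloud-controller-manager   # assumed namespace name
spec:
  # An empty podSelector matches every pod in the namespace.
  podSelector: {}
  # Listing both policy types with no rules denies all ingress and all egress
  # for pods subject to policy. Host-network pods are not affected.
  policyTypes:
    - Ingress
    - Egress
---
# Explicit allowance: let the cluster monitoring stack scrape metrics.
# Any other required traffic (webhooks, API server requests) gets its own
# equally narrow rule; nothing is allowed unless a rule names it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-metrics-from-monitoring
  namespace: openshift-cloud-controller-manager   # assumed namespace name
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-monitoring   # assumed
      ports:
        - protocol: TCP
          port: 8443   # assumed metrics port
```

      Because the policies are additive, the allow rule only widens what the default-deny policy closed; removing the allow rule returns the namespace to fully isolated.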

      Stakeholders

      • Cluster Infra
      • Ben Bennet (networking contact)

      Definition of Done

      • OpenShift deploys network policies for the associated namespaces
      • Docs
      • <Add docs requirements for this card>
      • Testing
      • <Explain testing that will be added>

              Zhaohua Sun (rhn-support-zhsun)
              Joel Speed (joelspeed)
              Votes: 0
              Watchers: 3