Story
Resolution: Done
Major
Product / Portfolio Work
3
CLOUD Sprint 273, CLOUD Sprint 274, CLOUD Sprint 275
Background
Based on the content of this guidance, we must provide network policies in 4.20 that define pod-to-pod ingress and egress within particular namespaces.
We need to evaluate every valid connection between ports, create default deny rules, and then add explicit allowances only for the inter-pod traffic required to keep the system functioning.
Valid traffic might be:
- Webhooks
- Metrics
- Requests to API servers
Note that pods on the host network are not affected by network policies, so any ports they expose or connections they make will not be governed by these policies.
Steps
- Review the network policy guidance documentation
- Set up network policies for the appropriate namespaces
- Set up the appropriate rules in the network policies
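A minimal set of policies of the kind the steps above call for, added here as an example (not from this ticket or any OpenShift repository): a namespace-wide default deny, then explicit allowances for webhook and metrics ingress and for API server and DNS egress. The namespace name, the pod label and the 9443/8443 ports are assumptions.

```yaml
# Added example, not from this ticket. Assumptions: namespace "example-operator",
# operator pods labelled app=example-operator, webhook on TCP 9443, metrics on
# TCP 8443 scraped from the openshift-monitoring namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: example-operator
spec:
  podSelector: {}                  # every pod in the namespace
  policyTypes: [Ingress, Egress]   # listed with no rules: deny both directions
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-webhook-and-metrics-ingress
  namespace: example-operator
spec:
  podSelector:
    matchLabels: {app: example-operator}
  policyTypes: [Ingress]
  ingress:
    # Webhook: no 'from' because the caller is the kube-apiserver, which is
    # host-networked and so cannot be selected by pod or namespace labels.
    - ports: [{protocol: TCP, port: 9443}]
    # Metrics: only Prometheus in openshift-monitoring may scrape.
    - from:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: openshift-monitoring}
      ports: [{protocol: TCP, port: 8443}]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-apiserver-dns
  namespace: example-operator
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    # Policies are evaluated after service NAT, so match the backend ports:
    # kube-apiserver listens on 6443, OpenShift's CoreDNS pods on 5353.
    - ports: [{protocol: TCP, port: 6443}]
    - to:
        - namespaceSelector:
            matchLabels: {kubernetes.io/metadata.name: openshift-dns}
      ports: [{protocol: UDP, port: 5353}, {protocol: TCP, port: 5353}]
```

The DNS egress rule is not optional: once egress is default-denied, pods can no longer resolve the `kubernetes.default` service name, so API server traffic fails before the 6443 allowance is ever reached.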
Stakeholders
- Cluster Infra
- Ben Bennet (networking contact)
Definition of Done
- OpenShift deploys network policies for the associated namespaces
- Docs
- <Add docs requirements for this card>
- Testing
- <Explain testing that will be added>
clones: OCPCLOUD-2979 Develop bespoke network policies for CAPI namespaces (Closed)