Details
Description
1. Proposed title of this feature request
Feature-Request: Further restricting default NetworkPolicy for multitenant environments
2. What is the nature and description of the request?
When using OpenShift Service Mesh in multitenant environments, it's required to further restrict NetworkPolicy created by default. Currently we only restrict to certain ports. But considering a OpenShift Container Platform - environment with multiple tenants, we can not allow different tenants to access resources from the other tenant, thus requiring the NetworkPolicy to restrict access on additional criteria.
For example, for most resources only members of the same Mesh should have access and thus access should be restricted to these particular namespaces. For IngressController accesss, we need to consider router sharding and hence allow selecting the IngressController where things should be exposed and again only allow access from the same and not all IngressController.
3. Why does the customer need this? (List the business requirements here)
Having restrictive NetworkPolicy is a key requirement in multitenant environments and also financial sector. It's required there to make sure only namespaces required have access to the resources from the Service Mesh Control-Plane and nobody else.
4. List any affected packages or components.
OpenShift Service Mesh Operator
Attachments
Issue Links
- is related to
-
MAISTRA-2236 Make istio-mesh-full NetworkPolicy optional
-
- Closed
-