OpenShift Request For Enhancement
RFE-1354

Specific label for default namespace if endpoint publishing strategy is HostNetwork

      As of now, the `network.openshift.io/policy-group: ingress` label is not given by default if the endpoint publishing strategy is HostNetwork. The `hostnetwork` pods are not running on the SDN, and the traffic they generate always has VNI 0, so we have to expose the `default` namespace by appending the label `network.openshift.io/policy-group: ingress` in order to allow the incoming connections from different pods while using a NetworkPolicy.

      So it would be great if we could label the default namespace, if that will be the only one with netID 0, with something like `network.openshift.io/policy-group: hostnetwork`, because, for instance, when the operator deploys a product, we need some way to allow traffic from the routers to reach our services in our namespace. At the moment, the way we do this is by allowing traffic from the namespace with the label `network.openshift.io/policy-group: ingress`.

      The network policy looks like this:

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-openshift-ingress
      spec:
        ingress:
        # a single rule: a connection must match BOTH the source selector and
        # the port. If "ports" were a separate "- ports:" list item it would be
        # its own rule with no "from", i.e. it would admit the port from any source.
        - from:
          - namespaceSelector:
              matchLabels:
                network.openshift.io/policy-group: ingress
          ports:
          - protocol: TCP
            port: <port>
        podSelector:
          matchLabels:
            <the right pods>
        policyTypes:
        - Ingress

      The problem we have is that this fails. The definition of that network policy should allow for access from all pods in that namespace, but it does not. And the reason is that the router pods are on the host network - but that means that the NetworkPolicy object is not fulfilling its contract, and the workaround here is to label the default namespace, but that requires that customers take extra steps, and still leaves us opening more network flows than we require, which is not ideal for security.

      Hence, to overcome this issue, it would be great if a default label such as `network.openshift.io/policy-group: hostnetwork` or something similar could be set on the default namespace.
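The workaround described above (labelling the `default` namespace only when the routers publish via HostNetwork), as an added shell example that is not part of this RFE. It assumes the `oc` CLI, the `default` IngressController in `openshift-ingress-operator`, and two names of my own: the `OC` variable (so the CLI can be replaced by a mock offline) and the `APPLY_HOSTNETWORK_LABEL` switch that guards the cluster-changing run.

```shell
#!/bin/sh
# Added example, not from the RFE: detect the case the ticket describes (default
# IngressController publishing via HostNetwork) and apply the workaround label to
# the default namespace only when needed. Assumes the oc CLI; OC may be a mock.
set -eu

OC="${OC:-oc}"
LABEL_KEY="network.openshift.io/policy-group"
LABEL_VALUE="ingress"

# Endpoint publishing strategy type of an IngressController (e.g. HostNetwork).
publishing_strategy() {
  "$OC" get ingresscontroller "${1:-default}" -n openshift-ingress-operator \
    -o jsonpath='{.status.endpointPublishingStrategy.type}'
}

# Current policy-group label value on a namespace; empty when unset.
namespace_policy_group() {
  "$OC" get namespace "$1" \
    -o jsonpath='{.metadata.labels.network\.openshift\.io/policy-group}'
}

# Pure decision: "label" when routers are on the host network and the label is
# missing, "ok" when it is already present, "skip" when routers run on the SDN
# (the ingress namespace then already carries the label by default).
decide_action() {
  if [ "$1" != "HostNetwork" ]; then echo skip
  elif [ "$2" = "$LABEL_VALUE" ]; then echo ok
  else echo label
  fi
}

# Runs the check against the cluster, applies the label if required and prints
# the action taken on stdout (status messages go to stderr).
ensure_default_namespace_label() {
  strategy=$(publishing_strategy default)
  current=$(namespace_policy_group default)
  action=$(decide_action "$strategy" "$current")
  case "$action" in
    label) "$OC" label namespace default "${LABEL_KEY}=${LABEL_VALUE}" >&2 ;;
    ok)    echo "default already carries ${LABEL_KEY}=${LABEL_VALUE}" >&2 ;;
    skip)  echo "strategy is '${strategy}'; no label needed" >&2 ;;
  esac
  echo "$action"
}

# Only touch the cluster when explicitly asked, so the file is safe to source.
if [ "${APPLY_HOSTNETWORK_LABEL:-0}" = "1" ]; then
  ensure_default_namespace_label
fi
```

Run with `APPLY_HOSTNETWORK_LABEL=1 sh check-hostnetwork-label.sh` against a logged-in cluster; the label is only applied when the strategy is HostNetwork and the label is absent.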

            mcurry@redhat.com Marc Curry
            rhn-support-rabdulra Rejeeb Abdul Rahiman (Inactive)