- Feature Request
- Resolution: Done
- Major
As of now, the `network.openshift.io/policy-group: ingress` label is not applied by default when the endpoint publishing strategy is HostNetwork. The `hostnetwork` pods do not run on the SDN, and the traffic they generate always carries VNI 0, so in order to allow incoming connections from these pods while using a NetworkPolicy we have to expose the `default` namespace by adding the label `network.openshift.io/policy-group: ingress` to it.
So it would be great if the default namespace could be labelled out of the box, given that it will be the only one with netID 0, with something like `network.openshift.io/policy-group: hostnetwork`. For instance, when the operator deploys a product, we need some way to allow traffic from the routers to reach our services in our namespace. At the moment, we do this by allowing traffic from the namespace carrying the label `network.openshift.io/policy-group: ingress`.
The network policy looks like this:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
    # ports belong to the same rule as `from`; a separate rule carrying only
    # `ports` would admit traffic from every source on that port
    ports:
    - protocol: TCP
      port: <port>
  podSelector:
    matchLabels:
      <the right pods>
  policyTypes:
  - Ingress
The problem is that this fails. The definition of that network policy should allow access from all pods in that namespace, but it does not, because the router pods are on the host network. That means the NetworkPolicy object is not fulfilling its contract. The workaround is to label the default namespace, but that requires customers to take extra steps, and it still opens more network flows than we require, which is not ideal for security.
Hence, to overcome this issue, it would be great if a default label such as `network.openshift.io/policy-group: hostnetwork` (or something like it) were applied to the default namespace.
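As an added check, not part of this ticket or of OpenShift itself, the script below audits a parsed NetworkPolicy manifest (a Python dict) to see whether any ingress rule admits host-network router traffic, which the SDN attributes to the `default` namespace, and flags rules that omit `from` (those admit every source on their ports). The policy dict, the pod labels and the namespace label sets are constructed; only `matchLabels` and `namespaceSelector`-only peers are evaluated (ipBlock and pod-level peers are ignored).

```python
HOSTNETWORK_NS = "default"  # namespace host-network (VNI 0) traffic is attributed to

def selector_matches(selector, labels):
    """Evaluate a label selector (matchLabels only). An empty selector
    matches every namespace, as in the Kubernetes API."""
    for key, value in (selector or {}).get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return True

def rule_admits_namespace(rule, ns_labels):
    """True if one ingress rule admits traffic attributed to a namespace
    with the given labels. A rule without `from` admits every source."""
    peers = rule.get("from")
    if not peers:
        return True
    for peer in peers:
        # host-network traffic has no pod identity, so only pure
        # namespaceSelector peers can admit it
        if "namespaceSelector" in peer and "podSelector" not in peer:
            if selector_matches(peer["namespaceSelector"], ns_labels):
                return True
    return False

def audit_router_access(policy, namespaces):
    """Return whether the policy admits router traffic and which rule
    indices are wide open because they carry no `from` clause."""
    ns_labels = namespaces.get(HOSTNETWORK_NS, {})
    findings = {"admits_router": False, "open_rules": []}
    for idx, rule in enumerate(policy["spec"].get("ingress", [])):
        if not rule.get("from"):
            findings["open_rules"].append(idx)
        if rule_admits_namespace(rule, ns_labels):
            findings["admits_router"] = True
    return findings

# Constructed policy: the ticket's policy with `ports` inside the `from` rule.
POLICY = {
    "spec": {
        "podSelector": {"matchLabels": {"app": "myapp"}},  # constructed pod label
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels":
                      {"network.openshift.io/policy-group": "ingress"}}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}
# Constructed namespace label sets: before and after the workaround.
NAMESPACES_UNLABELLED = {"default": {}}
NAMESPACES_LABELLED = {"default": {"network.openshift.io/policy-group": "ingress"}}
```

Running `audit_router_access(POLICY, NAMESPACES_UNLABELLED)` reports `admits_router: False`, which is the failure the ticket describes; with the `default` namespace labelled it reports `True`.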
- causes: RFE-3743 "Allow-From-Router" NetworkPolicy for all configured IngressController (Under Review)