RFE-5820

RHACS Support for EgressNetworkPolicy CR in Network Graph


      The OpenShift default SDN CNI provider does not support the upstream API object for network policies when it comes to egress rules. Instead, it leverages a CR called EgressNetworkPolicy from the network.openshift.io/v1 API.

      https://docs.openshift.com/container-platform/4.11/networking/openshift_sdn/configuring-egress-firewall.html

      Horizon BCBS of NJ is in the process of defining project-based deny all egress policies and their security team would like to be able to monitor those network policies to ensure that they are in place using ACS's network graph. 

      The initial feature request would be to ingest and populate the network policies from these CRs and visualize them in the Pod --> Network Policy view. 

      Once this is in place, the customer would also like the ability to create a policy rule (similar to the one we have for "At least one ingress rule" today) that detects whether a default egress rule is missing from their projects. 

      Considering OpenShift's CNIs leverage this egress policy CR instead of the upstream API, we should consider prioritizing support for this, as it will impact any customer with the same use case.

              rh-ee-masimonm Maria Simon Marcos
              ebannon@redhat.com Eric Bannon (Inactive)
              Anjali Telang, Boaz Michaely, Doron Caspin, JP Jung, Maria Simon Marcos, Shubha Badve
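A sketch of the "default egress rule is missing" check requested above, as an added example that is not RHACS code and not part of the original request. The objects are constructed samples shaped like EgressNetworkPolicy items from the network.openshift.io/v1 API, and the helper names (`_enp`, `classify`, `audit`) are hypothetical. It relies on the documented behaviour that egress firewall rules are evaluated in order and the first match applies, so a deny-all rule placed after an allow-all rule has no effect.

```python
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")

def _enp(ns, *rules):
    # Build a constructed EgressNetworkPolicy object for one project.
    egress = [{"type": t, "to": {key: value}} for t, key, value in rules]
    return {"apiVersion": "network.openshift.io/v1", "kind": "EgressNetworkPolicy",
            "metadata": {"name": "default", "namespace": ns},
            "spec": {"egress": egress}}

# Constructed sample data, not taken from any real cluster.
NAMESPACES = ["billing", "payments", "reports", "sandbox"]
POLICIES = [
    _enp("billing", ("Allow", "dnsName", "registry.example.com"),
         ("Deny", "cidrSelector", "0.0.0.0/0")),
    _enp("payments", ("Allow", "cidrSelector", "0.0.0.0/0"),
         ("Deny", "cidrSelector", "0.0.0.0/0")),
    _enp("reports", ("Deny", "cidrSelector", "10.0.0.0/8")),
]

def classify(policy):
    """Walk rules in order (first match wins) and report the effective default."""
    exceptions = []
    for rule in policy.get("spec", {}).get("egress", []):
        to = rule.get("to", {})
        cidr = to.get("cidrSelector")
        covers_all = bool(cidr) and ipaddress.ip_network(cidr, strict=False) == ANY_V4
        if rule.get("type") == "Deny" and covers_all:
            return "default-deny", exceptions
        if rule.get("type") == "Allow":
            if covers_all:
                return "allow-all", exceptions  # any later deny-all is never reached
            exceptions.append(cidr or to.get("dnsName"))
    return "no-default-deny", exceptions

def audit(namespaces, policies):
    # Projects with no EgressNetworkPolicy at all are reported as "no-policy".
    by_ns = {p["metadata"]["namespace"]: p for p in policies}
    return {ns: classify(by_ns[ns]) if ns in by_ns else ("no-policy", []) for ns in namespaces}

if __name__ == "__main__":
    for ns, (status, exceptions) in audit(NAMESPACES, POLICIES).items():
        print(f"{ns:10} {status:16} allowed before deny: {exceptions}")
```

Only `billing` passes; the exceptions list shows which destinations are allowed ahead of the deny-all rule, which is what a reviewer would want next to the pass/fail result.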