Configuring multitenant isolation with network policy

As a cluster administrator, you can configure your network policies to provide multitenant network isolation.

If you are using the OpenShift SDN cluster network provider, configuring network policies as described in this section provides network isolation similar to multitenant mode but with network policy mode set.

Configuring multitenant isolation by using network policy

You can configure your project to isolate it from pods and services in other project namespaces.

Prerequisites

  • Your cluster uses a cluster network provider that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with admin privileges.

Procedure

  1. Create the following NetworkPolicy objects:

    1. A policy named allow-from-openshift-ingress.

      1. $ cat << EOF| oc create -f -
      2. apiVersion: networking.k8s.io/v1
      3. kind: NetworkPolicy
      4. metadata:
      5.   name: allow-from-openshift-ingress
      6. spec:
      7.   ingress:
      8.   - from:
      9.     - namespaceSelector:
      10.         matchLabels:
      11.           policy-group.network.openshift.io/ingress: ""
      12.   podSelector: {}
      13.   policyTypes:
      14.   - Ingress
      15. EOF

      policy-group.network.openshift.io/ingress: “” is the preferred namespace selector label for OpenShift SDN. You can use the network.openshift.io/policy-group: ingress namespace selector label, but this is a legacy label.

    2. A policy named allow-from-openshift-monitoring:

      1. $ cat << EOF| oc create -f -
      2. apiVersion: networking.k8s.io/v1
      3. kind: NetworkPolicy
      4. metadata:
      5.   name: allow-from-openshift-monitoring
      6. spec:
      7.   ingress:
      8.   - from:
      9.     - namespaceSelector:
      10.         matchLabels:
      11.           network.openshift.io/policy-group: monitoring
      12.   podSelector: {}
      13.   policyTypes:
      14.   - Ingress
      15. EOF

    3. A policy named allow-same-namespace:

      1. $ cat << EOF| oc create -f -
      2. kind: NetworkPolicy
      3. apiVersion: networking.k8s.io/v1
      4. metadata:
      5.   name: allow-same-namespace
      6. spec:
      7.   podSelector:
      8.   ingress:
      9.   - from:
      10.     - podSelector: {}
      11. EOF

  2. Optional: To confirm that the network policies exist in your current project, enter the following command:

    1. $ oc describe networkpolicy

    Example output

    ``` Name: allow-from-openshift-ingress Namespace: example1 Created on: 2020-06-09 00:28:17 -0400 EDT Labels: Annotations: Spec: PodSelector: (Allowing the specific traffic to all pods in this namespace) Allowing ingress traffic:

    1. To Port: <any> (traffic allowed to all ports)
    2. From:
    3.   NamespaceSelector: network.openshift.io/policy-group: ingress

    Not affecting egress traffic Policy Types: Ingress

  1. Name:         allow-from-openshift-monitoring
  2. Namespace:    example1
  3. Created on:   2020-06-09 00:29:57 -0400 EDT
  4. Labels:       <none>
  5. Annotations:  <none>
  6. Spec:
  7.   PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  8.   Allowing ingress traffic:
  9.     To Port: <any> (traffic allowed to all ports)
  10.     From:
  11.       NamespaceSelector: network.openshift.io/policy-group: monitoring
  12.   Not affecting egress traffic
  13.   Policy Types: Ingress
  14. ```

Next steps

Additional resources