Defining a default network policy for projects

As a cluster administrator, you can modify the new project template to automatically include network policies when you create a new project. If you do not yet have a customized template for new projects, you must first create one.

Modifying the template for new projects

As a cluster administrator, you can modify the default project template so that new projects are created using your custom requirements.

To create your own custom project template:

Procedure

  1. Log in as a user with cluster-admin privileges.

  2. Generate the default project template:

    $ oc adm create-bootstrap-project-template -o yaml > template.yaml

  3. Use a text editor to modify the generated template.yaml file by adding objects or modifying existing objects.

  4. The project template must be created in the openshift-config namespace. Load your modified template:

    $ oc create -f template.yaml -n openshift-config

  5. Edit the project configuration resource using the web console or CLI.

    • Using the web console:

      1. Navigate to the Administration → Cluster Settings page.

      2. Click Configuration to view all configuration resources.

      3. Find the entry for Project and click Edit YAML.

    • Using the CLI:

      1. Edit the project.config.openshift.io/cluster resource:

        $ oc edit project.config.openshift.io/cluster

  6. Update the spec section to include the projectRequestTemplate and name parameters, and set the name of your uploaded project template. The default name is project-request.

    Project configuration resource with custom project template

    apiVersion: config.openshift.io/v1
    kind: Project
    metadata:
      ...
    spec:
      projectRequestTemplate:
        name: <template_name>

  7. After you save your changes, create a new project to verify that your changes were successfully applied.

Adding network policies to the new project template

As a cluster administrator, you can add network policies to the default template for new projects. OKD will automatically create all the NetworkPolicy objects specified in the template in the project.

Prerequisites

  • Your cluster uses a default CNI network provider that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You must log in to the cluster with a user with cluster-admin privileges.

  • You must have created a custom default project template for new projects.

Procedure

  1. Edit the default template for a new project by running the following command:

    $ oc edit template <project_template> -n openshift-config

    Replace <project_template> with the name of the default template that you configured for your cluster. The default template name is project-request.

  2. In the template, add each NetworkPolicy object as an element to the objects parameter. The objects parameter accepts a collection of one or more objects.

    In the following example, the objects parameter collection includes several NetworkPolicy objects.

    objects:
    - apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-same-namespace
      spec:
        podSelector: {}
        ingress:
        - from:
          - podSelector: {}
    - apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-openshift-ingress
      spec:
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                network.openshift.io/policy-group: ingress
        podSelector: {}
        policyTypes:
        - Ingress
    - apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: allow-from-kube-apiserver-operator
      spec:
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: openshift-kube-apiserver-operator
            podSelector:
              matchLabels:
                app: kube-apiserver-operator
        podSelector: {}
        policyTypes:
        - Ingress
    ...

  3. Optional: Create a new project to confirm that your network policy objects are created successfully by running the following commands:

    1. Create a new project:

      $ oc new-project <project> (1)

      (1) Replace <project> with the name for the project you are creating.

    2. Confirm that the network policy objects in the new project template exist in the new project:

      $ oc get networkpolicy
      NAME                           POD-SELECTOR   AGE
      allow-from-openshift-ingress   <none>         7s
      allow-from-same-namespace      <none>         7s
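The `oc get networkpolicy` listing above only shows names. The following script is an added example, not code from the OKD documentation: it reads the JSON that `oc get networkpolicy -n <project> -o json` prints and answers the two questions a cluster administrator actually has after creating a project from the template. First, did every NetworkPolicy object named in the template get created? Second, is ingress to every pod in the namespace now governed by a policy (an empty `podSelector: {}` selects all pods, which makes the namespace default-deny for ingress apart from the listed sources)? It also reports, for each policy, which selector kinds each `from` entry carries, because a single entry with both `namespaceSelector` and `podSelector` (as in the kube-apiserver-operator policy) admits only pods matching both, whereas two separate entries would admit either. The embedded sample document is constructed by hand, uses a hypothetical namespace `demo`, and deliberately contains only two of the three template policies so the check has something to report; the expected policy names are the ones from the template in the text.

```python
"""Audit the NetworkPolicy objects in a newly created project.

Added example, not code from the OKD documentation. Pipe the output of
`oc get networkpolicy -n <project> -o json` into this script, or run it with
no input to audit the constructed sample below.
"""
import json
import sys

# Names of the NetworkPolicy objects the template in the text creates.
EXPECTED_POLICIES = (
    "allow-from-same-namespace",
    "allow-from-openshift-ingress",
    "allow-from-kube-apiserver-operator",
)

# Constructed sample of `oc get networkpolicy -o json` output for a
# hypothetical project "demo"; only two of the three template policies exist.
SAMPLE_NETPOL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "allow-from-same-namespace", "namespace": "demo"},
            "spec": {
                "podSelector": {},
                "ingress": [{"from": [{"podSelector": {}}]}],
            },
        },
        {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "allow-from-openshift-ingress", "namespace": "demo"},
            "spec": {
                "podSelector": {},
                "policyTypes": ["Ingress"],
                "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                    "network.openshift.io/policy-group": "ingress"}}}]}],
            },
        },
    ],
})


def policy_names(netpol_json):
    """Return the names of all NetworkPolicy objects in the list document."""
    doc = json.loads(netpol_json)
    return [item["metadata"]["name"] for item in doc.get("items", [])]


def missing_policies(netpol_json, expected=EXPECTED_POLICIES):
    """Return the expected policy names that are absent from the project, sorted."""
    present = set(policy_names(netpol_json))
    return sorted(name for name in expected if name not in present)


def governs_ingress(spec):
    """True if the policy applies to the Ingress direction.

    When policyTypes is omitted, Kubernetes always includes Ingress.
    """
    return "Ingress" in spec.get("policyTypes", ["Ingress"])


def ingress_isolated(netpol_json):
    """True if some ingress policy selects every pod (podSelector: {}).

    A pod selected by any ingress policy drops traffic that no allow rule
    matches, so an all-pods selector makes the namespace default-deny for
    ingress except for the permitted sources.
    """
    doc = json.loads(netpol_json)
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        if spec.get("podSelector", {}) == {} and governs_ingress(spec):
            return True
    return False


def peer_kinds(netpol_json):
    """Map each policy name to the selector kinds carried by each `from` entry.

    One entry with both namespaceSelector and podSelector is a single peer
    (pods in that namespace AND with those labels); separate entries are ORed.
    """
    doc = json.loads(netpol_json)
    result = {}
    for item in doc.get("items", []):
        kinds = []
        for rule in item.get("spec", {}).get("ingress", []):
            for peer in rule.get("from", []):
                kinds.append("+".join(sorted(
                    k for k in ("namespaceSelector", "podSelector", "ipBlock") if k in peer)))
        result[item["metadata"]["name"]] = kinds
    return result


def audit_project(netpol_json, expected=EXPECTED_POLICIES):
    """Combine the three checks into one report dictionary."""
    return {
        "missing": missing_policies(netpol_json, expected),
        "ingress_isolated": ingress_isolated(netpol_json),
        "sources": peer_kinds(netpol_json),
    }


if __name__ == "__main__":
    data = SAMPLE_NETPOL_JSON if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(audit_project(data), indent=2))
```

Against a live cluster, run `oc get networkpolicy -n <project> -o json | python3 audit_netpol.py` (file name assumed); a non-empty `missing` list means the template in openshift-config was not the one used, or was edited after the project was created, and `ingress_isolated: false` means no policy selects all pods, so pods not matched by any policy still accept traffic from every source.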