我的书签
添加书签
移除书签Defining a default network policy for projects
As a cluster administrator, you can modify the new project template to automatically include network policies when you create a new project. If you do not yet have a customized template for new projects, you must first create one.
Modifying the template for new projects
As a cluster administrator, you can modify the default project template so that new projects are created using your custom requirements.
To create your own custom project template:
Procedure
Log in as a user with
cluster-adminprivileges.Generate the default project template:
$ oc adm create-bootstrap-project-template -o yaml > template.yaml
Use a text editor to modify the generated
template.yamlfile by adding objects or modifying existing objects.The project template must be created in the
openshift-confignamespace. Load your modified template:$ oc create -f template.yaml -n openshift-config
Edit the project configuration resource using the web console or CLI.
Using the web console:
Navigate to the Administration → Cluster Settings page.
Click Global Configuration to view all configuration resources.
Find the entry for Project and click Edit YAML.
Using the CLI:
Edit the
project.config.openshift.io/clusterresource:$ oc edit project.config.openshift.io/cluster
Update the
specsection to include theprojectRequestTemplateandnameparameters, and set the name of your uploaded project template. The default name isproject-request.Project configuration resource with custom project template
apiVersion: config.openshift.io/v1kind: Projectmetadata:...spec:projectRequestTemplate:name: <template_name>
After you save your changes, create a new project to verify that your changes were successfully applied.
Adding network policies to the new project template
As a cluster administrator, you can add network policies to the default template for new projects. OKD will automatically create all the NetworkPolicy objects specified in the template in the project.
Prerequisites
Your cluster uses a default CNI network provider that supports
NetworkPolicyobjects, such as the OpenShift SDN network provider withmode: NetworkPolicyset. This mode is the default for OpenShift SDN.You installed the OpenShift CLI (
oc).You must log in to the cluster with a user with
cluster-adminprivileges.You must have created a custom default project template for new projects.
Procedure
Edit the default template for a new project by running the following command:
$ oc edit template <project_template> -n openshift-config
Replace
<project_template>with the name of the default template that you configured for your cluster. The default template name isproject-request.In the template, add each
NetworkPolicyobject as an element to theobjectsparameter. Theobjectsparameter accepts a collection of one or more objects.In the following example, the
objectsparameter collection includes severalNetworkPolicyobjects.For the OVN-Kubernetes network provider plug-in, when the Ingress Controller is configured to use the
HostNetworkendpoint publishing strategy, there is no supported way to apply network policy so that ingress traffic is allowed and all other traffic is denied.objects:- apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:name: allow-from-same-namespacespec:podSelector:ingress:- from:- podSelector: {}- apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata:name: allow-from-openshift-ingressspec:ingress:- from:- namespaceSelector:matchLabels:network.openshift.io/policy-group: ingresspodSelector: {}policyTypes:- Ingress...
Optional: Create a new project to confirm that your network policy objects are created successfully by running the following commands:
Create a new project:
$ oc new-project <project> (1)
1 Replace <project>with the name for the project you are creating.Confirm that the network policy objects in the new project template exist in the new project:
$ oc get networkpolicyNAME POD-SELECTOR AGEallow-from-openshift-ingress <none> 7sallow-from-same-namespace <none> 7s
