Configuring multi-network policy

As a cluster administrator, you can configure network policy for additional networks.

You can specify multi-network policy for only macvlan additional networks. Other types of additional networks, such as ipvlan, are not supported.

Differences between multi-network policy and network policy

Although the MultiNetworkPolicy API implements the NetworkPolicy API, there are several important differences:

  • You must use the MultiNetworkPolicy API:

    1. apiVersion: k8s.cni.cncf.io/v1beta1
    2. kind: MultiNetworkPolicy
  • You must use the multi-networkpolicy resource name when using the CLI to interact with multi-network policies. For example, you can view a multi-network policy object with the oc get multi-networkpolicy <name> command where <name> is the name of a multi-network policy.

  • You must specify an annotation with the name of the network attachment definition that defines the macvlan additional network:

    1. apiVersion: k8s.cni.cncf.io/v1beta1
    2. kind: MultiNetworkPolicy
    3. metadata:
    4. annotations:
    5. k8s.v1.cni.cncf.io/policy-for: <network_name>

    where:

    <network_name>

    Specifies the name of a network attachment definition.

Enabling multi-network policy for the cluster

As a cluster administrator, you can enable multi-network policy support on your cluster.

Prerequisites

  • Install the OpenShift CLI (oc).

  • Log in to the cluster with a user with cluster-admin privileges.

Procedure

  1. Create the multinetwork-enable-patch.yaml file with the following YAML:

    1. apiVersion: operator.openshift.io/v1
    2. kind: Network
    3. metadata:
    4. name: cluster
    5. spec:
    6. useMultiNetworkPolicy: true
  2. Configure the cluster to enable multi-network policy:

    1. $ oc patch network.operator.openshift.io cluster --type=merge --patch-file=multinetwork-enable-patch.yaml

    Example output

    1. network.operator.openshift.io/cluster patched

Working with multi-network policy

As a cluster administrator, you can create, edit, view, and delete multi-network policies.

Prerequisites

  • You have enabled multi-network policy support for your cluster.

Creating a multi-network policy

To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a multi-network policy.

Prerequisites

  • Your cluster uses a cluster network provider that supports NetworkPolicy objects, such as the OVN-Kubernetes network provider or the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with cluster-admin privileges.

  • You are working in the namespace that the multi-network policy applies to.

Procedure

  1. Create a policy rule:

    1. Create a <policy_name>.yaml file:

      1. $ touch <policy_name>.yaml

      where:

      <policy_name>

      Specifies the multi-network policy file name.

    2. Define a multi-network policy in the file that you just created, such as in the following examples:

      Deny ingress from all pods in all namespaces

      1. apiVersion: k8s.cni.cncf.io/v1beta1
      2. kind: MultiNetworkPolicy
      3. metadata:
      4. name: deny-by-default
      5. annotations:
      6. k8s.v1.cni.cncf.io/policy-for: <network_name>
      7. spec:
      8. podSelector:
      9. ingress: []

      where

      <network_name>

      Specifies the name of a network attachment definition.

      Allow ingress from all pods in the same namespace

      1. apiVersion: k8s.cni.cncf.io/v1beta1
      2. kind: MultiNetworkPolicy
      3. metadata:
      4. name: allow-same-namespace
      5. annotations:
      6. k8s.v1.cni.cncf.io/policy-for: <network_name>
      7. spec:
      8. podSelector:
      9. ingress:
      10. - from:
      11. - podSelector: {}

      where

      <network_name>

      Specifies the name of a network attachment definition.

  2. To create the multi-network policy object, enter the following command:

    1. $ oc apply -f <policy_name>.yaml -n <namespace>

    where:

    <policy_name>

    Specifies the multi-network policy file name.

    <namespace>

    Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

    Example output

    1. multinetworkpolicy.k8s.cni.cncf.io/default-deny created

Editing a multi-network policy

You can edit a multi-network policy in a namespace.

Prerequisites

  • Your cluster uses a cluster network provider that supports NetworkPolicy objects, such as the OVN-Kubernetes network provider or the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with cluster-admin privileges.

  • You are working in the namespace where the multi-network policy exists.

Procedure

  1. Optional: To list the multi-network policy objects in a namespace, enter the following command:

    1. $ oc get multi-networkpolicy

    where:

    <namespace>

    Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

  2. Edit the multi-network policy object.

    • If you saved the multi-network policy definition in a file, edit the file and make any necessary changes, and then enter the following command.

      1. $ oc apply -n <namespace> -f <policy_file>.yaml

      where:

      <namespace>

      Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

      <policy_file>

      Specifies the name of the file containing the network policy.

    • If you need to update the multi-network policy object directly, enter the following command:

      1. $ oc edit multi-networkpolicy <policy_name> -n <namespace>

      where:

      <policy_name>

      Specifies the name of the network policy.

      <namespace>

      Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

  3. Confirm that the multi-network policy object is updated.

    1. $ oc describe multi-networkpolicy <policy_name> -n <namespace>

    where:

    <policy_name>

    Specifies the name of the multi-network policy.

    <namespace>

    Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

Viewing multi-network policies

You can examine the multi-network policies in a namespace.

Prerequisites

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with cluster-admin privileges.

  • You are working in the namespace where the multi-network policy exists.

Procedure

  • List multi-network policies in a namespace:

    • To view multi-network policy objects defined in a namespace, enter the following command:

      1. $ oc get multi-networkpolicy
    • Optional: To examine a specific multi-network policy, enter the following command:

      1. $ oc describe multi-networkpolicy <policy_name> -n <namespace>

      where:

      <policy_name>

      Specifies the name of the multi-network policy to inspect.

      <namespace>

      Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

Deleting a multi-network policy

You can delete a multi-network policy in a namespace.

Prerequisites

  • Your cluster uses a cluster network provider that supports NetworkPolicy objects, such as the OVN-Kubernetes network provider or the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with cluster-admin privileges.

  • You are working in the namespace where the multi-network policy exists.

Procedure

  • To delete a multi-network policy object, enter the following command:

    1. $ oc delete multi-networkpolicy <policy_name> -n <namespace>

    where:

    <policy_name>

    Specifies the name of the multi-network policy.

    <namespace>

    Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

    Example output

    1. multinetworkpolicy.k8s.cni.cncf.io/default-deny deleted

Additional resources