docs/modules/ROOT/pages/network/network-policies.adoc
Lines changed: 10 additions & 3 deletions
@@ -64,12 +64,13 @@ To summarize, Kubernetes network policies have the following properties:
64
64
65
65
VSHN Managed OpenShift deploys default network policies in each namespace which isolate namespaces from each other.
66
66
The default network policies are managed actively and not intended to be modified by users.
67
+
The managed policies are organized into policy sets which can be enabled and disabled individually.
67
68
68
69
By default the following policies are deployed:
69
70
70
-
`NetworkPolicy/allow-from-other-namespaces`:: Allows incoming traffic from the monitoring stack, cluster ingress controllers, and pods with `hostNetwork: true`.
71
-
`NetworkPolicy/allow-from-same-namespace`:: Allows unrestricted traffic within the same namespace.
72
-
`CiliumNetworkPolicy/allow-from-cluster-nodes`:: Allows traffic from the cluster's nodes.
71
+
`NetworkPolicy/syn-internal-set-base`:: Allows incoming traffic from the monitoring stack, cluster ingress controllers, and pods with `hostNetwork: true`.
72
+
`NetworkPolicy/syn-set-default-allow-intra-namespace`:: Allows unrestricted traffic within the same namespace.
73
+
`CiliumNetworkPolicy/syn-internal-set-base`:: Allows traffic from the cluster's nodes.
73
74
74
75
Any other traffic (in particular traffic from arbitrary other namespaces) is denied by the default policies.
75
76
Because policies are additive, you can easily allow additional traffic by deploying additional `NetworkPolicy` objects in a namespace.
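Review bot: The sentence added at new line 67 says policy sets "can be enabled and disabled individually" without saying who does this or how, and it sits directly after the statement that the default policies are "not intended to be modified by users", so a reader can't tell whether this is a user-facing switch or something only the operator controls. Please state that explicitly. The renamed list at new lines 71-73 also never says which policy set each object belongs to, and `NetworkPolicy/syn-internal-set-base` and `CiliumNetworkPolicy/syn-internal-set-base` now share a name and differ only by kind. A short note mapping each entry to its set would help, as would a mention of the previous names (`allow-from-other-namespaces`, `allow-from-same-namespace`, `allow-from-cluster-nodes`) for readers who still refer to them.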
@@ -88,6 +89,12 @@ Once that label is set on a namespace, changes or deletions of the default polic
88
89
When setting the label, the user becomes responsible to ensure that cluster components such as the ingress controller or the monitoring stack are allowed to access workloads if desired.
89
90
====
90
91
92
+
[TIP]
93
+
====
94
+
For advanced use cases on VSHN Managed OpenShift, we can deploy additional policy sets on user request.
95
+
Please contact us if you're interested in using additional policy sets on your clusters.
96
+
====
97
+
91
98
== Additional resources
92
99
93
100
The Kubernetes documentation on https://kubernetes.io/docs/concepts/services-networking/network-policies/[network policies] is a valuable resource.
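Review bot: The TIP added at new lines 92-96 offers "additional policy sets" on request but gives no indication of what such a set allows or how to make the request. Since the default policies deny traffic from arbitrary other namespaces, a reader deciding whether to ask needs at least one example of the traffic an extra set would permit, and "Please contact us" should link to the actual support channel. It would also help to say how additional sets behave in namespaces that carry the opt-out label described in the preceding admonition, where the user has taken over responsibility for the default policies.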