cloud-container-engine/umn/source/namespaces/configuring_a_namespace-level_network_policy.rst

original_name: cce_10_0286.html

Configuring a Namespace-level Network Policy

Enabling Network Isolation for a namespace creates a namespace-level network policy for it.

By default, Network Isolation is disabled for namespaces. For example, when network isolation is off for namespace default, every workload in the cluster can access the workloads in namespace default.

To prevent workloads in other namespaces from accessing the workloads in namespace default, perform the following steps:

Important

  • Only clusters that use the tunnel network model support network policies.

  • Network isolation is not supported for IPv6 addresses.

  • Egress rules are supported only in clusters of v1.23 or later, and only on nodes running one of the following operating systems:

    • EulerOS 2.9: kernel version 4.18.0-147.5.1.6.h541.eulerosv2r9.x86_64
    • CentOS 7.7: kernel version 3.10.0-1062.18.1.el7.x86_64
    • EulerOS 2.5: kernel version 3.10.0-862.14.1.5.h591.eulerosv2r7.x86_64
  • If a cluster is upgraded to v1.23 in in-place mode, egress rules cannot be used because the node OS is not upgraded. In this case, reset the node.

Prerequisites

  • You have created a Kubernetes cluster. For details, see Creating a CCE Cluster <cce_10_0028>.
  • You have created a namespace. For details, see Creating a Namespace <cce_10_0278>.

Procedure

  1. Log in to the CCE console. In the navigation pane, choose Resource Management > Namespaces.

  2. Select the cluster to which the namespace belongs from the Clusters drop-down list.

  3. At the row of a namespace (for example, default), switch on Network Isolation.

    After network isolation is enabled, workloads in namespace default can access each other but they cannot be accessed by workloads in other namespaces.

    Figure 1 Namespace-level network policy

Network Isolation Description

Enabling network isolation creates a network policy in the namespace. The policy selects all pods in the namespace and allows ingress only from pods in the same namespace, so pods in other namespaces cannot reach them. It contains ingress rules only, so outbound traffic from the namespace is not restricted. Note that Kubernetes network policies are additive: once any policy selects a pod, that pod accepts only the sources some selecting policy admits, and anything not matched by a from entry is dropped.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
    name: deny-default
    namespace: default
spec:
    ingress:
        - from:
          - podSelector: {}             # {} here means every pod in the policy's own namespace (default)
    podSelector: {}                     # {} indicates that all pods in the namespace are selected.

You can also customize a network policy. For details, see Network Policies <cce_10_0059>.
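The following Python script is an added example, not part of the CCE documentation or of any CCE tooling. It evaluates the ingress semantics of the deny-default policy above offline, with the policy transcribed into a plain dict, and then shows how a second, customised policy (the hypothetical allow-sre-to-web, with namespace labels team=sre and pod labels app=web) widens access for one set of pods without touching the rest. All pod names, namespace labels and IP addresses are constructed for the example, ports are ignored, and the evaluator implements the Kubernetes NetworkPolicy rules (empty podSelector selects every pod, a bare podSelector in from is scoped to the policy's namespace, policies are additive, and a pod selected by no policy accepts all traffic).

```python
# Added example (not CCE's own code): an offline evaluator for Kubernetes
# NetworkPolicy ingress semantics, used to check what the deny-default policy
# above admits. Policies and pods are plain dicts mirroring the YAML; every
# namespace, label and IP below is constructed. Ports are ignored.
import ipaddress


def selector_matches(selector, labels):
    """Kubernetes label-selector semantics: {} matches everything."""
    if selector is None:
        return False
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op in ("Exists", "DoesNotExist") and (key in labels) != (op == "Exists"):
            return False
    return True


def policy_restricts_ingress(policy, pod):
    """True if the policy is in the pod's namespace, selects it and governs Ingress."""
    meta, spec = policy["metadata"], policy["spec"]
    types = spec.get("policyTypes", ["Ingress"])  # Ingress is implied if omitted
    return ("Ingress" in types and pod["namespace"] == meta["namespace"]
            and selector_matches(spec.get("podSelector", {}), pod["labels"]))


def peer_matches(peer, policy_namespace, src, namespaces):
    """Does one entry of an ingress 'from' list cover the source pod?"""
    if "ipBlock" in peer:
        ip, block = ipaddress.ip_address(src["ip"]), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        # podSelector alone is scoped to the policy's namespace: this is why
        # 'podSelector: {}' means "every pod in the same namespace".
        ns_ok = src["namespace"] == policy_namespace
    else:
        ns_ok = selector_matches(ns_sel, namespaces.get(src["namespace"], {}))
    pod_sel = peer.get("podSelector")
    pod_ok = pod_sel is None or selector_matches(pod_sel, src["labels"])
    return ns_ok and pod_ok


def ingress_allowed(src, dst, policies, namespaces):
    """A pod selected by no Ingress policy accepts everything; otherwise a source
    is admitted only if some selecting policy has an ingress rule whose 'from'
    list covers it (policies are additive, never subtractive)."""
    applicable = [p for p in policies if policy_restricts_ingress(p, dst)]
    if not applicable:
        return True
    for policy in applicable:
        for rule in policy["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:  # empty or missing 'from' admits every source
                return True
            ns = policy["metadata"]["namespace"]
            if any(peer_matches(p, ns, src, namespaces) for p in peers):
                return True
    return False


# The policy created when Network Isolation is switched on (kind and
# apiVersion omitted), transcribed from the YAML above.
DENY_DEFAULT = {
    "metadata": {"name": "deny-default", "namespace": "default"},
    "spec": {"ingress": [{"from": [{"podSelector": {}}]}], "podSelector": {}},
}
# Constructed customisation with hypothetical names: additionally admit pods
# from namespaces labelled team=sre to pods labelled app=web in default.
ALLOW_SRE_TO_WEB = {
    "metadata": {"name": "allow-sre-to-web", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "web"}},
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "sre"}}}]}]},
}
# Constructed cluster state.
NAMESPACES = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "monitoring": {"kubernetes.io/metadata.name": "monitoring", "team": "sre"},
}
WEB = {"namespace": "default", "labels": {"app": "web"}, "ip": "10.0.1.10"}
DB = {"namespace": "default", "labels": {"app": "db"}, "ip": "10.0.1.11"}
PROM = {"namespace": "monitoring", "labels": {"app": "prometheus"}, "ip": "10.0.2.5"}


def isolation_matrix(policies):
    """Which source->destination pairs are admitted under the given policies."""
    pairs = [("db->web", DB, WEB), ("prom->web", PROM, WEB), ("prom->db", PROM, DB)]
    return {name: ingress_allowed(s, d, policies, NAMESPACES) for name, s, d in pairs}
```

Calling isolation_matrix([]) admits all three pairs (isolation off); isolation_matrix([DENY_DEFAULT]) admits only db->web; adding ALLOW_SRE_TO_WEB re-admits prom->web while prom->db stays denied, because the second policy selects only app=web pods. On a real cluster the policy the console created can be inspected with `kubectl get networkpolicy -n default -o yaml`.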