From 894c52ebe065453be3063e87f2c2108ef90fb2bd Mon Sep 17 00:00:00 2001 From: dkwon17 Date: Fri, 26 Aug 2022 16:21:45 +0000 Subject: [PATCH 01/12] feat: add documentation about required network policy for multitentant isolation Signed-off-by: dkwon17 --- modules/administration-guide/nav.adoc | 1 + .../pages/configuring-network-policies.adoc | 48 +++++++++++++++++++ .../pages/configuring-networking.adoc | 1 + .../snip_configuring-network-policies.adoc | 1 + 4 files changed, 51 insertions(+) create mode 100644 modules/administration-guide/pages/configuring-network-policies.adoc create mode 100644 modules/administration-guide/partials/snip_configuring-network-policies.adoc diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc index a8fd1d0132..41a04d3eb2 100644 --- a/modules/administration-guide/nav.adoc +++ b/modules/administration-guide/nav.adoc @@ -54,6 +54,7 @@ **** xref:monitoring-the-dev-workspace-operator.adoc[] **** xref:monitoring-che.adoc[] ** xref:configuring-networking.adoc[] +*** xref:configuring-network-policies.adoc[] *** xref:configuring-che-hostname.adoc[] *** xref:importing-untrusted-tls-certificates.adoc[] *** xref:configuring-ingresses.adoc[] diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc new file mode 100644 index 0000000000..260447852b --- /dev/null +++ b/modules/administration-guide/pages/configuring-network-policies.adoc 
@@ -0,0 +1,48 @@ +:_content-type: CONCEPT +:description: Configuring network policies +:keywords: administration guide, configuring, namespace, network policy, network policies, multitenant isolation +:navtitle: Configuring network policies +:page-aliases: installation-guide:configuring-network-policies.adoc + +[id="configuring-networking-policies_{context}"] += Configuring network policies + +By default all Pods in a {orch-name} cluster can communicate with each other even if they are in different namespaces. +In the context of {prod-short}, this makes it possible for a workspace Pod from one user {orch-namespace} to send traffic to another workspace Pod from a different user {orch-namespace}. + +For security, multitenant isolation can be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}. +However for {prod-short}, it is necessary for Pods in the {prod-short} {orch-namespace} to be able to communicate with Pods in {orch-namespace}s. + +For a {prod-short} installation with network restrictions such as multitenant isolation configured, the `allow-from-eclipse-che.yaml` NetworkPolicy must be applied to each user {orch-namespace}. + +The `allow-from-eclipse-che` NetworkPolicy allows incoming traffic from the {prod-short} namespace to all Pods in the user {orch-namespace}. + +.`allow-from-eclipse-che.yaml` +==== +[source,yaml,subs="+quotes,attributes"] +---- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-from-eclipse-che +spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {prod-namespace} <1> + podSelector: {} <2> + policyTypes: + - Ingress +---- +==== +<1> The {prod-short} namespace. The default is `{prod-namespace}`. +<2> The empty podSelector selects all Pods in the {orch-namespace}. 
+ +.Additional resources + +* xref:configuring-namespace-provisioning.adoc[] + +* link:https://kubernetes.io/docs/concepts/security/multi-tenancy/#network-isolation[Network isolation] + +include::partial$snip_configuring-network-policies.adoc[] diff --git a/modules/administration-guide/pages/configuring-networking.adoc b/modules/administration-guide/pages/configuring-networking.adoc index 12ab72243d..e2fd39807f 100644 --- a/modules/administration-guide/pages/configuring-networking.adoc +++ b/modules/administration-guide/pages/configuring-networking.adoc @@ -7,6 +7,7 @@ [id="configuring-networking_{context}"] = Configuring networking +* xref:configuring-network-policies.adoc[] * xref:configuring-che-hostname.adoc[] * xref:importing-untrusted-tls-certificates.adoc[] * xref:configuring-ingresses.adoc[] diff --git a/modules/administration-guide/partials/snip_configuring-network-policies.adoc b/modules/administration-guide/partials/snip_configuring-network-policies.adoc new file mode 100644 index 0000000000..14b211a19e --- /dev/null +++ b/modules/administration-guide/partials/snip_configuring-network-policies.adoc @@ -0,0 +1 @@ +* link:https://docs.openshift.com/container-platform/{ocp4-ver}/networking/network_policy/multitenant-network-policy.html[Configuring multitenant isolation with network policy] From 249a760387ad6945d09a4287b6fab05108d706c3 Mon Sep 17 00:00:00 2001 From: David Kwon Date: Thu, 1 Sep 2022 09:28:40 -0400 Subject: [PATCH 02/12] Update modules/administration-guide/pages/configuring-network-policies.adoc Co-authored-by: Max Leonov --- .../pages/configuring-network-policies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index 260447852b..d5d7cace06 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc 
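Review bot: The `namespaceSelector` in the new page depends on the automatic `kubernetes.io/metadata.name` namespace label, which the API server only sets on Kubernetes 1.21 and later, so on older clusters the selector matches no namespace and the policy silently admits nothing from the {prod-short} namespace. I would extend callout <1> to `<1> The {prod-short} namespace. The default is {prod-namespace}. The kubernetes.io/metadata.name label is set automatically on Kubernetes 1.21 and later; on older clusters, add the label to the namespace yourself.` Two semantics points also belong in the prose: because the policy selects every Pod through the empty `podSelector` with `policyTypes: Ingress`, applying it on its own makes all workspace Pods ingress-isolated, so traffic from other Pods in the same user {orch-namespace} is also dropped unless a separate allow-same-namespace policy exists; and the `from` rule admits every Pod in the {prod-short} namespace rather than a specific component, which the sentence "allows incoming traffic from the {prod-short} namespace" should say plainly. The example covers ingress only, so a reader who also applies a default-deny egress policy will need additional egress rules (DNS at minimum), and one sentence stating that scope would avoid the surprise.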
+++ b/modules/administration-guide/pages/configuring-network-policies.adoc @@ -7,7 +7,7 @@ [id="configuring-networking-policies_{context}"] = Configuring network policies -By default all Pods in a {orch-name} cluster can communicate with each other even if they are in different namespaces. +By default, all Pods in a {orch-name} cluster can communicate with each other even if they are in different namespaces. In the context of {prod-short}, this makes it possible for a workspace Pod from one user {orch-namespace} to send traffic to another workspace Pod from a different user {orch-namespace}. For security, multitenant isolation can be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}. From 064d3ad3fc78f60f73e755f380de77fa4c7cae9b Mon Sep 17 00:00:00 2001 From: David Kwon Date: Thu, 1 Sep 2022 09:28:48 -0400 Subject: [PATCH 03/12] Update modules/administration-guide/pages/configuring-network-policies.adoc Co-authored-by: Max Leonov --- .../pages/configuring-network-policies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index d5d7cace06..dc9060617c 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc 
@@ -8,7 +8,7 @@ = Configuring network policies By default, all Pods in a {orch-name} cluster can communicate with each other even if they are in different namespaces. -In the context of {prod-short}, this makes it possible for a workspace Pod from one user {orch-namespace} to send traffic to another workspace Pod from a different user {orch-namespace}. +In the context of {prod-short}, this makes it possible for a workspace Pod in one user {orch-namespace} to send traffic to another workspace Pod in a different user {orch-namespace}. For security, multitenant isolation can be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}. However for {prod-short}, it is necessary for Pods in the {prod-short} {orch-namespace} to be able to communicate with Pods in {orch-namespace}s. From 1795c2693cd1089532daaad4dc241e447298a2cf Mon Sep 17 00:00:00 2001 From: David Kwon Date: Thu, 1 Sep 2022 09:28:54 -0400 Subject: [PATCH 04/12] Update modules/administration-guide/pages/configuring-network-policies.adoc Co-authored-by: Max Leonov --- .../pages/configuring-network-policies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index dc9060617c..4868c17c46 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc 
@@ -10,7 +10,7 @@ By default, all Pods in a {orch-name} cluster can communicate with each other even if they are in different namespaces. In the context of {prod-short}, this makes it possible for a workspace Pod in one user {orch-namespace} to send traffic to another workspace Pod in a different user {orch-namespace}. -For security, multitenant isolation can be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}. +For security, multitenant isolation could be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}. However for {prod-short}, it is necessary for Pods in the {prod-short} {orch-namespace} to be able to communicate with Pods in {orch-namespace}s. For a {prod-short} installation with network restrictions such as multitenant isolation configured, the `allow-from-eclipse-che.yaml` NetworkPolicy must be applied to each user {orch-namespace}. From 8d62acd9ec670cf1c1181db559198f994939f26d Mon Sep 17 00:00:00 2001 From: David Kwon Date: Thu, 1 Sep 2022 09:30:05 -0400 Subject: [PATCH 05/12] Update modules/administration-guide/pages/configuring-network-policies.adoc Co-authored-by: Max Leonov --- .../pages/configuring-network-policies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index 4868c17c46..e4246a4196 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc 
@@ -11,7 +11,7 @@ By default, all Pods in a {orch-name} cluster can communicate with each other ev In the context of {prod-short}, this makes it possible for a workspace Pod in one user {orch-namespace} to send traffic to another workspace Pod in a different user {orch-namespace}. For security, multitenant isolation could be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}. -However for {prod-short}, it is necessary for Pods in the {prod-short} {orch-namespace} to be able to communicate with Pods in {orch-namespace}s. +However, Pods in the {prod-short} {orch-namespace} must be able to communicate with Pods in {orch-namespace}s. For a {prod-short} installation with network restrictions such as multitenant isolation configured, the `allow-from-eclipse-che.yaml` NetworkPolicy must be applied to each user {orch-namespace}. From 31949c943340e0358f275375827e74f3b74988fe Mon Sep 17 00:00:00 2001 From: David Kwon Date: Thu, 1 Sep 2022 09:31:06 -0400 Subject: [PATCH 06/12] Update modules/administration-guide/pages/configuring-network-policies.adoc Co-authored-by: Max Leonov --- .../pages/configuring-network-policies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index e4246a4196..5100fa463d 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc @@ -45,4 +45,4 @@ spec: * link:https://kubernetes.io/docs/concepts/security/multi-tenancy/#network-isolation[Network isolation] -include::partial$snip_configuring-network-policies.adoc[] +* link:https://docs.openshift.com/container-platform/{ocp4-ver}/networking/network_policy/multitenant-network-policy.html[Configuring multitenant isolation with network policy] 
From 9bf0226987a48248d8ade866f0ddc5245daa27d2 Mon Sep 17 00:00:00 2001 From: dkwon17 Date: Thu, 1 Sep 2022 15:06:37 +0000 Subject: [PATCH 07/12] Remove snip, specify user namespace Signed-off-by: dkwon17 --- .../pages/configuring-network-policies.adoc | 2 +- .../partials/snip_configuring-network-policies.adoc | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 modules/administration-guide/partials/snip_configuring-network-policies.adoc diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index 5100fa463d..d7870b1fc7 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc @@ -11,7 +11,7 @@ By default, all Pods in a {orch-name} cluster can communicate with each other ev In the context of {prod-short}, this makes it possible for a workspace Pod in one user {orch-namespace} to send traffic to another workspace Pod in a different user {orch-namespace}. For security, multitenant isolation could be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}. -However, Pods in the {prod-short} {orch-namespace} must be able to communicate with Pods in {orch-namespace}s. +However, Pods in the {prod-short} {orch-namespace} must be able to communicate with Pods in user {orch-namespace}s. For a {prod-short} installation with network restrictions such as multitenant isolation configured, the `allow-from-eclipse-che.yaml` NetworkPolicy must be applied to each user {orch-namespace}. diff --git a/modules/administration-guide/partials/snip_configuring-network-policies.adoc b/modules/administration-guide/partials/snip_configuring-network-policies.adoc deleted file mode 100644 index 14b211a19e..0000000000 --- a/modules/administration-guide/partials/snip_configuring-network-policies.adoc +++ /dev/null 
@@ -1 +0,0 @@ -* link:https://docs.openshift.com/container-platform/{ocp4-ver}/networking/network_policy/multitenant-network-policy.html[Configuring multitenant isolation with network policy] From 1a9b332be50c1d785cb1c7ecd81d009b93b1ca2b Mon Sep 17 00:00:00 2001 From: Max Leonov Date: Thu, 1 Sep 2022 17:15:05 +0200 Subject: [PATCH 08/12] Update modules/administration-guide/pages/configuring-network-policies.adoc Co-authored-by: David Kwon --- .../pages/configuring-network-policies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index d7870b1fc7..237f209d37 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc @@ -13,7 +13,7 @@ In the context of {prod-short}, this makes it possible for a workspace Pod in on For security, multitenant isolation could be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}. However, Pods in the {prod-short} {orch-namespace} must be able to communicate with Pods in user {orch-namespace}s. -For a {prod-short} installation with network restrictions such as multitenant isolation configured, the `allow-from-eclipse-che.yaml` NetworkPolicy must be applied to each user {orch-namespace}. +For a cluster with network restrictions such as multitenant isolation already configured, you must apply the `allow-from-eclipse-che.yaml` NetworkPolicy to each user {orch-namespace}. The `allow-from-eclipse-che` NetworkPolicy allows incoming traffic from the {prod-short} namespace to all Pods in the user {orch-namespace}. The `allow-from-eclipse-che` NetworkPolicy allows incoming traffic from the {prod-short} namespace to all Pods in the user {orch-namespace}. From 77268d072ef05a4cd4977c8688276d5728512153 Mon Sep 17 00:00:00 2001 
From: Max Leonov Date: Thu, 1 Sep 2022 17:15:33 +0200 Subject: [PATCH 09/12] Update modules/administration-guide/pages/configuring-network-policies.adoc --- .../administration-guide/pages/configuring-network-policies.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index 237f209d37..c4e5bc4f64 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc @@ -15,7 +15,6 @@ However, Pods in the {prod-short} {orch-namespace} must be able to communicate w For a cluster with network restrictions such as multitenant isolation already configured, you must apply the `allow-from-eclipse-che.yaml` NetworkPolicy to each user {orch-namespace}. The `allow-from-eclipse-che` NetworkPolicy allows incoming traffic from the {prod-short} namespace to all Pods in the user {orch-namespace}. -The `allow-from-eclipse-che` NetworkPolicy allows incoming traffic from the {prod-short} namespace to all Pods in the user {orch-namespace}. .`allow-from-eclipse-che.yaml` ==== From 1c930146f41f161c0c63441778734319eaaa90a6 Mon Sep 17 00:00:00 2001 From: David Kwon Date: Thu, 1 Sep 2022 11:33:30 -0400 Subject: [PATCH 10/12] Update modules/administration-guide/pages/configuring-network-policies.adoc Co-authored-by: Max Leonov --- .../pages/configuring-network-policies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index c4e5bc4f64..460d149d93 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc 
@@ -36,7 +36,7 @@ spec: ---- ==== <1> The {prod-short} namespace. The default is `{prod-namespace}`. -<2> The empty podSelector selects all Pods in the {orch-namespace}. +<2> The empty `podSelector` selects all Pods in the {orch-namespace}. .Additional resources From f19fad6476cdfc119a75f325b3281cdffc78e31d Mon Sep 17 00:00:00 2001 From: dkwon17 Date: Thu, 1 Sep 2022 15:34:30 +0000 Subject: [PATCH 11/12] Remove .yaml when referencing the network policy Signed-off-by: dkwon17 --- .../pages/configuring-network-policies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index 460d149d93..dd8706c930 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc @@ -13,7 +13,7 @@ In the context of {prod-short}, this makes it possible for a workspace Pod in on For security, multitenant isolation could be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}. However, Pods in the {prod-short} {orch-namespace} must be able to communicate with Pods in user {orch-namespace}s. -For a cluster with network restrictions such as multitenant isolation already configured, you must apply the `allow-from-eclipse-che.yaml` NetworkPolicy to each user {orch-namespace}. The `allow-from-eclipse-che` NetworkPolicy allows incoming traffic from the {prod-short} namespace to all Pods in the user {orch-namespace}. +For a cluster with network restrictions such as multitenant isolation already configured, you must apply the `allow-from-eclipse-che` NetworkPolicy to each user {orch-namespace}. The `allow-from-eclipse-che` NetworkPolicy allows incoming traffic from the {prod-short} namespace to all Pods in the user {orch-namespace}. .`allow-from-eclipse-che.yaml` 
From fd6ae96b70d3bf0c4e205090ed77a6ff47564451 Mon Sep 17 00:00:00 2001 From: dkwon17 Date: Thu, 1 Sep 2022 15:48:08 +0000 Subject: [PATCH 12/12] Replace eclipse-che in network policy name to {prod-namespace} Signed-off-by: dkwon17 --- .../pages/configuring-network-policies.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index dd8706c930..cc6db6f47a 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc @@ -13,17 +13,17 @@ In the context of {prod-short}, this makes it possible for a workspace Pod in on For security, multitenant isolation could be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user {orch-namespace}. However, Pods in the {prod-short} {orch-namespace} must be able to communicate with Pods in user {orch-namespace}s. -For a cluster with network restrictions such as multitenant isolation already configured, you must apply the `allow-from-eclipse-che` NetworkPolicy to each user {orch-namespace}. The `allow-from-eclipse-che` NetworkPolicy allows incoming traffic from the {prod-short} namespace to all Pods in the user {orch-namespace}. +For a cluster with network restrictions such as multitenant isolation already configured, you must apply the `allow-from-{prod-namespace}` NetworkPolicy to each user {orch-namespace}. The `allow-from-{prod-namespace}` NetworkPolicy allows incoming traffic from the {prod-short} namespace to all Pods in the user {orch-namespace}. -.`allow-from-eclipse-che.yaml` +.`allow-from-{prod-namespace}.yaml` ==== [source,yaml,subs="+quotes,attributes"] ---- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-from-eclipse-che + name: allow-from-{prod-namespace} spec: ingress: - from: