Bug 1656374 - [DOCS] Security hardening for default Openshift namespaces using NetworkPolicy SDN plugin
Summary: [DOCS] Security hardening for default Openshift namespaces using NetworkPolicy SDN plugin
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Andrew Taylor
QA Contact: Meng Bo
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-12-05 11:15 UTC by Ravi Trivedi
Modified: 2019-04-16 13:48 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-16 13:48:20 UTC
Target Upstream Version:



Description Ravi Trivedi 2018-12-05 11:15:47 UTC
Document URL: 
https://docs.openshift.com/container-platform/3.10/install_config/configuring_sdn.html

Section Number and Name: 

Configuring Clusters - Configuring the SDN - Migrating Between SDN Plug-ins - Migrating from ovs-multitenant to ovs-networkpolicy

Describe the issue: 

Need elaboration on the security hardening pertaining to NetworkPolicy SDN plugin. The referenced case 02264638 is an example where the customer wanted clarity on security hardening over NetworkPolicy SDN plugin.

Suggestions for improvement: 

We can add a note in the documentation conveying that, for the default OpenShift projects, we require the pods to communicate with pods from other projects and vice versa. Hence, the user should not interfere with the default functionality for the pods in the default project. In order to have such default network policies set for the OpenShift projects (default, openshift-sdn, etc.), we would require Egress functionality as well, which is not available yet, and it all needs to be tested by Engineering first.

For user-created projects, the end user can manage the network policies separately.

Additional information: 

The main concern of the customer is security hardening for the default OpenShift projects. This is where they intended to create custom network policies to control traffic between application projects and the default OpenShift projects. Currently, they should not be dealing with it, as it might affect the cluster adversely.

Comment 6 Andrew Taylor 2019-03-21 15:05:29 UTC
Hello,

Thank you for bringing this bug to our attention. I have found a note in other parts of our documentation that describe what Ravi was requesting: 

"Only the v1 NetworkPolicy features are available in OpenShift Container Platform. This means that egress policy types, IPBlock, and combining podSelector and namespaceSelector are not available in OpenShift Container Platform."


https://docs.openshift.com/container-platform/3.10/admin_guide/managing_networking.html#admin-guide-networking-networkpolicy


I will add this to 3.6+ with QA's approval. Bo Meng, please take a look at the PR:

https://github.com/openshift/openshift-docs/pull/14198

Thanks,
Andrew
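
The note quoted in comment 6 is the practical constraint: on OpenShift 3.10 only the v1 NetworkPolicy subset is available, so egress rules, ipBlock peers, and a single "from" peer that combines podSelector with namespaceSelector are out, and the description above additionally advises against applying policies to the default OpenShift projects at all. The following checker is an added example written for this page; it is not code from the bug report, the OpenShift docs, or the PR. It walks NetworkPolicy objects in their networking.k8s.io/v1 shape (as returned by `oc get networkpolicy -o json`) and flags each unsupported feature plus any policy aimed at a default project. The sample policies are constructed for the example, and treating every "openshift-" namespace as a default project is an assumption of the example, not something the bug states (it names only `default` and `openshift-sdn`).

```python
# Added example, not code from the bug report or the OpenShift docs.
# Checks NetworkPolicy objects against the v1-only subset that the quoted
# 3.10 documentation describes: no egress rules, no ipBlock peers, and no
# single "from" peer that combines podSelector with namespaceSelector. It
# also warns when a policy targets one of the default OpenShift projects,
# which the bug advises leaving alone.
from typing import Dict, List

# Namespaces the bug names as default OpenShift projects. The "openshift-"
# prefix rule below is an assumption made for this example, not something
# the bug or the docs state.
DEFAULT_PROJECTS = {"default", "openshift-sdn"}


def targets_default_project(policy: Dict) -> bool:
    """True if the policy lives in a namespace treated as a default project."""
    ns = policy.get("metadata", {}).get("namespace", "")
    return ns in DEFAULT_PROJECTS or ns.startswith("openshift-")


def unsupported_features(policy: Dict) -> List[str]:
    """Return findings for v1 features the ovs-networkpolicy plug-in in
    OpenShift 3.10 does not implement; an empty list means the policy is
    within the supported subset."""
    meta = policy.get("metadata", {})
    name = f'{meta.get("namespace", "?")}/{meta.get("name", "?")}'
    spec = policy.get("spec", {})
    findings: List[str] = []

    # Egress can be requested either as rules or via policyTypes.
    if "egress" in spec:
        findings.append(f"{name}: spec.egress is not supported")
    if "Egress" in (spec.get("policyTypes") or []):
        findings.append(f"{name}: policyTypes includes Egress")

    for i, rule in enumerate(spec.get("ingress") or []):
        for j, peer in enumerate(rule.get("from") or []):
            where = f"{name}: ingress[{i}].from[{j}]"
            if "ipBlock" in peer:
                findings.append(f"{where} uses ipBlock")
            if "podSelector" in peer and "namespaceSelector" in peer:
                findings.append(
                    f"{where} combines podSelector and namespaceSelector")
    return findings


def lint(policies: List[Dict]) -> Dict[str, List[str]]:
    """Map each policy's namespace/name to its findings; policies with no
    findings are omitted from the report."""
    report: Dict[str, List[str]] = {}
    for p in policies:
        meta = p.get("metadata", {})
        key = f'{meta.get("namespace", "?")}/{meta.get("name", "?")}'
        findings = unsupported_features(p)
        if targets_default_project(p):
            findings.append(f"{key}: targets a default OpenShift project; "
                            "leave cluster projects unrestricted")
        if findings:
            report[key] = findings
    return report


# Constructed sample objects shaped like networking.k8s.io/v1 NetworkPolicy
# (what `oc get networkpolicy -o json` returns, trimmed to the fields used).
SAFE_POLICY = {  # user project: allow ingress only from pods in the same namespace
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-same-namespace", "namespace": "myapp"},
    "spec": {
        "podSelector": {},
        "ingress": [{"from": [{"podSelector": {}}]}],
    },
}

UNSUPPORTED_POLICY = {  # uses every feature the 3.10 docs list as unavailable
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "egress-and-ipblock", "namespace": "myapp"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [
            {"ipBlock": {"cidr": "10.128.0.0/14"}},
            {"podSelector": {"matchLabels": {"app": "web"}},
             "namespaceSelector": {"matchLabels": {"team": "a"}}},
        ]}],
        "egress": [{"to": [{"podSelector": {}}]}],
    },
}

DEFAULT_PROJECT_POLICY = {  # same safe shape, but aimed at a cluster project
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-all", "namespace": "openshift-sdn"},
    "spec": {"podSelector": {}, "ingress": []},
}

if __name__ == "__main__":
    report = lint([SAFE_POLICY, UNSUPPORTED_POLICY, DEFAULT_PROJECT_POLICY])
    for findings in report.values():
        for f in findings:
            print(f)
```

The bug does not say whether the 3.10 API server rejects these fields or accepts them and silently ignores them, so read a finding as "this policy will not enforce what its author expects on this release" rather than as a guaranteed error; run the check against exported policies before migrating from ovs-multitenant to ovs-networkpolicy, and keep cluster projects out of scope as the description recommends.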

Comment 7 Meng Bo 2019-03-29 03:19:35 UTC
The change looks good to me.

Comment 14 Wei Sun 2019-04-10 03:09:18 UTC
Please help check if it could be verified.

Comment 15 Meng Bo 2019-04-10 05:51:44 UTC
Changes are merged.

Comment 17 Andrew Taylor 2019-04-11 15:59:45 UTC
Changes have been merged to 3.7+. I was originally planning to cherry-pick to 3.6; however, it seems NetworkPolicy was tech preview for that release. Setting release pending.

Comment 18 Andrew Taylor 2019-04-16 13:48:20 UTC
Hello,

These changes are now live in 3.7+. As this bug was filed against 3.10, I've provided the URL below:

https://docs.openshift.com/container-platform/3.10/install_config/configuring_sdn.html


I will now file this bug as closed/current release.

Thanks,
Andrew
