
Bug 1656374

Summary: [DOCS] Security hardening for default OpenShift namespaces using NetworkPolicy SDN plugin
Product: OpenShift Container Platform
Reporter: Ravi Trivedi <travi>
Component: Documentation
Assignee: Andrew Taylor <antaylor>
Status: CLOSED CURRENTRELEASE
QA Contact: Meng Bo <bmeng>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified
Version: 3.10.0
CC: antaylor, aos-bugs, bmeng, csekar, jokerman, mmccomas, vigoyal, wsun
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-04-16 13:48:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ravi Trivedi 2018-12-05 11:15:47 UTC
Document URL: 
https://docs.openshift.com/container-platform/3.10/install_config/configuring_sdn.html

Section Number and Name: 

Configuring Clusters - Configuring the SDN - Migrating Between SDN Plug-ins - Migrating from ovs-multitenant to ovs-networkpolicy

Describe the issue: 

Need elaboration on the security hardening pertaining to NetworkPolicy SDN plugin. The referenced case 02264638 is an example where the customer wanted clarity on security hardening over NetworkPolicy SDN plugin.

Suggestions for improvement: 

We can add a note in the documentation conveying that, for the default OpenShift projects, we require the pods to communicate with other pods from other projects and vice versa. Hence, the user should not indulge in the default functionality for the pods in the default project. In order to have such default NetworkPolicies set for OpenShift projects (default, openshift-sdn, etc.), we would require Egress functionality as well, which is not available yet, and it all needs to be tested by Engineering first.

For user-created projects, the end user can manage the NetworkPolicies separately.

Additional information: 

The main concern of the customer is security hardening for the default OpenShift projects. This is where they intended to create custom NetworkPolicies to control traffic between application projects and the default OpenShift projects. Currently, they should not be dealing with it, as it might affect the cluster adversely.
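As an added illustration of the split the description draws (leave the default projects alone, let users isolate their own projects), here is a pair of v1 NetworkPolicy objects for a user-created project. This is example configuration written for this page, not text from the bug, the customer case or the OpenShift docs. It assumes a project named `myproject` and that a cluster admin has labelled the `default` namespace with `name=default`; the router in OCP 3.x typically runs in that `default` project, which is the reason for the second policy. Only ingress rules appear, because comment 6 below notes that egress policy types, IPBlock and combined pod/namespace selectors are not available in this release.

```yaml
# Added example, not from the bug report or the OpenShift documentation.
# Two NetworkPolicy objects scoped to a user-created project ("myproject" is
# an assumed name). Both use only v1 ingress features, so they stay within
# the limitation quoted in comment 6. The default OpenShift projects are
# deliberately not selected by any policy, as the description advises.
---
# 1. Once any policy selects a pod, only the listed ingress sources are
#    admitted. This first policy selects every pod in the project and admits
#    traffic only from pods in the same project.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: myproject
spec:
  podSelector: {}          # applies to all pods in myproject
  ingress:
  - from:
    - podSelector: {}      # any pod in the same namespace
---
# 2. Additionally admit traffic from the "default" project, where the router
#    runs in OCP 3.x, so routes to services in myproject keep working.
#    Assumes the admin has run: oc label namespace default name=default
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-default-namespace
  namespace: myproject
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: default
```

Apply both with `oc apply -f <file>` while logged in as the project admin. Policies are additive: a pod selected by both objects accepts ingress from either source, and everything else is dropped. Pods in projects with no policy at all remain reachable from anywhere, so a project with only the second policy would still be isolated from other application projects but open to the router.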

Comment 6 Andrew Taylor 2019-03-21 15:05:29 UTC
Hello,

Thank you for bringing this bug to our attention. I have found a note in other parts of our documentation that describes what Ravi was requesting:

"Only the v1 NetworkPolicy features are available in OpenShift Container Platform. This means that egress policy types, IPBlock, and combining podSelector and namespaceSelector are not available in OpenShift Container Platform."

https://docs.openshift.com/container-platform/3.10/admin_guide/managing_networking.html#admin-guide-networking-networkpolicy

I will add this to 3.6+ with QA's approval. Bo Meng, please take a look at the PR:

https://github.com/openshift/openshift-docs/pull/14198

Thanks,
Andrew

Comment 7 Meng Bo 2019-03-29 03:19:35 UTC
The change looks good to me.

Comment 14 Wei Sun 2019-04-10 03:09:18 UTC
Please help check if it could be verified.

Comment 15 Meng Bo 2019-04-10 05:51:44 UTC
Changes are merged.

Comment 17 Andrew Taylor 2019-04-11 15:59:45 UTC
Changes have been merged to 3.7+. I originally was planning to cherry-pick to 3.6; however, it seems NetworkPolicy was tech preview for that release. Setting release pending.

Comment 18 Andrew Taylor 2019-04-16 13:48:20 UTC
Hello,

These changes are now live in 3.7+. As this bug was filed against 3.10, I've provided the URL below:

https://docs.openshift.com/container-platform/3.10/install_config/configuring_sdn.html

I will now file this bug as closed/current release.

Thanks,
Andrew