Configuring network policies

By default, all Pods in a Kubernetes cluster can communicate with each other even if they are in different namespaces. In the context of Che, this makes it possible for a workspace Pod in one user namespace to send traffic to another workspace Pod in a different user namespace.

For security, multitenant isolation could be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user namespace. However, Pods in the Che namespace must be able to communicate with Pods in user namespaces.

Prerequisites

  • The Kubernetes cluster has network restrictions such as multitenant isolation.

Procedure

  • Apply the allow-from-eclipse-che NetworkPolicy to each user namespace. The allow-from-eclipse-che NetworkPolicy allows incoming traffic from the Che namespace to all Pods in the user namespace.

    Example 1. allow-from-eclipse-che.yaml
    apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
    name: allow-from-eclipse-che
spec:
    ingress:
    - from:
        - namespaceSelector:
            matchLabels:
                kubernetes.io/metadata.name: eclipse-che   (1)
    podSelector: {}   (2)
    policyTypes:
    - Ingress
    1 The Che namespace. The default is eclipse-che.
    2 The empty podSelector selects all Pods in the namespace.

  • OPTIONAL: In case you applied Configuring multitenant isolation with network policy, you also must apply allow-from-openshift-apiserver and allow-from-workspaces-namespaces NetworkPolicies to eclipse-che. The allow-from-openshift-apiserver NetworkPolicy allows incoming traffic from openshift-apiserver namespace to the devworkspace-webhook-server enabling webhooks. The allow-from-workspaces-namespaces NetworkPolicy allows incoming traffic from each user project to che-gateway pod.

    Example 2. allow-from-openshift-apiserver.yaml
    apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-apiserver
  namespace: eclipse-che   (1)
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: devworkspace-webhook-server   (2)
  ingress:
    - from:
        - podSelector: {}
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-apiserver
  policyTypes:
    - Ingress
    1 The Che namespace. The default is eclipse-che.
    2 The podSelector only selects devworkspace-webhook-server pods
    Example 3. allow-from-workspaces-namespaces.yaml
    apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-workspaces-namespaces
  namespace: eclipse-che   (1)
spec:
  podSelector: {}   (2)
  ingress:
    - from:
        - podSelector: {}
          namespaceSelector:
            matchLabels:
              app.kubernetes.io/component: workspaces-namespace
  policyTypes:
    - Ingress
    1 The Che namespace. The default is eclipse-che.
    2 The empty podSelector selects all pods in the Che namespace.

  • Configuring user namespace provisioning

  • Network isolation

  • Configuring multitenant isolation with network policy