Configuring network policies

By default, Kubernetes does not restrict Pod-to-Pod traffic: any Pod can reach any other Pod, even across namespaces. For Che, this means a workspace Pod in one user namespace can send traffic to a workspace Pod in a different user namespace.

To isolate tenants, you can use NetworkPolicy objects to restrict incoming traffic to the Pods in each user namespace. Once any NetworkPolicy selects a Pod for ingress, that Pod accepts only the ingress traffic that some policy explicitly allows. Pods in the Che namespace must still be able to reach Pods in user namespaces, so that traffic needs an explicit allow rule. NetworkPolicy objects are only enforced if the cluster network plugin supports them; on a plugin without support they are accepted by the API server but have no effect.

Prerequisites
  • The Kubernetes cluster has network restrictions such as multitenant isolation.

Procedure
  • Apply the allow-from-eclipse-che NetworkPolicy to each user namespace. The manifest below sets no metadata.namespace, so pass the target namespace on the command line, for example `kubectl apply -n <user-namespace> -f allow-from-eclipse-che.yaml`. The policy allows incoming traffic from any Pod in the Che namespace to all Pods in the user namespace. Because it selects every Pod in the namespace and lists only that one source, those Pods stop accepting ingress from other user namespaces unless another policy allows it.

    Example 1. allow-from-eclipse-che.yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-from-eclipse-che
    spec:
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: eclipse-che   (1)
      podSelector: {}   (2)
      policyTypes:
        - Ingress
    1 The Che namespace. The default is eclipse-che. The kubernetes.io/metadata.name label is set automatically on every namespace by Kubernetes 1.21 and later.
    2 The empty podSelector selects all Pods in the namespace the policy is applied to.
  • OPTIONAL: If you have applied the OpenShift procedure Configuring multitenant isolation with network policy, you must also apply the allow-from-openshift-apiserver and allow-from-workspaces-namespaces NetworkPolicies to the eclipse-che namespace. allow-from-openshift-apiserver allows incoming traffic from the openshift-apiserver namespace to the devworkspace-webhook-server Pods, so that the admission webhooks keep working. allow-from-workspaces-namespaces allows incoming traffic from every user namespace, selected by the app.kubernetes.io/component: workspaces-namespace label, into the Che namespace; as written it selects all Pods there, which covers the che-gateway Pod that workspaces need to reach.

    Example 2. allow-from-openshift-apiserver.yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-from-openshift-apiserver
      namespace: eclipse-che   (1)
    spec:
      podSelector:
        matchLabels:
          app.kubernetes.io/name: devworkspace-webhook-server   (2)
      ingress:
        - from:
            - podSelector: {}
              namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: openshift-apiserver
      policyTypes:
        - Ingress
    1 The Che namespace. The default is eclipse-che.
    2 The podSelector only selects devworkspace-webhook-server Pods.

    Example 3. allow-from-workspaces-namespaces.yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-from-workspaces-namespaces
      namespace: eclipse-che   (1)
    spec:
      podSelector: {}   (2)
      ingress:
        - from:
            - podSelector: {}
              namespaceSelector:
                matchLabels:
                  app.kubernetes.io/component: workspaces-namespace
      policyTypes:
        - Ingress
    1 The Che namespace. The default is eclipse-che.
    2 The empty podSelector selects all pods in the Che namespace.
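The following script is an added example, not part of the Che project or its documentation. It renders the Example 1 policy once per user namespace with metadata.namespace filled in, rejects namespace names that are not valid DNS labels, and optionally applies and verifies the result with kubectl. It assumes the Che namespace is eclipse-che unless CHE_NAMESPACE is set, and that user namespaces carry the app.kubernetes.io/component=workspaces-namespace label that Example 3 selects on; both are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Che project code): render the allow-from-eclipse-che
# NetworkPolicy for every user namespace and apply it.
# Assumptions (not stated on the page): the Che namespace is "eclipse-che"
# unless CHE_NAMESPACE is set, and user namespaces carry the label
# app.kubernetes.io/component=workspaces-namespace.
set -eu

CHE_NAMESPACE="${CHE_NAMESPACE:-eclipse-che}"

# Refuse anything that is not a valid namespace name (DNS label, max 63
# chars), so a stray line in the input cannot become a bogus manifest.
valid_namespace() {
  ns="$1"
  [ "${#ns}" -le 63 ] || return 1
  printf '%s\n' "$ns" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# Print the page's Example 1 policy with metadata.namespace set explicitly,
# so the document is unambiguous when piped to `kubectl apply -f -`.
render_allow_from_che() {
  ns="$1"
  valid_namespace "$ns" || { echo "invalid namespace name: $ns" >&2; return 1; }
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-eclipse-che
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ${CHE_NAMESPACE}
EOF
}

# Read one namespace per line on stdin and emit a multi-document YAML stream.
render_for_namespaces() {
  first=1
  while IFS= read -r ns; do
    [ -n "$ns" ] || continue
    [ "$first" -eq 1 ] || echo '---'
    first=0
    render_allow_from_che "$ns"
  done
}

# List user namespaces by the label assumed above (needs cluster access).
list_workspace_namespaces() {
  kubectl get namespaces \
    -l app.kubernetes.io/component=workspaces-namespace \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}

# Apply the policy to every user namespace in one kubectl call.
apply_to_workspace_namespaces() {
  list_workspace_namespaces | render_for_namespaces | kubectl apply -f -
}

# Check that each user namespace now carries the policy; kubectl prints
# networkpolicy.networking.k8s.io/allow-from-eclipse-che per namespace
# and the script fails on the first namespace where it is missing.
verify_workspace_namespaces() {
  list_workspace_namespaces | while IFS= read -r ns; do
    kubectl get networkpolicy allow-from-eclipse-che -n "$ns" -o name
  done
}

# Usage: `sh apply-netpol.sh apply` or `sh apply-netpol.sh verify`.
# With no argument the script only defines the functions above.
case "${1:-}" in
  apply) apply_to_workspace_namespaces ;;
  verify) verify_workspace_namespaces ;;
  *) ;;
esac
```

To preview what would be applied without a cluster, pipe namespace names into the renderer: `printf 'alice-che\nbob-che\n' | sh -c '. ./apply-netpol.sh; render_for_namespaces'`. The rendered policy selects every Pod in the user namespace and lists the Che namespace as the only allowed source, so after applying it the workspace Pods drop ingress from other user namespaces unless another policy allows it.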
Additional resources
  • Configuring user namespace provisioning
  • Network isolation
  • Configuring multitenant isolation with network policy