Configuring network policies
By default, all Pods in a Kubernetes cluster can communicate with each other even if they are in different namespaces. In the context of Che, this makes it possible for a workspace Pod in one user namespace to send traffic to another workspace Pod in a different user namespace.
For security, multitenant isolation can be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user namespace. However, Pods in the Che namespace must still be able to communicate with Pods in user namespaces, so that isolation needs an explicit exception for traffic from the Che namespace.
- Prerequisite: the Kubernetes cluster has network restrictions such as multitenant isolation.
- Apply the allow-from-eclipse-che NetworkPolicy to each user namespace. The allow-from-eclipse-che NetworkPolicy allows incoming traffic from the Che namespace to all Pods in the user namespace.

Example 1. allow-from-eclipse-che.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-eclipse-che
spec:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: eclipse-che   # (1)
  podSelector: {}                                        # (2)
  policyTypes:
    - Ingress
(1) The Che namespace. The default is eclipse-che.
(2) The empty podSelector selects all Pods in the namespace.
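The following is an added example, not code from the Che project: it builds the allow-from-eclipse-che manifest as a Python dict for a given Che namespace and evaluates, offline, whether that policy admits a given source (the namespace label values and Pod labels below are constructed for the example). The evaluator goes slightly beyond the manifest above in that it also honours a peer podSelector, so it can be reused to sanity-check other ingress policies in the user namespace.

```python
"""Build the allow-from-eclipse-che NetworkPolicy and check what it admits."""
import json


def allow_from_che_policy(che_namespace="eclipse-che"):
    """Return the NetworkPolicy manifest (as a dict) to apply in one user namespace."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-from-eclipse-che"},
        "spec": {
            "podSelector": {},  # empty selector: every Pod in the user namespace
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"namespaceSelector": {
                "matchLabels": {"kubernetes.io/metadata.name": che_namespace}}}]}],
        },
    }


def _matches(selector, labels):
    """matchLabels semantics: every required label must be present with that value.
    An empty selector ({}) therefore matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policy, dst_pod_labels, src_ns_labels, src_pod_labels=None):
    """True if this single policy admits traffic from the source to the destination Pod,
    False if it selects the Pod but no rule matches, None if it does not select the Pod.
    NetworkPolicies are additive: a False here only denies traffic when no other policy
    in the namespace allows it, which is the situation multitenant isolation creates."""
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", []) or not _matches(spec["podSelector"], dst_pod_labels):
        return None
    for rule in spec.get("ingress", []):
        for peer in rule.get("from", []):
            ns_ok = "namespaceSelector" not in peer or _matches(peer["namespaceSelector"], src_ns_labels)
            pod_ok = "podSelector" not in peer or _matches(peer["podSelector"], src_pod_labels or {})
            if ns_ok and pod_ok:  # a peer with both selectors requires both to match
                return True
    return False


if __name__ == "__main__":
    policy = allow_from_che_policy()
    print(json.dumps(policy, indent=2))
    workspace = {"app": "workspace"}  # constructed Pod labels in a user namespace
    print("from Che:", ingress_allowed(policy, workspace, {"kubernetes.io/metadata.name": "eclipse-che"}))
    print("from other user ns:", ingress_allowed(policy, workspace, {"kubernetes.io/metadata.name": "user-b-che"}))
```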