apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
As a cluster administrator, you can configure network policy for additional networks.
You can specify multi-network policy for only macvlan additional networks. Other types of additional networks, such as ipvlan, are not supported. |
Although the MultiNetworkPolicy
API implements the NetworkPolicy
API, there are several important differences:
You must use the MultiNetworkPolicy
API:
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
You must use the multi-networkpolicy
resource name when using the cli to interact with multi-network policies. For example, you can view a multi-network policy object with the oc get multi-networkpolicy <name>
command where <name>
is the name of a multi-network policy.
You must specify an annotation with the name of the network attachment definition that defines the macvlan additional network:
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
annotations:
k8s.v1.cni.cncf.io/policy-for: <network_name>
where:
<network_name>
Specifies the name of a network attachment definition.
As a cluster administrator, you can enable multi-network policy support on your cluster.
Install the OpenShift cli (oc
).
Log in to the cluster with a user with cluster-admin
privileges.
Create the multinetwork-enable-patch.yaml
file with the following YAML:
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
name: cluster
spec:
useMultiNetworkPolicy: true
Configure the cluster to enable multi-network policy:
$ oc patch network.operator.openshift.io cluster --type=merge --patch-file=multinetwork-enable-patch.yaml
network.operator.openshift.io/cluster patched
As a cluster administrator, you can create, edit, view, and delete multi-network policies.
To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a multi-network policy.
Your cluster uses a cluster network provider that supports NetworkPolicy
objects, such as
the OpenShift SDN network provider with mode: NetworkPolicy
set.
This mode is the default for OpenShift SDN.
You installed the OpenShift cli (oc
).
You are logged in to the cluster with a user with cluster-admin
privileges.
You are working in the namespace that the multi-network policy applies to.
Create a policy rule:
Create a <policy_name>.yaml
file:
$ touch <policy_name>.yaml
where:
<policy_name>
Specifies the multi-network policy file name.
Define a multi-network policy in the file that you just created, such as in the following examples:
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
name: deny-by-default
annotations:
k8s.v1.cni.cncf.io/policy-for: <network_name>
spec:
podSelector:
ingress: []
where
<network_name>
Specifies the name of a network attachment definition.
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
name: allow-same-namespace
annotations:
k8s.v1.cni.cncf.io/policy-for: <network_name>
spec:
podSelector:
ingress:
- from:
- podSelector: {}
where
<network_name>
Specifies the name of a network attachment definition.
To create the multi-network policy object, enter the following command:
$ oc apply -f <policy_name>.yaml -n <namespace>
where:
<policy_name>
Specifies the multi-network policy file name.
<namespace>
Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.
multinetworkpolicy.k8s.cni.cncf.io/default-deny created
If you log in to the web console with |
You can edit a multi-network policy in a namespace.
Your cluster uses a cluster network provider that supports NetworkPolicy
objects, such as
the OpenShift SDN network provider with mode: NetworkPolicy
set.
This mode is the default for OpenShift SDN.
You installed the OpenShift cli (oc
).
You are logged in to the cluster with a user with cluster-admin
privileges.
You are working in the namespace where the multi-network policy exists.
Optional: To list the multi-network policy objects in a namespace, enter the following command:
$ oc get multi-networkpolicy
where:
<namespace>
Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.
Edit the multi-network policy object.
If you saved the multi-network policy definition in a file, edit the file and make any necessary changes, and then enter the following command.
$ oc apply -n <namespace> -f <policy_file>.yaml
where:
<namespace>
Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.
<policy_file>
Specifies the name of the file containing the network policy.
If you need to update the multi-network policy object directly, enter the following command:
$ oc edit multi-networkpolicy <policy_name> -n <namespace>
where:
<policy_name>
Specifies the name of the network policy.
<namespace>
Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.
Confirm that the multi-network policy object is updated.
$ oc describe multi-networkpolicy <policy_name> -n <namespace>
where:
<policy_name>
Specifies the name of the multi-network policy.
<namespace>
Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.
If you log in to the web console with |
You can examine the multi-network policies in a namespace.
You installed the OpenShift cli (oc
).
You are logged in to the cluster with a user with cluster-admin
privileges.
You are working in the namespace where the multi-network policy exists.
List multi-network policies in a namespace:
To view multi-network policy objects defined in a namespace, enter the following command:
$ oc get multi-networkpolicy
Optional: To examine a specific multi-network policy, enter the following command:
$ oc describe multi-networkpolicy <policy_name> -n <namespace>
where:
<policy_name>
Specifies the name of the multi-network policy to inspect.
<namespace>
Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.
If you log in to the web console with |
You can delete a multi-network policy in a namespace.
Your cluster uses a cluster network provider that supports NetworkPolicy
objects, such as
the OpenShift SDN network provider with mode: NetworkPolicy
set.
This mode is the default for OpenShift SDN.
You installed the OpenShift cli (oc
).
You are logged in to the cluster with a user with cluster-admin
privileges.
You are working in the namespace where the multi-network policy exists.
To delete a multi-network policy object, enter the following command:
$ oc delete multi-networkpolicy <policy_name> -n <namespace>
where:
<policy_name>
Specifies the name of the multi-network policy.
<namespace>
Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.
multinetworkpolicy.k8s.cni.cncf.io/default-deny deleted
If you log in to the web console with |