Hi, it's kind of hard to explain my problem, but I am trying to get 
network policy to work in OKD 3.11, and it seems it doesn't work as it should. 
Does it work in a different way than in Kubernetes?
I am using the ovs-networkpolicy plugin.

The problem is related to pod labels, which don't seem to work as they are 
documented in the Kubernetes docs 
(https://kubernetes.io/docs/concepts/services-networking/network-policies/).

  podSelector:
    matchLabels:
      app: <name>

For example, I have two projects, A and B. In project A I have a pod with label 
app: web and in project B I have a pod with label app: db.
I have labeled project B with label project: B, and project A with label 
project A, and also labeled the pods.
It still doesn't work.

Now I create a network policy which should be able to allow this access.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-B-to-A
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: DB
        - namespaceSelector:
            matchLabels:
              project: B


I read in the documentation:
Only the v1 NetworkPolicy features are available in OKD. This means that egress 
policy types, IPBlock, and combining podSelector and namespaceSelector are not 
available in OKD.

It works if I use only namespaceSelector, so it allows access from a specific 
namespace TO a specific pod inside a project, NOT from a specific pod in another 
project to a pod inside a different project, as I mentioned before.
I tried to allow access using only podSelector without namespaceSelector, but 
still without success.
Is there any workaround or solution to allow/restrict access between 
specific pod labels in different projects/namespaces?

--

Best,

Alexander Kozhemyakin
System Engineer, SRE

Tel: + 372 58167904
alexander.kozhemya...@bigbank.ee

Bigbank I www.bigbank.ee
Riia 2, 51004, Tartu, Estonia


_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
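
Added example, not part of the original message: a small Python evaluator of upstream Kubernetes `ingress.from` peer semantics, applied to the policy posted above and two variants. It assumes the policy is created in project A; the namespace names `a`/`b`, the `cron` pod and the `app: db` selector in the pod-only and combined variants are constructed.

```python
# Added example: evaluates NetworkPolicy ingress peers with upstream Kubernetes
# semantics. Namespace names and pod records below are constructed samples.

def labels_match(selector, labels):
    """matchLabels: every key/value must be equal; comparison is case-sensitive."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src_pod, namespaces):
    """One entry of ingress.from. Returns True if src_pod is selected by it."""
    pod_sel = peer.get("podSelector")
    ns_sel = peer.get("namespaceSelector")
    src_ns = src_pod["namespace"]
    if ns_sel is None:
        # podSelector alone: only pods in the policy's own namespace.
        return src_ns == policy_ns and labels_match(pod_sel, src_pod["labels"])
    if not labels_match(ns_sel, namespaces[src_ns]):
        return False
    # namespaceSelector alone: every pod in a matching namespace.
    # Both selectors in ONE entry (upstream form): the pod must match too.
    return pod_sel is None or labels_match(pod_sel, src_pod["labels"])

def ingress_allowed(policy, policy_ns, src_pod, namespaces):
    """Entries of a 'from' list are OR-ed together."""
    return any(peer_allows(p, policy_ns, src_pod, namespaces)
               for rule in policy["spec"]["ingress"] for p in rule["from"])

# Constructed cluster state: project names "a"/"b" and the "cron" pod are assumed.
NAMESPACES = {"a": {"project": "A"}, "b": {"project": "B"}}
DB_IN_B = {"namespace": "b", "labels": {"app": "db"}}
OTHER_IN_B = {"namespace": "b", "labels": {"app": "cron"}}
DB_IN_A = {"namespace": "a", "labels": {"app": "db"}}

def policy_with(peers):
    return {"spec": {"podSelector": {"matchLabels": {"app": "web"}},
                     "ingress": [{"from": peers}]}}

# The two separate peers from the post (OR-ed), with the post's 'app: DB' spelling.
POSTED = policy_with([{"podSelector": {"matchLabels": {"app": "DB"}}},
                      {"namespaceSelector": {"matchLabels": {"project": "B"}}}])
# podSelector only (selector value assumed): stays inside the policy's namespace.
POD_ONLY = policy_with([{"podSelector": {"matchLabels": {"app": "db"}}}])
# Both selectors in one entry: the form the quoted OKD text lists as unavailable.
COMBINED = policy_with([{"podSelector": {"matchLabels": {"app": "db"}},
                         "namespaceSelector": {"matchLabels": {"project": "B"}}}])

if __name__ == "__main__":
    for name, pol in [("posted", POSTED), ("pod-only", POD_ONLY), ("combined", COMBINED)]:
        print(name, [ingress_allowed(pol, "a", p, NAMESPACES)
                     for p in (DB_IN_B, OTHER_IN_B, DB_IN_A)])
```

The three result columns are the db pod in project B, another pod in project B, and a db-labelled pod in project A, which makes the difference between a namespace-wide allow and a pod-scoped allow visible.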
