Configuring multi-network policy

    Although the MultiNetworkPolicy API implements the NetworkPolicy API, there are several important differences:

    • You must use the MultiNetworkPolicy API.

    • You must use the multi-networkpolicy resource name when using the CLI to interact with multi-network policies. For example, you can view a multi-network policy object with the oc get multi-networkpolicy <name> command where <name> is the name of a multi-network policy.

    • You must specify an annotation with the name of the network attachment definition that defines the macvlan additional network:

        apiVersion: k8s.cni.cncf.io/v1beta1
        kind: MultiNetworkPolicy
        metadata:
          annotations:
            k8s.v1.cni.cncf.io/policy-for: <network_name>

      where:

      <network_name>

      Specifies the name of a network attachment definition.

    As a cluster administrator, you can enable multi-network policy support on your cluster.

    Prerequisites

    • Install the OpenShift CLI (oc).

    • Log in to the cluster with a user with cluster-admin privileges.

    Procedure

    1. Create the multinetwork-enable-patch.yaml file with the following YAML:

        apiVersion: operator.openshift.io/v1
        kind: Network
        metadata:
          name: cluster
        spec:
          useMultiNetworkPolicy: true

    As a cluster administrator, you can create, edit, view, and delete multi-network policies.

    Prerequisites

    • You have enabled multi-network policy support for your cluster.

    To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a multi-network policy.

    Prerequisites

    • Your cluster uses a cluster network provider that supports NetworkPolicy objects, such as the OVN-Kubernetes network provider or the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

    • You installed the OpenShift CLI (oc).

    • You are logged in to the cluster with a user with cluster-admin privileges.

    • You are working in the namespace that the multi-network policy applies to.

    Procedure

    1. Create a policy rule:

      1. Create a <policy_name>.yaml file:

        $ touch <policy_name>.yaml

        where:

        <policy_name>

        Specifies the multi-network policy file name.

      2. Define a multi-network policy in the file that you just created, such as in the following examples:

        Deny ingress from all pods in all namespaces

        where

        <network_name>

        Specifies the name of a network attachment definition.

        Allow ingress from all pods in the same namespace

          apiVersion: k8s.cni.cncf.io/v1beta1
          kind: MultiNetworkPolicy
          metadata:
            name: allow-same-namespace
            annotations:
              k8s.v1.cni.cncf.io/policy-for: <network_name>
          spec:
            podSelector:
            ingress:
            - from:
              - podSelector: {}

        where

        <network_name>

        Specifies the name of a network attachment definition.

    2. To create the multi-network policy object, enter the following command:

      $ oc apply -f <policy_name>.yaml -n <namespace>

      where:

      <policy_name>

      Specifies the multi-network policy file name.

      <namespace>

      Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

      Example output

      multinetworkpolicy.k8s.cni.cncf.io/default-deny created
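    The two example manifests above differ only in their spec, yet one isolates every pod on the secondary network and the other admits traffic from the whole namespace. The following is an added example, not code from the OpenShift documentation: it expresses both manifests as the Python dicts the YAML would yield, checks that a manifest carries the required apiVersion, kind and policy-for annotation, and evaluates whether one pod may send ingress to another over the named network. The allow-same-namespace dict mirrors the page's manifest; the deny policy is constructed from the first example's title and the default-deny name in the example output, not from page YAML. The namespace project1, the network attachment definition name macvlan-net and the pods are assumptions for illustration.

```python
# Added example (not from the OpenShift documentation): check and evaluate
# MultiNetworkPolicy manifests against constructed pods. The namespace
# "project1", the network name "macvlan-net" and the pods are assumptions.
from dataclasses import dataclass, field

POLICY_FOR = "k8s.v1.cni.cncf.io/policy-for"
API_VERSION = "k8s.cni.cncf.io/v1beta1"

# Mirrors the page's allow-same-namespace manifest as the dict YAML would yield:
# a null podSelector selects every pod in the namespace, and the one ingress
# rule admits traffic from any pod in that same namespace.
ALLOW_SAME_NAMESPACE = {
    "apiVersion": API_VERSION,
    "kind": "MultiNetworkPolicy",
    "metadata": {"name": "allow-same-namespace", "namespace": "project1",
                 "annotations": {POLICY_FOR: "macvlan-net"}},
    "spec": {"podSelector": None, "ingress": [{"from": [{"podSelector": {}}]}]},
}

# Constructed to match the title "Deny ingress from all pods in all namespaces":
# every pod is selected and the ingress rule list is empty, so nothing is admitted.
DEFAULT_DENY = {
    "apiVersion": API_VERSION,
    "kind": "MultiNetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "project1",
                 "annotations": {POLICY_FOR: "macvlan-net"}},
    "spec": {"podSelector": None, "ingress": []},
}


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)
    networks: tuple = ()  # secondary networks the pod is attached to


def validate(policy):
    """Return the problems found in a manifest; an empty list means it is well formed."""
    problems = []
    if policy.get("apiVersion") != API_VERSION:
        problems.append(f"apiVersion must be {API_VERSION}")
    if policy.get("kind") != "MultiNetworkPolicy":
        problems.append("kind must be MultiNetworkPolicy")
    annotations = (policy.get("metadata") or {}).get("annotations") or {}
    if not annotations.get(POLICY_FOR):
        problems.append(f"missing {POLICY_FOR} annotation naming the network attachment definition")
    if "spec" not in policy:
        problems.append("missing spec")
    return problems


def selector_matches(selector, labels):
    """matchLabels semantics: a null or empty selector matches every pod."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(policy):
    """policyTypes defaults to Ingress, plus Egress only when egress rules are present."""
    spec = policy["spec"]
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])


def isolates_ingress(policy, pod, network):
    """True when the policy governs ingress to `pod` on the named secondary network."""
    meta = policy["metadata"]
    return (meta["annotations"][POLICY_FOR] == network
            and network in pod.networks
            and meta["namespace"] == pod.namespace
            and "Ingress" in policy_types(policy)
            and selector_matches(policy["spec"].get("podSelector"), pod.labels))


def ingress_allowed(policies, src, dst, network):
    """Decide whether src may send to dst over `network` under the given policies.

    Only podSelector peers are evaluated; a podSelector peer without a
    namespaceSelector refers to pods in the policy's own namespace.
    """
    if network not in src.networks or network not in dst.networks:
        return False  # no path: one side is not attached to the secondary network
    applicable = [p for p in policies if isolates_ingress(p, dst, network)]
    if not applicable:
        return True  # a pod selected by no policy is not isolated on this network
    for policy in applicable:
        for rule in policy["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:
                return True  # a rule without 'from' admits every source
            for peer in peers:
                if "podSelector" in peer and "namespaceSelector" not in peer:
                    same_ns = src.namespace == policy["metadata"]["namespace"]
                    if same_ns and selector_matches(peer["podSelector"], src.labels):
                        return True
    return False  # isolated and matched by no rule
```

    Two points the evaluation makes visible: a policy whose policy-for annotation names a different network attachment definition does not isolate a pod on macvlan-net at all, and applying both manifests in the same namespace yields the union of their rules, so the default-deny policy only takes effect for sources the allow policy does not cover.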

    You can edit a multi-network policy in a namespace.

    Prerequisites

    • Your cluster uses a cluster network provider that supports NetworkPolicy objects, such as the OVN-Kubernetes network provider or the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

    • You are logged in to the cluster with a user with cluster-admin privileges.

    • You are working in the namespace where the multi-network policy exists.

    Procedure

    1. Optional: To list the multi-network policy objects in a namespace, enter the following command:

      $ oc get multi-networkpolicy -n <namespace>

      where:

      <namespace>

      Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

    2. Edit the multi-network policy object.

      • If you saved the multi-network policy definition in a file, edit the file and make any necessary changes, and then enter the following command:

        $ oc apply -n <namespace> -f <policy_file>.yaml

        where:

        <namespace>

        Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

        <policy_file>

        Specifies the name of the file containing the network policy.

      • If you need to update the multi-network policy object directly, enter the following command:

        where:

        <policy_name>

        Specifies the name of the network policy.

        <namespace>

        Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

    3. To confirm that the multi-network policy object is updated, enter the following command:

      $ oc describe multi-networkpolicy <policy_name> -n <namespace>

      where:

      <policy_name>

      Specifies the name of the multi-network policy.

      <namespace>

      Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

    You can examine the multi-network policies in a namespace.

    Prerequisites

    • You installed the OpenShift CLI (oc).

    • You are logged in to the cluster with a user with cluster-admin privileges.

    • You are working in the namespace where the multi-network policy exists.

    Procedure

    • List multi-network policies in a namespace:

      • To view multi-network policy objects defined in a namespace, enter the following command:

        $ oc get multi-networkpolicy

      • Optional: To examine a specific multi-network policy, enter the following command:

        $ oc describe multi-networkpolicy <policy_name> -n <namespace>

        where:

        <policy_name>

        Specifies the name of the multi-network policy to inspect.

        <namespace>

        Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

    You can delete a multi-network policy in a namespace.

    Prerequisites

    • Your cluster uses a cluster network provider that supports NetworkPolicy objects, such as the OVN-Kubernetes network provider or the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

    • You installed the OpenShift CLI (oc).

    • You are logged in to the cluster with a user with cluster-admin privileges.

    • You are working in the namespace where the multi-network policy exists.

    Procedure

    • To delete a multi-network policy object, enter the following command:

      $ oc delete multi-networkpolicy <policy_name> -n <namespace>

      where:

      <policy_name>

      Specifies the name of the multi-network policy.

      <namespace>

      Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

      Example output

      multinetworkpolicy.k8s.cni.cncf.io/default-deny deleted