Network policies for projects


#1

There appears to be a default network policy applied to projects in the API, but I do not see any documentation nor UI for them; in my use case, I prefer to limit pod/container communication to a project, but allow communication outside for proxies or load balancers, etc. I haven’t seen anything specific to this in the roadmap, so how are network policies handled in 2.x? Thanks!


#2

That is the default (and only supported) policy, give or take special cases like namespaces with system services in them so DNS and such work.


#3

Thanks @vincent for the reply, I know you guys are all very busy and I appreciate all the hard work on 2.0. So while that’s the default and only officially supported policy, is that to say there is no published (or planned) documentation on setting your own? In the case of, say, one project needing to talk to another, what is the recommended approach? Are they discoverable via DNS and then you could publish a port to, say, a Cluster IP? Apologies if I’m getting the K8s nomenclature wrong.


#4

Paging @leodotcloud


#5

@bradjones1
Projects are isolated, i.e., namespaces within the same project can communicate with each other but not across projects. BUT this is the behavior if the network plugin chosen for the cluster is “Canal”. So if you pick Flannel/Calico you will not have any policies even for project isolation. You can add your own network policies directly using kubectl if you would like. We are still working on providing the customization in the upcoming releases.
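
Editor's added example, not part of the original post and not Rancher's own generated policy: a Kubernetes NetworkPolicy of the kind that could be applied with kubectl to keep a namespace reachable from its own project while opening one port to a proxy in another project. The namespace name, project IDs, pod label and port are placeholders, and it assumes the namespaces carry a `field.cattle.io/projectId` label and that the cluster's network plugin enforces NetworkPolicy.

```yaml
# Added example. All names, IDs, labels and the port are placeholders,
# not values taken from this thread.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-isolation-with-exception   # hypothetical name
  namespace: app-a                         # hypothetical namespace in "project A"
spec:
  podSelector: {}          # empty selector: applies to every pod in app-a
  policyTypes:
    - Ingress              # once selected, pods only accept what is listed below
  ingress:
    # Rule 1: allow all traffic from namespaces in the same project.
    # Assumes namespaces are labelled with their project ID.
    - from:
        - namespaceSelector:
            matchLabels:
              field.cattle.io/projectId: p-aaaaa   # placeholder: project A
    # Rule 2: allow one narrow cross-project path.
    # namespaceSelector and podSelector in the SAME list item are ANDed:
    # the source must be a pod labelled role=proxy AND live in project B.
    - from:
        - namespaceSelector:
            matchLabels:
              field.cattle.io/projectId: p-bbbbb   # placeholder: project B
          podSelector:
            matchLabels:
              role: proxy                          # hypothetical pod label
      ports:
        - protocol: TCP
          port: 8080                               # placeholder port
```

Confirm the labels that actually exist with `kubectl get namespaces --show-labels` before relying on the selectors, then apply the manifest with `kubectl apply -f`. Policies are additive, so any other policy selecting the same pods can widen what is allowed.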


#6

@leodotcloud - Thanks. I’ve had a chance to try this out on GKE with Rancher 2.0.1 and ran into this issue: https://github.com/rancher/rancher/issues/13670


#7

Following up on this point, see https://github.com/rancher/rancher/issues/14085