Document / Implement web-terminal running in projects that have NetworkPolicies #90

Open
duritong opened this issue Jul 16, 2021 · 1 comment

duritong commented Jul 16, 2021

If you deploy the default recommended set of NetworkPolicies (https://docs.openshift.com/container-platform/4.7/networking/network_policy/default-network-policy.html) you won't be able to get the web-terminal working in projects where such network policies apply.

Either you start the web terminal in a project where you do not have network policies (unlikely) or you must ensure that you have a project that has the right network policies that allow access.

You can do this the following way:

oc label namespace openshift-console network.openshift.io/policy-group=console
cat >01_web_terminal.yaml<<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: "my-web-terminal"
  labels:
    network.openshift.io/policy-group: web-terminal
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: web-terminal-operator 
  namespace: my-web-terminal
spec:
  channel: alpha
  installPlanApproval: Automatic
  name: web-terminal
  source: redhat-operators
  sourceNamespace: openshift-marketplace
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: web-terminal-operator
  namespace: my-web-terminal
spec:
  targetNamespaces: []
EOF
oc apply -f 01_web_terminal.yaml

cat >02_net_pols.yaml<<EOF
# Allow ingress to all pods from namespaces labelled policy-group=web-terminal
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-web-terminal
spec:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: web-terminal
  podSelector: {}
  policyTypes:
    - Ingress
---
# Allow ingress to all pods from namespaces labelled policy-group=console
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-console
spec:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: console
  podSelector: {}
  policyTypes:
    - Ingress
EOF

In the project where you would like to get your web-terminal running, you'll need to add the additional network policies:

oc apply -f 02_net_pols.yaml

It would be nice if this were documented (e.g. in the official OCP docs), and if web-terminal also makes it out of tech preview, the following needs to happen:

  • webconsole project needs to get a net-pol label
  • operator must install into its own namespace with a label
  • document the additional net pols that are required
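
The effect of the labels and policies in the comment above, as an added example that is not part of the original post or the project's code: a simplified model of how NetworkPolicy ingress rules combine, showing that the source namespace's label decides whether traffic from the web-terminal namespace reaches the project. The function names, the `my-project` target namespace and the default-policy sample are assumptions made for illustration; only `matchLabels` selectors are modelled and every policy is assumed to select all pods.

```python
# Added example: simplified model of NetworkPolicy ingress evaluation.
# Only namespaceSelector/podSelector peers with matchLabels are modelled,
# and every policy is assumed to select all pods (podSelector: {}).

def selector_matches(match_labels, labels):
    """An empty selector matches everything; otherwise all pairs must be present."""
    return all(labels.get(k) == v for k, v in match_labels.items())

def peer_allows(peer, src_ns, src_labels, dst_ns):
    if "namespaceSelector" in peer:
        return selector_matches(peer["namespaceSelector"], src_labels)
    # A podSelector without a namespaceSelector only covers the policy's own namespace.
    return "podSelector" in peer and src_ns == dst_ns

def ingress_allowed(policies, src_ns, src_labels, dst_ns):
    """Policies are additive: traffic passes if any peer of any policy matches.
    With no policies at all the pods are not isolated and all ingress is allowed."""
    if not policies:
        return True
    return any(peer_allows(peer, src_ns, src_labels, dst_ns)
               for policy in policies for peer in policy)

GROUP = "network.openshift.io/policy-group"

# Constructed sample modelled on default-style policies; each policy is a list of `from` peers.
DEFAULT_POLICIES = [
    [{"namespaceSelector": {GROUP: "ingress"}}],   # allow-from-openshift-ingress
    [{"podSelector": {}}],                          # allow-same-namespace
]
# The two policies from 02_net_pols.yaml
EXTRA_POLICIES = [
    [{"namespaceSelector": {GROUP: "web-terminal"}}],  # allow-from-web-terminal
    [{"namespaceSelector": {GROUP: "console"}}],       # allow-from-console
]

def check(policies, terminal_labels):
    """Can pods in my-web-terminal reach pods in the hypothetical my-project?"""
    return ingress_allowed(policies, "my-web-terminal", terminal_labels, "my-project")

if __name__ == "__main__":
    labelled = {GROUP: "web-terminal"}
    print("default only:        ", check(DEFAULT_POLICIES, labelled))
    print("with extra policies: ", check(DEFAULT_POLICIES + EXTRA_POLICIES, labelled))
    print("extra, label missing:", check(DEFAULT_POLICIES + EXTRA_POLICIES, {}))
```

The last case is the one to watch for when rolling this out: the policies in the target project have no effect until the source namespace actually carries the `network.openshift.io/policy-group` label.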

sleshchenko commented Jul 19, 2021

@duritong Thanks for raising this issue. We also have one on Jira: https://issues.redhat.com/browse/WTO-102 (see the issue description for how to enable connections from the openshift-operators namespace).

Also, note that OpenShift Console 4.8 will work only if WTO is installed in the openshift-operators namespace. We have an issue to improve it: https://issues.redhat.com/browse/WTO-99
