Parameters

The parent key for all of the following parameters is networkpolicy.

labels

type

dictionary
default 
noDefaults: network-policies.syn.tools/no-defaults
baseDefaults: network-policies.syn.tools/base-defaults
purgeDefaults: network-policies.syn.tools/purge-defaults
purgeNonBase: network-policies.syn.tools/purge-non-base

Name of the labels to be used in other components.

By default every namespace will get policies required for the OpenShift platform and a policy to allow intra-namespace communication. By default, two sets of policies are created in every namespace: - base policies, which are required for the OpenShift platform to function correctly. - default policies, which allow pods in the same namespace to communicate with each other. The default policies can be modified with the labels defined in this parameter.

noDefaults label

Policies will no longer be managed. The already created policies will stay in place and can be modified by the user or other components.

baseDefaults label

Only policies required for the OpenShift platform will be created. The intra-namespace policy will no longer be managed by this component and can be modified by the user or other components.

There’s no guarantee that pods will be able to communicate with each other even if they are in the same namespace once the intra-namespace policies is modified or removed by the user.

purgeDefaults label

All managed policies will be purged from the namespace.

purgeNonBase label

All managed policies except the platform required policies will be purged from the namespace.

The purge* labels should always be acompanied by their respective noDefaults or baseDefaults label.

allowNamespaceLabels

type

list of tuples
default

empty list

A list of labels matching namespaces to allow traffic from. Each list item can contain several key value pairs. They result in an AND condition. Individual list items will result in an OR condition.

allowNamespaceLabels:
  - my-label-a: true
    my-label-b: true
  - my-label-c: true

In the above example, traffic will be allowed if a namespaces has the label my-label-a=true AND my-label-b=true. Traffic will also be allowed if a namespace is labeled my-label-c.

ignoredNamespaces

type

list of strings
default

empty list

A list of namespace names where no default NetworkPolicies will be created. Default NetworkPolicies will be purged for all namespaces in this list. Entries in the list can be removed by adding the entry prefixed with a ~.

networkPlugin

type

string
default

''

The network plugin installed on the cluster.

This needs to be set when using the Cilium network plugin. Otherwise some policies might not be applied correctly.

ciliumClusterID

type

string
default

''

This parameter controls whether the component isolates namespaces with the same name from each other in a Cilium cluster mesh. The default behavior if the parameter is empty is to allow connectivity between namespaces with the same name across clusters.

If this behavior isn’t desired, this parameter can be set to the cluster’s Cilium cluster ID (which is configured in parameter cilium.cilium_helm_values.cluster.name when using cluster mesh). When the parameter isn’t empty, the component will adjust the allow-from-same-namespace policy with the following snippet:

spec:
 ingress:
 - from:
   - podSelector:
       matchLabels:
         io.cilium.k8s.policy.cluster: <ciliumClusterID> (1)
1 <ciliumClusterID> is replaced with the string provided in this parameter

allowFromNodeLabels

type

dict
default

{}

This parameter allows users to customize the allow-from-cluster-nodes CiliumNetworkPolicy.

When this parameter is empty, this policy allow access from workloads running on all cluster nodes (including nodes of other clusters in the same cluster mesh) to workloads. This ensures that — for example — an ingress controller which is running in host-network mode can access workloads that are exposed through an Ingress.

When the parameter isn’t empty, the component uses the contents as the value for matchLabels in a fromNodes entry in the CiliumNetworkPolicy. This restricts access to workloads to the host network on nodes matching the provided label selector(s). See the Cilium documentation for details on the fromNodes policy mechanism.

When setting a value for this parameter, you must ensure that you’re using Cilium 1.16 or newer and that the Helm value nodeSelectorLabels=true is set for your Cilium installation.

The allow-from-cluster-nodes policy always allows access to workloads in the namespace from the host on which they’re running. This ensures that the Kubernetes health checks work as expected regardless of the provided label selector.

For isolating access to workloads between clusters in a Cilium cluster mesh, you can label all nodes of each cluster with the cluster’s Project Syn ID, for example with kubectl label nodes --all syn.tools/cluster-id=c-the-cluster-1234.

Then you can set this parameter as

allowFromNodeLabels:
  syn.tools/cluster-id: ${cluster:name}

Example

# Allow traffic from ingress and monitoring
allowNamespaceLabels:
  - network.openshift.io/policy-group: monitoring
  - network.openshift.io/policy-group: ingress
# Do not create the default policies in the OpenShift namespaces.
ignoredNamespaces:
  - openshift
  - openshift-apiserver
  - openshift-apiserver-operator
  - …