Network policy #9077
Open
Network policy #9077
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Only pod (not service) ports are applicable. Signed-off-by: Jakub Klinkovský <1289205+lahwaacz@users.noreply.github.com>
Signed-off-by: Jakub Klinkovský <1289205+lahwaacz@users.noreply.github.com>
Based on the documentation in https://longhorn.io/docs/1.6.2/references/networking/ Signed-off-by: Jakub Klinkovský <1289205+lahwaacz@users.noreply.github.com>
The `examples/network-policy/` directory is outdated, the chart contains up-to-date network policies. Signed-off-by: Jakub Klinkovský <1289205+lahwaacz@users.noreply.github.com>
…c port Signed-off-by: Jakub Klinkovský <1289205+lahwaacz@users.noreply.github.com>
|
The removed Edit: done in longhorn/website#955 |
lahwaacz
added a commit
to lahwaacz/longhorn-website
that referenced
this pull request
Jul 28, 2024
|
I have some questions about the network policies:
|
…c ports Signed-off-by: Jakub Klinkovský <1289205+lahwaacz@users.noreply.github.com>
…ge-manager according to the documentation The original policies mixed some ingress and egress rules and did not specify port numbers. Signed-off-by: Jakub Klinkovský <1289205+lahwaacz@users.noreply.github.com>
lahwaacz
added a commit
to lahwaacz/longhorn-website
that referenced
this pull request
Aug 4, 2024
lahwaacz
added a commit
to lahwaacz/longhorn-website
that referenced
this pull request
Aug 4, 2024
innobead
pushed a commit
to lahwaacz/longhorn-website
that referenced
this pull request
Aug 5, 2024
See longhorn/longhorn#9077 for context. Signed-off-by: davidko <dko@suse.com>
innobead
pushed a commit
to longhorn/website
that referenced
this pull request
Aug 5, 2024
See longhorn/longhorn#9077 for context. Signed-off-by: davidko <dko@suse.com>
|
Assigned to @ChanYiLin to help with this review. cc @derekbit |
M4t7e
reviewed
Nov 4, 2024
There was a problem hiding this comment.
These changes might be not sufficient especially when no ingress controller is used. See: #9067 (comment)
There was a problem hiding this comment.
You are right, this case is not addressed in this pull request. I was focusing on "simple" improvements that don't depend on any configuration, but the review is taking too long regardless... 😞
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Which issue(s) this PR fixes:
Issue #9067
What this PR does / why we need it:
Current network policies are too open, they should be allow only traffic that is specifically needed for Longhorn functionality and deny the rest.
The policies should also be in line with the documentation: https://longhorn.io/docs/1.6.2/references/networking/
Future work
I will go offline in the following days and have a busy next week, but I will definitely revisit this later! Maintainers are invited to push to my branch or split the rest to a separate issue if doing it by parts is preferred.