aroworkshop/_entries/02-06 networkpolicy.md

---
sectionid: networkpolicy
sectionclass: h2
title: Create Network Policy
parent-id: lab-ratingapp
---

Now that you have the application working, it is time to apply some security hardening. You'll use [network policies](https://docs.openshift.com/aro/4/networking/network_policy/about-network-policy.html) to restrict communication to the `rating-api`.

### Switch to the Cluster Console

{% collapsible %}

Switch to the Administrator console.
![Switch to the Administrator console](media/switch-to-admin-console.png)

Make sure you're in the **workshop** project, expand **Networking** and click **Create Network Policy**.
![Cluster console page](media/cluster-console.png)

{% endcollapsible %}

### Create network policy

{% collapsible %}

You will create a policy that applies to any pod matching the `app=rating-api` label. The policy will allow ingress only from pods matching the `app=rating-web` label.

Use the YAML below in the editor, and make sure you're targeting the **workshop** project.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-web
  namespace: workshop
spec:
  podSelector:
    matchLabels:
      app: rating-api
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: rating-web
```

![Create network policy](media/create-networkpolicy.png)

Click **Create**.

{% endcollapsible %}

> **Resources**
> * [ARO Documentation - Managing Networking with Network Policy](https://docs.openshift.com/aro/4/networking/network_policy/creating-network-policy.html)
Added web stuff 2019-06-18 10:19:06 +03:00			`---`
			`sectionid: networkpolicy`
			`sectionclass: h2`
Updates from workshop feedback 2019-09-09 13:02:09 +03:00			`title: Create Network Policy`
Split into 2 labs 2019-06-19 00:56:11 +03:00			`parent-id: lab-ratingapp`
Added web stuff 2019-06-18 10:19:06 +03:00			`---`

ARO4 updates to network policy 2020-10-06 00:59:16 +03:00			Now that you have the application working, it is time to apply some security hardening. You'll use [network policies](https://docs.openshift.com/aro/4/networking/network_policy/about-network-policy.html) to restrict communication to the `rating-api`.
Added network policy stuff 2019-06-18 10:45:01 +03:00
			`### Switch to the Cluster Console`

			`{% collapsible %}`

ARO4 updates to network policy 2020-10-06 00:59:16 +03:00			`Switch to the Administrator console.`
			`![Switch to the Administrator console](media/switch-to-admin-console.png)`

			`Make sure you're in the workshop project, expand Networking and click Create Network Policy.`
Added network policy stuff 2019-06-18 10:45:01 +03:00			`![Cluster console page](media/cluster-console.png)`

			`{% endcollapsible %}`

			`### Create network policy`

			`{% collapsible %}`

			You will create a policy that applies to any pod matching the `app=rating-api` label. The policy will allow ingress only from pods matching the `app=rating-web` label.

			`Use the YAML below in the editor, and make sure you're targeting the workshop project.`

			```yaml
			`apiVersion: networking.k8s.io/v1`
			`kind: NetworkPolicy`
			`metadata:`
			`name: api-allow-from-web`
			`namespace: workshop`
			`spec:`
			`podSelector:`
			`matchLabels:`
			`app: rating-api`
			`ingress:`
			`- from:`
			`- podSelector:`
			`matchLabels:`
			`app: rating-web`
			```

			`![Create network policy](media/create-networkpolicy.png)`

			`Click Create.`

			`{% endcollapsible %}`

			`> Resources`
ARO4 updates to network policy 2020-10-06 00:59:16 +03:00			`> * [ARO Documentation - Managing Networking with Network Policy](https://docs.openshift.com/aro/4/networking/network_policy/creating-network-policy.html)`