55 строки
1.5 KiB
Markdown
Executable File
55 строки
1.5 KiB
Markdown
Executable File
---
|
|
sectionid: networkpolicy
|
|
sectionclass: h2
|
|
title: Create Network Policy
|
|
parent-id: lab-ratingapp
|
|
---
|
|
|
|
Now that you have the application working, it is time to apply some security hardening. You'll use [network policies](https://docs.openshift.com/aro/4/networking/network_policy/about-network-policy.html) to restrict communication to the `rating-api`.
|
|
|
|
### Switch to the Cluster Console
|
|
|
|
{% collapsible %}
|
|
|
|
Switch to the Administrator console.
|
|
|
|
|
|
Make sure you're in the **workshop** project, expand **Networking** and click **Create Network Policy**.
|
|
|
|
|
|
{% endcollapsible %}
|
|
|
|
### Create network policy
|
|
|
|
{% collapsible %}
|
|
|
|
You will create a policy that applies to any pod matching the `app=rating-api` label. The policy will allow ingress only from pods matching the `app=rating-web` label.
|
|
|
|
Use the YAML below in the editor, and make sure you're targeting the **workshop** project.
|
|
|
|
```yaml
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: api-allow-from-web
|
|
namespace: workshop
|
|
spec:
|
|
podSelector:
|
|
matchLabels:
|
|
app: rating-api
|
|
ingress:
|
|
- from:
|
|
- podSelector:
|
|
matchLabels:
|
|
app: rating-web
|
|
```
|
|
|
|
|
|
|
|
Click **Create**.
|
|
|
|
{% endcollapsible %}
|
|
|
|
> **Resources**
|
|
> * [ARO Documentation - Managing Networking with Network Policy](https://docs.openshift.com/aro/4/networking/network_policy/creating-network-policy.html)
|