Commit 29806b12 authored by estevesm

Added the default namespace

parent 830d3bcd
Pipeline #2311940 passed with stage
in 3 minutes and 14 seconds
......@@ -18,6 +18,15 @@ which then is used when building a new version of the cluster image. In order to
- make sure you use the correct base image (the major and minor version of the base image should match the corresponding versions of the [cluster-ingress-operator](https://github.com/origin/cluster-ingress-operator));
- commit your changes and push to Gitlab and let the CI build the docker image. In order to make sure the new image is being used by the new cluster image, update the value specified [here](https://gitlab.cern.ch/paas-tools/okd4-deployment/custom-okd-release/-/blob/master/.gitlab-ci.yml#L12) with the new tag.
## Default namespace patch to support Network Policies
In OKD4 we have to create NetworkPolicy resources since pods are able to comunicate between namespaces by default.
To be able to still allow ingress pods communication since we use endpointPublishingStrategy: HostNetwork we have to have the label
network.openshift.io/policy-group: ingress on the default namespace in order to make this NetworkPolicy work
more details in https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/257
Note: Once we have SOPS and ArgoCD managing itself we can move this single file to the okd4-install custom-ingress component
### Previous work
This essentially does the same as our [custom-haproxy-router](https://gitlab.cern.ch/paas-tools/custom-haproxy-router) did in Openshift 3, but for Openshift 4.
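Review bot: In the new "Default namespace patch to support Network Policies" section, "this NetworkPolicy" is never identified. The text says the label `network.openshift.io/policy-group: ingress` is needed "in order to make this NetworkPolicy work", but it does not name the policy or say where it is defined, so the reader has to open issue 257 to find out. Suggest naming the policy or linking its manifest, and stating the consequence of the label: any NetworkPolicy that selects namespaces by this label will also admit traffic from whatever runs in the `default` namespace, so it is worth recording that no workloads are expected there. Minor: "comunicate" should be "communicate", and the bare issue URL could be a Markdown link like the other links in this file.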
# In OKD4 we have to create NetworkPolicy resources since pods are able to comunicate between namespaces by default
# One of these NetworkPolicies we enforce is that ingress pods should still be able to comunicate with pods
# however on OKD4.6 since we use endpointPublishingStrategy: HostNetwork we have to have the label
# network.openshift.io/policy-group: ingress on the default namespace in order to make this NetworkPolicy work
# more details in https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/257
apiVersion: v1
kind: Namespace
metadata:
name: default
labels:
# Label needed for https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/257
network.openshift.io/policy-group: ingress
annotations:
argocd.argoproj.io/sync-options: Prune=false
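Review bot: The `argocd.argoproj.io/sync-options: Prune=false` annotation at the end of the manifest has no comment, while the label above it does. Add a line explaining that it keeps ArgoCD from pruning the `default` namespace if this file is later moved or removed, which the README note already anticipates. The header comment also repeats most of the README text, and its second line stops at "comunicate with pods" without saying which pods; consider reducing it to one sentence plus the issue link, and correct "comunicate" to "communicate".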