📖 Add NetworkPolicy doc #1973
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage diff for #1973 against main:

             main    #1973    +/-
Coverage   69.10%   68.99%   -0.12%
Files          79       79
Lines        7011     7011
Hits         4845     4837      -8
Misses       1885     1891      +6
Partials      281      283      +2
> If you encounter network connectivity issues after deploying OLMv1, consider the following:
>
> * Verify NetworkPolicy support: Ensure your cluster has a CNI plugin that supports NetworkPolicy
Nit: If the CNI does not support NP, does this not mean that the NPs applied have no effect at all? So, I mean, if my k8s is using a CNI that does not provide this support, it is like it does not make any difference and no network connectivity issues could be faced. Am I right?
> If you encounter network connectivity issues after deploying OLMv1, consider the following:
>
> * Verify NetworkPolicy support: Ensure your cluster has a CNI plugin that supports NetworkPolicy
> * Check pod labels: Confirm that catalogd and operator-controller pods have the correct labels for NetworkPolicy selection
Could we be more specific here?
For example, could we give the kubectl commands to help the user ensure that the labels used to do the match are present?
> * Verify NetworkPolicy support: Ensure your cluster has a CNI plugin that supports NetworkPolicy
> * Check pod labels: Confirm that catalogd and operator-controller pods have the correct labels for NetworkPolicy selection
> * Inspect logs: Check component logs for connection errors
> * Test connectivity: Run test pods that attempt to communicate with OLMv1 components
Could we add an example here with the commands to help the user and us to know how to do those checks?
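As an added example (not part of this PR or of the operator-framework repo), here is a small check a user could run over the output of `kubectl get pods,networkpolicies -n <namespace> -o json` to confirm that every NetworkPolicy's podSelector actually selects a pod, which is the label mismatch the two comments above ask to make concrete. The namespace, pod names and label keys below are constructed sample values, not the project's real ones.

```python
# Added example: find NetworkPolicies whose podSelector selects no pod in their namespace.
# An unmatched selector usually means the pod labels do not match what the policy expects.
# Input shape is the JSON `kubectl get pods,networkpolicies -o json` returns (a List of items).
import json
import sys


def _selector_matches(selector, labels):
    """Evaluate a Kubernetes label selector (matchLabels and matchExpressions) against labels."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], set(expr.get("values", []))
        present = key in labels
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True  # an empty selector {} matches every pod, as in Kubernetes


def policies_without_pods(policies, pods):
    """Return names of NetworkPolicies whose podSelector matches no pod in the same namespace."""
    unmatched = []
    for pol in policies:
        ns = pol["metadata"]["namespace"]
        selector = pol["spec"].get("podSelector", {})
        same_ns = [p for p in pods if p["metadata"]["namespace"] == ns]
        if not any(_selector_matches(selector, p["metadata"].get("labels", {})) for p in same_ns):
            unmatched.append(pol["metadata"]["name"])
    return unmatched


def split_items(kubectl_json):
    """Split the 'items' of a kubectl List into (pods, networkpolicies) by kind."""
    items = kubectl_json.get("items", [])
    return ([i for i in items if i.get("kind") == "Pod"],
            [i for i in items if i.get("kind") == "NetworkPolicy"])


# Constructed sample data (hypothetical namespace, names and label keys), not real manifests.
SAMPLE_PODS = [
    {"kind": "Pod", "metadata": {"namespace": "olm-example", "name": "catalogd-0",
                                 "labels": {"app.kubernetes.io/name": "catalogd"}}},
    {"kind": "Pod", "metadata": {"namespace": "olm-example", "name": "operator-controller-0",
                                 "labels": {"app.kubernetes.io/name": "operator-ctrl"}}},  # mislabelled
]
SAMPLE_POLICIES = [
    {"kind": "NetworkPolicy", "metadata": {"namespace": "olm-example", "name": "catalogd"},
     "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "catalogd"}}}},
    {"kind": "NetworkPolicy", "metadata": {"namespace": "olm-example", "name": "operator-controller"},
     "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "operator-controller"}}}},
    {"kind": "NetworkPolicy", "metadata": {"namespace": "olm-example", "name": "default-deny"},
     "spec": {"podSelector": {}}},
]

if __name__ == "__main__":
    # Pipe real `kubectl get pods,networkpolicies -n <ns> -o json` output on stdin, else use the sample.
    pods, pols = split_items(json.load(sys.stdin)) if not sys.stdin.isatty() else (SAMPLE_PODS, SAMPLE_POLICIES)
    print("NetworkPolicies selecting no pod:", policies_without_pods(pols, pods))
```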
> ## Future Enhancements
>
> The operator-framework team plans to revisit improvements to network policies in the future, such as:
>
> * More restrictive egress rules based on configured catalog image references
> * Further securing metrics and webhook server access
> * Dynamic network policy updates based on configured bundle image references
I think we do not need to add the FE part; when/if we enhance, then we update this doc with the changes applied.
> * Catalogd's HTTPS server (on port 8443)
> * Image registries specified in bundle metadata
>
> Currently, all egress traffic from operator-controller is allowed to support communication with arbitrary image registries that aren't known at install time.
What do you think about linking the code from the repo?
So, those looking can easily check the NPs by clicking on them.
> * The Kubernetes API server
> * Image registries specified in ClusterCatalog objects
>
> Currently, all egress traffic from catalogd is allowed to support communication with arbitrary image registries that aren't known at install time.
What do you think about linking the code from the repo?
So, those looking can easily check the NPs by clicking on them.
Good work 🥇
I just suggested some minor fixes and improvements.