NetworkPolicy can replicate what namespace isolation does (and much
more), so we are removing the code that is not needed.

Change-Id: Ib79c21cb92c522744658a204001383b6c0e98846

To enforce the network policy isolation, the network policy
security group driver must be used. Thus the code needs to be
there instead of in the namespace security group driver (which
is used for namespace isolation).

Currently, when using the correct Network Policy drivers and
handlers, the CRD is not updated on events applied over namespaces
that match a NP.
This commit fixes the issue by moving the support of this
functionality from 'NamespacePodSecurityGroupsDriver' to
'NetworkPolicySecurityGroupsDriver'.

Closes-bug: 1811995
Partially Implements: blueprint k8s-network-policies
Change-Id: Idaf70ea8cb7677296d6bea59b4d551bbb87e0422

When a namespace is created, deleted or updated and
its labels match the namespaceSelector of a NP,
the CRD and the respective sg must be updated.

Partially Implements: blueprint k8s-network-policies
Change-Id: I515de28647f5f06248555733c27dd4f5a56149ec

This patch ensures pods from namespace X cannot access services
pointing to pods on namespace Y, and vice versa.

The exceptions are:
- Pods on default namespace can access all the services
- Services on default namespace can be accessed by all the pods

Depends-On: I37025bf65b67fe04f2a6d9b14bbe1b7bc387e370
Implements: blueprint openshift-project-isolation-support
Change-Id: I7b78e12cdf2bce5d0780e582814ef51ef0c459a7

Ensure default security group value does not get overwritten in
subsequent calls to get_security_groups.

Closes-Bug: 1785035
Change-Id: I9a79601beae7d58027418e0a9e3c4768606eb15f

This patch ensures that a different security group is attached to
each newly created namespace, thus providing extra isolation
between the pods allocated on the different namespaces.

Implements: blueprint openshift-project-isolation-support
Change-Id: Ibf63841b2a6b0c339c4c76980f1489e26af016d7