Configuring network policies

By default, all Pods in a Kubernetes cluster can communicate with each other even if they are in different namespaces. In the context of Che, this makes it possible for a workspace Pod in one user namespace to send traffic to another workspace Pod in a different user namespace.

For security, multitenant isolation can be configured by using NetworkPolicy objects to restrict all incoming communication to Pods in a user namespace. However, Pods in the Che namespace must still be able to communicate with Pods in user namespaces, so the isolation must make an exception for traffic coming from the Che namespace.

Prerequisites

  • The Kubernetes cluster has network restrictions such as multitenant isolation.

Procedure

  • Apply the allow-from-eclipse-che NetworkPolicy to each user namespace. The allow-from-eclipse-che NetworkPolicy allows incoming traffic from the Che namespace to all Pods in the user namespace.

    Example 1. allow-from-eclipse-che.yaml
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-from-eclipse-che
    spec:
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: eclipse-che   (1)
      podSelector: {}   (2)
      policyTypes:
      - Ingress
    1 The Che namespace. The default is eclipse-che.
    2 The empty podSelector selects all Pods in the namespace.
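To see why this single policy gives the isolation described above, it helps to model how Kubernetes evaluates ingress rules: a Pod that no policy selects accepts all traffic, while a Pod selected by at least one Ingress policy accepts only traffic that some `from` entry of some selecting policy matches. The following script is an added illustration, not Che or Kubernetes code; it assumes every namespace carries the well-known `kubernetes.io/metadata.name` label that the manifest keys on, models only `matchLabels` selectors (no `matchExpressions`, `ipBlock` or ports), and uses constructed Pod names and namespaces (`user-a`, `user-b`, `che-server`).

```python
"""Added illustration: a small model of NetworkPolicy ingress evaluation.

Not Che or Kubernetes code. Only the rules needed to reason about
allow-from-eclipse-che are reproduced, and only matchLabels selectors
with explicit `from` peers are modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


@dataclass
class NetworkPolicy:
    name: str
    namespace: str          # namespace the policy object is created in
    pod_selector: dict      # spec.podSelector.matchLabels; {} selects every Pod
    ingress_from: list      # one dict per spec.ingress[].from[] peer
    policy_types: tuple = ("Ingress",)


def matches(match_labels, labels):
    """A matchLabels selector matches when every key/value pair is present.
    An empty selector therefore matches everything."""
    return all(labels.get(key) == value for key, value in match_labels.items())


def namespace_labels(namespace):
    """Assumption: each namespace carries the well-known label
    kubernetes.io/metadata.name, which the manifest in Example 1 keys on."""
    return {"kubernetes.io/metadata.name": namespace}


def peer_matches(policy, peer, src):
    """Evaluate one `from` entry against the source Pod. namespaceSelector and
    podSelector inside one entry are ANDed; a podSelector without a
    namespaceSelector is limited to the policy's own namespace."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False
    if ns_sel is None:
        ns_ok = src.namespace == policy.namespace
    else:
        ns_ok = matches(ns_sel.get("matchLabels", {}), namespace_labels(src.namespace))
    pod_ok = pod_sel is None or matches(pod_sel.get("matchLabels", {}), src.labels)
    return ns_ok and pod_ok


def ingress_allowed(policies, src, dst):
    """True if traffic from src to dst is allowed under the given policies."""
    selecting = [
        p for p in policies
        if p.namespace == dst.namespace
        and "Ingress" in p.policy_types
        and matches(p.pod_selector, dst.labels)
    ]
    if not selecting:
        return True  # default-allow: no policy isolates this Pod
    # Separate policies and separate `from` entries are ORed together.
    return any(peer_matches(p, peer, src) for p in selecting for peer in p.ingress_from)


def allow_from_eclipse_che(user_namespace, che_namespace="eclipse-che"):
    """The policy from Example 1, as created in one user namespace."""
    return NetworkPolicy(
        name="allow-from-eclipse-che",
        namespace=user_namespace,
        pod_selector={},
        ingress_from=[{"namespaceSelector": {
            "matchLabels": {"kubernetes.io/metadata.name": che_namespace}}}],
    )


def isolation_report(user_namespaces, che_namespace="eclipse-che"):
    """Constructed scenario: one workspace Pod per user namespace plus the Che
    server Pod; returns {(src_namespace, dst_namespace): allowed}."""
    che_server = Pod("che-server", che_namespace)
    workspaces = [Pod(f"workspace-{ns}", ns) for ns in user_namespaces]
    policies = [allow_from_eclipse_che(ns, che_namespace) for ns in user_namespaces]
    report = {}
    for dst in workspaces:
        report[(che_server.namespace, dst.namespace)] = ingress_allowed(policies, che_server, dst)
        for src in workspaces:
            if src is not dst:
                report[(src.namespace, dst.namespace)] = ingress_allowed(policies, src, dst)
    return report


if __name__ == "__main__":
    for (src, dst), allowed in sorted(isolation_report(["user-a", "user-b"]).items()):
        print(f"{src:>12} -> {dst:<8} {'allowed' if allowed else 'denied'}")
```

Running the script shows the two properties the text relies on: with no policy in place a workspace in `user-b` can reach a workspace in `user-a`, and once `allow-from-eclipse-che` exists in every user namespace that cross-namespace path is denied while `eclipse-che` to `user-a` stays allowed. The Che namespace itself is not selected by any policy in this model, so it keeps default-allow behaviour; the page only states what the user namespaces need, and the model does not go beyond that.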