Enable Project Network Isolation
This section describes how to enable network isolation for a project and how to add and delete whitelist entries that punch holes through that isolation.
Prerequisites
You should join a project and have the Namespace NetworkPolicy Management permission within the project. For more information, refer to "Project Members" and "Project Roles".
KubeSphere Network should have been installed and enabled.
Steps
Enable Network Isolation
Log in to the KubeSphere web console with a user who has the Namespace NetworkPolicy Management permission, and access your project.
Click Project Settings > Network Isolation in the left navigation pane.
On the Network Isolation page, click Enable.
Note: After network isolation is enabled, pods in other projects, node host environments, and all network segments outside the cluster can no longer reach pods in the current project (traffic between pods inside the project is not affected). Egress traffic is not restricted by default: as long as no whitelist entries exist, pods in the current project can still initiate connections to pods in other projects, node host environments, and any network segment outside the cluster. Whitelist entries then open specific paths: ingress entries admit traffic from specific projects or network segments, and once egress entries exist, pods in the current project can only initiate connections to the projects, node host environments, and network segments those entries allow.
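KubeSphere enforces project isolation with Kubernetes NetworkPolicy objects (the required permission is named after them), but this page does not show the objects it creates. The manifest below is an added example, hand-written to reproduce the state the note describes; it is not KubeSphere's generated policy, and the namespace name demo-project is assumed.

```yaml
# Added example: a hand-written NetworkPolicy equivalent to clicking "Enable"
# for a project whose namespace is demo-project (assumed name).  This is not
# the object KubeSphere itself generates.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-isolation-baseline
  namespace: demo-project
spec:
  # Empty podSelector: the policy selects every pod in the namespace.
  podSelector: {}
  # Only Ingress is listed.  Egress is therefore left unrestricted, which is
  # exactly what the note says: pods can still reach other projects, node
  # hosts and networks outside the cluster until egress entries are added.
  policyTypes:
    - Ingress
  ingress:
    # A podSelector with no namespaceSelector matches only pods in this
    # namespace, so pods inside the project keep talking to each other while
    # traffic from other namespaces, node hosts and external addresses is
    # dropped because no rule matches it.
    - from:
        - podSelector: {}
```

After enabling isolation in the console you can confirm the effect from the cluster side with `kubectl -n demo-project get networkpolicy` and compare the listed objects against this baseline; the names KubeSphere uses will differ, but an empty podSelector together with policyTypes containing Ingress is the shape to look for.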
Add Whitelist
After enabling network isolation, click the Internal Whitelist or External Whitelist tab.
Internal Whitelist: Allow pods in the current project to communicate with pods in other projects within the same workspace.
External Whitelist: Allow pods in the current project to communicate with specific network segments and ports outside the workspace.
On the Internal Whitelist or External Whitelist tab, click Add Whitelist Entry.
In the Add Whitelist Entry dialog box, set the parameters for the whitelist entry, and then click OK.
For internal whitelist entries, set the following parameters:
Traffic Direction: The direction of traffic allowed by the whitelist entry.
Egress: From the current project to other projects.
Ingress: From other projects to the current project.
Type: The method by which the whitelist entry matches pods in other projects.
Project: Pods in the current project can communicate with all pods in the specified project.
Service: Pods in the current project can communicate with the backend pods of the specified service.
For external whitelist entries, set the following parameters:
Name: The name of the whitelist entry.
Traffic Direction: The direction of traffic allowed by the whitelist entry.
Egress: From the current project to outside the workspace.
Ingress: From outside the workspace to the current project.
Network Segment: A network outside the workspace, written in Classless Inter-Domain Routing (CIDR) notation as an address and prefix length, for example 10.0.0.0/8.
Click the icon on the right side of an added network segment to create a copy of it, or click the delete icon next to it to remove it.
Click Add to set multiple network segments.
Port: The port or ports allowed by the whitelist entry.
For egress entries, the port is the destination port at the address outside the workspace.
For ingress entries, the port is the listening port of the pods in the current project.
Click the icon on the right side of an added port to create a copy of it, or click the delete icon next to it to remove it.
Click Add Port Range to set multiple port ranges, and click Add Port to set multiple individual ports.
After the whitelist entry is created, it will be displayed in the internal whitelist or external whitelist list.
In the External Whitelist list, click the entry name to view its details, or click the button on the right side of the entry and select Edit from the dropdown list to change the entry.
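The following manifest is an added example showing how the four kinds of whitelist entry described above map onto Kubernetes NetworkPolicy rules: an internal ingress entry of type Project, an internal egress entry of type Service, an external egress entry with network segments and ports, and an external ingress entry. It is hand-written, not the objects KubeSphere generates; the namespaces demo-project and other-project, the label app=api and the addresses are assumed for illustration, and the example assumes the deny-ingress baseline that Enable creates already exists in the namespace.

```yaml
# Added example: hand-written NetworkPolicy equivalents of four whitelist
# entries for the project namespace demo-project.  All names, namespaces,
# labels and addresses are assumed; these are not KubeSphere's own objects.
# NetworkPolicies are additive, so each entry below only adds an allow on
# top of the isolation baseline assumed to be present in the namespace.
---
# Internal whitelist, Traffic Direction: Ingress, Type: Project.
# Every pod in other-project may reach every pod in demo-project.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-ingress-from-other-project
  namespace: demo-project
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # Immutable namespace label set by Kubernetes itself (1.21+).
              kubernetes.io/metadata.name: other-project
---
# Internal whitelist, Traffic Direction: Egress, Type: Service.
# demo-project pods may reach the backend pods of a Service in other-project
# whose selector is app=api (assumed).  namespaceSelector and podSelector in
# the SAME list item are ANDed; written as two items they would be ORed and
# would also admit every app=api pod in demo-project's own namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-egress-to-api-service
  namespace: demo-project
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: other-project
          podSelector:
            matchLabels:
              app: api
---
# External whitelist, Traffic Direction: Egress.
# Ports are those of the remote address, as the Port parameter above says.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: external-egress-to-partner-networks
  namespace: demo-project
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        # Two network segments (documentation ranges used as placeholders).
        - ipBlock:
            cidr: 203.0.113.0/24
        - ipBlock:
            cidr: 198.51.100.0/24
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 8000      # port range 8000-8100 inclusive; endPort needs a
          endPort: 8100   # Kubernetes version and CNI that support it
---
# External whitelist, Traffic Direction: Ingress.
# Ports are those of the pods in demo-project.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: external-ingress-from-office
  namespace: demo-project
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 192.0.2.0/24
      ports:
        - protocol: TCP
          port: 8080
```

Two points worth checking after creating entries through the console. First, under Kubernetes NetworkPolicy semantics, as soon as any policy with Egress in policyTypes selects a pod, every outbound flow that no egress rule matches is dropped, including DNS lookups to the cluster DNS service; after adding the first egress entry, verify from a pod in the project that name resolution still works and add an entry covering the DNS service if it does not. Second, ipBlock only matches addresses as the CNI sees them, so an external ingress entry for a segment behind a NAT must list the translated address, not the original client address.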
Delete Whitelist
Warning: Deleting a whitelist entry may interrupt network connections for pods in the current project. Proceed with caution.
On the Network Isolation page, click the Internal Whitelist or External Whitelist tab.
To delete an internal whitelist entry, click the delete icon on the right side of the entry. To delete an external whitelist entry, click the button on the right side of the entry and select Delete from the dropdown list.
In the Delete Whitelist Entry dialog box, enter the name of the whitelist entry, and then click OK.