
Enable Project Network Isolation

This section describes how to enable project network isolation and how to add and delete whitelist entries for an isolated project.

Prerequisites

  • You should join a project and have the Namespace NetworkPolicy Management permission within the project. For more information, refer to "Project Members" and "Project Roles".

  • The KubeSphere Network component must be installed and enabled.

Steps

Enable Network Isolation

  1. Log in to the KubeSphere web console with a user who has the Namespace NetworkPolicy Management permission, and access your project.

  2. Click Project Settings > Network Isolation in the left navigation pane.

  3. On the Network Isolation page, click Enable.

    Note

    After network isolation is enabled, pods in other projects, processes on the node host network, and all addresses outside the cluster can no longer reach pods in the current project; pods within the project can still reach each other. Egress traffic is not restricted by default: as long as no egress whitelist entries exist, pods in the current project can still reach pods in other projects, the node host network, and addresses outside the cluster. Once egress whitelist entries are added, pods in the current project can only reach the projects, services, and external network segments and ports named in those entries; any egress not covered by an entry is dropped. After adding the first egress entry, verify that pods can still reach the cluster DNS service and any other dependencies they need, and add entries for them if not.

Add Whitelist

  1. After enabling network isolation, click the Internal Whitelist or External Whitelist tab.

    Parameter    Description

    Internal Whitelist

    Allow pods in the current project to communicate with pods in other projects within the same workspace.

    External Whitelist

    Allow pods in the current project to communicate with specific network segments and ports outside the workspace.

  2. On the Internal Whitelist or External Whitelist tab, click Add Whitelist Entry.

  3. In the Add Whitelist Entry dialog box, set the parameters for the whitelist entry, and then click OK.

    • For internal whitelist entries, set the following parameters:

      Parameter    Description

      Traffic Direction

      The direction of traffic allowed by the whitelist entry.

      • Egress: From the current project to other projects.

      • Ingress: From other projects to the current project.

      Type

      The method by which the whitelist entry matches pods in other projects.

      • Project: Pods in the current project can communicate with all pods in the specified project.

      • Service: Pods in the current project can communicate with the backend pods of the specified service.

    • For external whitelist entries, set the following parameters:

      Parameter    Description

      Name

      The name of the whitelist entry.

      Traffic Direction

      The direction of traffic allowed by the whitelist entry.

      • Egress: From the current project to addresses outside the workspace.

      • Ingress: From addresses outside the workspace to the current project.

      Network Segment

      The address range outside the workspace, written in Classless Inter-Domain Routing (CIDR) notation (network address and prefix length).

      • Click the copy icon on the right side of an added network segment to duplicate it.

      • Click the delete icon on the right side of an added network segment to delete it.

      • Click Add to set multiple network segments.

      Port

      The port number or range allowed by the whitelist entry.

      • For egress entries, the port is the destination port at the address outside the workspace.

      • For ingress entries, the port is the port on which pods in the current project accept the traffic.

      • Click the copy icon on the right side of an added port to duplicate it.

      • Click the delete icon on the right side of an added port to delete it.

      • Click Add Port Range to set multiple port ranges, and click Add Port to set multiple individual ports.

    After the whitelist entry is created, it is displayed in the internal or external whitelist list.

  4. In the External Whitelist list, click an entry name to view its details, or click More > Edit on the right side of the entry to edit it.
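The behaviour described in the Note and in the whitelist parameters above follows Kubernetes NetworkPolicy semantics, which is what project network isolation is built on (hence the Namespace NetworkPolicy Management permission). The following is an added example, not KubeSphere's own code and not the exact resources the console generates: three illustrative NetworkPolicy objects (the isolation itself, an internal Ingress entry of type Project for a hypothetical project named `frontend`, and an external Egress entry for the constructed segment 10.20.0.0/16 on TCP port 5432) together with a small evaluator that applies the standard NetworkPolicy rules to constructed sample pods and addresses. All namespace names, IPs and labels are made up.

```python
# Added example (not KubeSphere code): model the isolation rules described above with
# Kubernetes NetworkPolicy semantics so the effect of each whitelist entry can be checked
# offline. The three policy dicts are ILLUSTRATIVE equivalents of the console actions; the
# exact objects KubeSphere generates are not shown on the page this accompanies.
import ipaddress

# --- Constructed sample endpoints (IPs, namespaces and labels are made up) -----------------
APP = {"ip": "10.233.1.10", "namespace": "demo-project", "labels": {"app": "api"}}
APP2 = {"ip": "10.233.1.11", "namespace": "demo-project", "labels": {"app": "worker"}}
FRONTEND = {"ip": "10.233.2.5", "namespace": "frontend", "labels": {}}
OTHER = {"ip": "10.233.3.7", "namespace": "other", "labels": {}}
DNS = {"ip": "10.233.0.3", "namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}}
NODE = {"ip": "192.168.0.11"}   # node host network: not a pod, so no namespace
DB = {"ip": "10.20.3.4"}        # database outside the cluster
NS_LABELS = {ns: {"kubernetes.io/metadata.name": ns}
             for ns in ("demo-project", "frontend", "other", "kube-system")}

# --- Illustrative policies (hypothetical equivalents of the console actions) -------------
# "Enable": select every pod in the project; allow ingress only from the same namespace.
ISOLATE = {"metadata": {"namespace": "demo-project"},
           "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                    "ingress": [{"from": [{"podSelector": {}}]}]}}
# Internal whitelist, Ingress, Type = Project: allow every pod of project "frontend".
ALLOW_FROM_FRONTEND = {"metadata": {"namespace": "demo-project"},
                       "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                                "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                                    "kubernetes.io/metadata.name": "frontend"}}}]}]}}
# External whitelist, Egress, network segment 10.20.0.0/16, port 5432/TCP.
ALLOW_EGRESS_DB = {"metadata": {"namespace": "demo-project"},
                   "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                            "egress": [{"to": [{"ipBlock": {"cidr": "10.20.0.0/16"}}],
                                        "ports": [{"protocol": "TCP", "port": 5432}]}]}}


def _selects(selector, labels):
    """An empty selector matches everything; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, ep, policy_ns):
    """Peer semantics: ipBlock matches by address; a podSelector alone is scoped to the
    policy's own namespace; a namespaceSelector alone matches all pods of the selected
    namespaces; both together are ANDed. Pod-based peers never match non-pod addresses."""
    if "ipBlock" in peer:
        addr = ipaddress.ip_address(ep["ip"])
        blk = peer["ipBlock"]
        return addr in ipaddress.ip_network(blk["cidr"], strict=False) and not any(
            addr in ipaddress.ip_network(ex, strict=False) for ex in blk.get("except", []))
    if ep.get("namespace") is None:
        return False
    if "namespaceSelector" in peer:
        if not _selects(peer["namespaceSelector"], NS_LABELS.get(ep["namespace"], {})):
            return False
    elif ep["namespace"] != policy_ns:
        return False
    return _selects(peer.get("podSelector", {}), ep.get("labels", {}))


def _port_matches(rule, port, proto):
    """No ports list means any port and protocol; protocol defaults to TCP; endPort = range."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto
               and p["port"] <= port <= p.get("endPort", p["port"]) for p in ports)


def _side_allows(policies, ep, ptype, other, port, proto):
    """One direction of the check. A pod selected by no policy of this type is unrestricted;
    once at least one selects it, some rule must allow both the peer and the port."""
    if ep.get("namespace") is None:
        return True  # NetworkPolicy governs pods only; nodes and external hosts pass here
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == ep["namespace"]
                 and ptype in p["spec"].get("policyTypes", ["Ingress"])
                 and _selects(p["spec"].get("podSelector", {}), ep.get("labels", {}))]
    if not selecting:
        return True
    key = "from" if ptype == "Ingress" else "to"
    for p in selecting:
        for rule in p["spec"].get(ptype.lower()) or []:
            peers = rule.get(key)
            if (not peers or any(_peer_matches(pr, other, ep["namespace"]) for pr in peers)) \
                    and _port_matches(rule, port, proto):
                return True
    return False


def allowed(policies, src, dst, port, proto="TCP"):
    """src -> dst:port passes only if the source's egress side AND the destination's
    ingress side both allow it."""
    return (_side_allows(policies, src, "Egress", dst, port, proto)
            and _side_allows(policies, dst, "Ingress", src, port, proto))


def scenario(policies):
    """The flows discussed in the Note above, evaluated against one set of policies."""
    return {
        "intra_project": allowed(policies, APP, APP2, 8080),
        "other_to_app": allowed(policies, OTHER, APP, 8080),
        "frontend_to_app": allowed(policies, FRONTEND, APP, 8080),
        "node_to_app": allowed(policies, NODE, APP, 8080),
        "app_to_other": allowed(policies, APP, OTHER, 80),
        "app_to_db_5432": allowed(policies, APP, DB, 5432),
        "app_to_db_3306": allowed(policies, APP, DB, 3306),
        "app_to_dns": allowed(policies, APP, DNS, 53, "UDP"),
    }


if __name__ == "__main__":
    for name, pols in [("isolation only", [ISOLATE]),
                       ("+ internal ingress entry", [ISOLATE, ALLOW_FROM_FRONTEND]),
                       ("+ external egress entry", [ISOLATE, ALLOW_FROM_FRONTEND, ALLOW_EGRESS_DB])]:
        print(name, scenario(pols))
```

Running it prints three result sets. With isolation only, ingress from the other project and from the node network is denied while every egress still passes; the internal entry opens ingress from `frontend` and nothing else; the first egress entry closes every destination it does not name, including cluster DNS on the constructed 10.233.0.3:53, which is the reason to re-check name resolution after adding the first egress entry. Whether the policies KubeSphere actually generates keep intra-project egress open once an egress entry exists is not stated on this page; confirm against the live objects with `kubectl get networkpolicy -n <project> -o yaml` before relying on it.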

Delete Whitelist

Warning

Deleting a whitelist entry removes the traffic allowance it provided and may interrupt connections to or from pods in the current project. Proceed with caution.

  1. On the Network Isolation page, click the Internal Whitelist or External Whitelist tab.

  2. Click the delete icon on the right side of the internal whitelist entry you want to delete, or click More on the right side of the external whitelist entry you want to delete and then select Delete from the drop-down list.

  3. In the Delete Whitelist Entry dialog box, enter the name of the whitelist entry, and then click OK.
