Remove Default NetworkPolicies

Also see Using and customizing policies if you have a VSHN Managed OpenShift cluster.

In every namespace 2 NetworkPolicies and one CiliumNetworkPolicy are created and maintained by APPUiO Cloud:

  1. networkpolicy/syn-internal-set-base: This policy allows system components such as the monitoring stack to connect to the pods.

  2. networkpolicy/syn-set-default-allow-intra-namespace: This policy allows connections between pods in the same namespace.

  3. ciliumnetworkpolicy/syn-internal-set-base: This policy allows system components such as kubelet probes.

APPUiO Cloud automatically reverts any changes made in these policy objects.

If you have the need to customize the default policies, you can remove them and provide your own policies. You can disable the automatic network policy management of APPUiO Cloud by adding labels to a namespace as shown below.

Keeping the system required base policy

This is the recommended setting if you want to customize the default policies.

 
apiVersion: v1
kind: Namespace
metadata:
  labels:
    appuio.io/organization: my-company
    kubernetes.io/metadata.name: my-namespace
    set.network-policies.syn.tools/base: '' (1)
  name: my-namespace
1 Adding this label removes the default intra-namespace policy, but keeps the base policy that allows system components to connect to the pods. This is the recommended setting if you want to customize the default policies.

Removing all policies

It’s highly recommended to keep the base policy that allows system components to connect to the pods.

Base policies might change over time and if you substitute them with your own you might inadvertently break namespace access during future updates.

Unless you’ve already added a network policy on your own this will effectively allow all traffic in and out of the namespace and can be compared to switching off the firewall for the namespace.

 
apiVersion: v1
kind: Namespace
metadata:
  labels:
    appuio.io/organization: my-company
    kubernetes.io/metadata.name: my-namespace
    network-policies.syn.tools/no-defaults: 'true' (1)
  name: my-namespace
1 Adding this label purges all default network policies from the namespace.