By default, the `ServiceMeshControlPlane` resource automatically synchronizes the Gateway resources with OpenShift routes. Disabling the automatic route creation allows you more flexibility to control routes if you have a special case or prefer to control routes manually.
{ProductName} automatically creates and manages a number of `NetworkPolicies` resources in the control plane and application namespaces. This is to ensure that applications and the control plane can communicate with each other.
7
+
= Disabling automatic creation of network policies
10
8
11
-
If you want to disable the automatic creation and management of `NetworkPolicies` resources, for example to enforce company security policies, you can do so. You can edit the `ServiceMeshControlPlane` to set the `spec.security.manageNetworkPolicy` setting to `false`
9
+
If you want to disable the automatic creation and management of `NetworkPolicy` resources, for example to enforce company security policies, or to allow direct access to pods in the mesh, you can do so. You can edit the `ServiceMeshControlPlane`and set `spec.security.manageNetworkPolicy` to `false`.
12
10
13
11
[NOTE]
14
12
====
15
13
When you disable `spec.security.manageNetworkPolicy` {ProductName} will not create *any* `NetworkPolicy` objects. The system administrator is responsible for managing the network and fixing any issues this might cause.
16
14
====
17
15
16
+
.Prerequisites
17
+
18
+
* {ProductName} Operator version 2.1.1 or higher installed.
19
+
* `ServiceMeshControlPlane` resource updated to version 2.1 or higher.
20
+
18
21
.Procedure
19
22
20
23
. In the {product-title} web console, click *Operators*->*Installed Operators*.
21
24
22
-
. Select the project where you installed the control plane, for example `istio-system`, from the Project menu.
25
+
. Select the project where you installed the control plane, for example `istio-system`, from the *Project* menu.
23
26
24
27
. Click the {ProductName} Operator. In the *Istio Service Mesh Control Plane* column, click the name of your `ServiceMeshControlPlane`, for example `basic-install`.
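Review bot: In the added sentence that replaces the old `spec.security.manageNetworkPolicy` paragraph, `ServiceMeshControlPlane`and has no space after the closing backtick, so AsciiDoc is likely to render the backticks literally instead of as monospace; write "`ServiceMeshControlPlane` and set". The same sentence now offers "to allow direct access to pods in the mesh" as a reason to disable the setting, while the NOTE only says the administrator is responsible for "any issues this might cause". Since the NOTE states that no `NetworkPolicy` objects are created at all, it would help to say there that nothing restricts ingress to mesh pods until the administrator supplies their own policies. The unchanged intro line still says `NetworkPolicies` resources while the new text uses `NetworkPolicy`; pick one form.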
{ProductName} automatically creates and manages a number of `NetworkPolicies` resources in the control plane and application namespaces. This is to ensure that applications and the control plane can communicate with each other.
10
+
11
+
For example, if you have configured your {product-title} cluster to use the SDN plug-in, {ProductName} creates a `NetworkPolicy` resource in each member project. This enables ingress to all pods in the mesh from the other mesh members and the control plane. This also restricts ingress to only member projects. If you require ingress from non-member projects, you need to create a `NetworkPolicy` to allow that traffic through. If you remove a namespace from {ProductShortName}, this `NetworkPolicy` resource is deleted from the project.
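Review bot: The added paragraph at new line 11 says "This also restricts ingress to only member projects" directly after "This enables ingress to all pods", and both "This" refer back loosely; name the subject ("The `NetworkPolicy` resource also restricts ingress ...") so the default-deny effect for non-member projects is unambiguous. It would also be worth pointing from here to the procedure for setting `spec.security.manageNetworkPolicy` to `false`, because a reader who needs ingress from non-member projects should know that creating an additional `NetworkPolicy` is the narrower option compared with turning management off entirely. The context line above still uses `NetworkPolicies` resources while the new text uses `NetworkPolicy` resource.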
service_mesh/v2x/ossm-traffic-manage.adoc
Lines changed: 6 additions & 1 deletion
@@ -35,8 +35,13 @@ OpenShift routes for Istio Gateways are automatically managed in {ProductShortNa
35
35
{ProductName} creates the route with the subdomain, but {product-title} must be configured to enable it. Subdomains, for example `*.domain.com`, are supported but not by default. Configure an {product-title} wildcard policy before configuring a wildcard host Gateway. For more information, see xref:../../networking/ingress-operator.adoc#using-wildcard-routes_configuring-ingress[Using wildcard routes].