Build locally

make docker-build

Push to quay.io

make docker-push

This is a cluster-level operator that you can deploy in any namespace, microsegmentation-operator is recommended.

oc new-project microsegmentation-operator

Deploy the cluster resources. Given that a number of elevated permissions are required to resources at a cluster scope the account you are currently logged in must have elevated rights.

oc apply -f deploy/

OpenShift implements v1 of NetworkPolicy : so egress rules, ipblock are not implemeneted by the default openshift-sdn.

The microsegmentation operator allows to create NetworkPolicies rules starting from Namespaces and/or Services.

This feature is activated by this annotation: microsegmentation-operator.redhat-cop.io/microsegmentation: "true".

oc annotate namespace test microsegmentation-operator.redhat-cop.io/microsegmentation='true'
# AND/OR
oc annotate service test-service microsegmentation-operator.redhat-cop.io/microsegmentation='true'

NetworkPolicy can be controlled by annotation Namespace and/or Service. If you wish to disable or delete NetworkPolicy, set the annotation to false.

By default when enabled a deny-by-default NetworkPolicy is applied (secure by default). This is equivalent to the following policy:

oc apply -f - <<'EOF'
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-by-default
spec:
  podSelector:
  ingress: []
EOF

You would then layer other policy into your namespace to allow traffic as follows in the next sections. Namespace and Port/Protocol network policy are created as separate NetworkPolicy objects.

The Namespace annotation controls access from other namespaces using annotations and namespace labels. Normal users can be restricted from editing namespaces (but will normally have self-service admin/edit access to services) within a cluster.

Example ingress policy:

 - ingress
   - from:
     - namespaceSelector:
         matchLabels:
           key1: value1
   - from:
     - namespaceSelector:
         matchLabels:
           key2: value2

Port/Protocol NetworkPolicy controls access to ports and protocols described on the service using annotations.

The NetworkPolicy object can be tweaked with the following additional annotations:

Inbound/outbound ports are AND 'ed with corresponding inbound/outbound pod label selectors.

It should be relatively common to use the additional-inbound-ports annotation to model those situation where a pod exposes a port that should not be load balanced.

If inbound-pod-labels annotation is used, this selects matching pods along with the additional-inbound-ports.

See test directory for an example.

oc apply -f test/simple-microsegmentation.yaml

Execute the following steps to develop the functionality locally. It is recommended that development be done using a cluster with cluster-admin permissions.

Clone the repository, then resolve all dependencies using dep:

dep ensure

Using the operator-sdk, run the operator locally:

operator-sdk up local --namespace "test" --verbose

Use delve debugger

operator-sdk up local --namespace "test" --verbose --enable-delve

With a remote debug launch.json in vscode:

    {
      "name": "Launch remote",
      "type": "go",
      "request": "launch",
      "mode": "remote",
      "port": 2345,
      "host": "127.0.0.1",
      "remotePath": "",
      "program": "${workspaceFolder}/build/_output/bin/microsegmentation-operator-local",
      "trace": "log",
      "env": {
        "GOPATH": "/usr/bin/go",
        "WATCH_NAMESPACE": "test"
      }
    }