StackLight rules for Kubernetes network policies
Available since Cluster releases 17.0.1 and 16.0.1
The Kubernetes NetworkPolicy resource controls network connections to and from Pods within a cluster. This enhances security by restricting the communication of a compromised Pod application and provides transparency into how applications communicate with each other.
Network Policies are enabled by default in StackLight using the networkPolicies parameter. For configuration details, see Kubernetes network policies.
The following table contains general network policy rules applied to StackLight components:

| Network policy rule | Component |
|---|---|
| Deny all ingress for Pods not expecting incoming traffic (including Prometheus scrape) | |
| Deny all egress for Pods not expecting outgoing traffic | |
| Allow all ingress for Pods that can be exposed through load balancers | |
| Allow all egress for Pods connecting to the outside world or external APIs (Kubernetes, Docker, Keycloak, OpenStack) | |
| Allow DNS traffic from all Pods specifying communication endpoints of other StackLight workloads | |
The following exceptions apply to the StackLight network policy rules:
Because Prometheus Node Exporter uses the host network, the allow-all rule applies to both ingress and egress, that is, the policy is a no-op placeholder.
Due to dynamically created scrape configurations, the allow-all rule applies to egress for Prometheus Server.
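The first, second and last rules from the table, written out as NetworkPolicy manifests. This is an added illustration, not a StackLight manifest: the `stacklight` namespace and the `app: example-component` label are assumptions standing in for a component that expects no incoming traffic and needs only DNS egress; the `kube-system` namespace label and the `k8s-app: kube-dns` selector are the standard cluster DNS labels.

```yaml
# Deny all ingress: policyTypes lists Ingress but no ingress rules follow,
# so every incoming connection (including Prometheus scrapes) is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-deny-all-ingress
  namespace: stacklight            # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: example-component       # assumed label of the target Pods
  policyTypes:
    - Ingress
---
# Deny all egress except DNS: the single egress rule admits only port 53
# to the cluster resolver; any other outgoing connection is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-egress-dns-only
  namespace: stacklight            # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: example-component       # assumed label of the target Pods
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

After applying, `kubectl describe networkpolicy -n stacklight` shows the resulting rules; a Pod matched only by the first policy still has unrestricted egress unless the second (or an equivalent allow-all egress exception, as for Prometheus Server) is also applied.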