Document / Implement web-terminal running in projects that have NetworkPolicies

[duritong]

If you deploy the default recommended set of NetworkPolicies (https://docs.openshift.com/container-platform/4.7/networking/network_policy/default-network-policy.html) you won't be able to get the web-terminal working in projects where such network policies apply.

Either you start the web terminal in a project where you do not have network policies (unlikely) or you must ensure, that you have a project that has the right network policies that allow access.

You can do this the following way:

oc label namespace openshift-console network.openshift.io/policy-group=console
cat >01_web_terminal.yaml<<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: "my-web-terminal"
  labels:
    network.openshift.io/policy-group: web-terminal
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: web-terminal-operator 
  namespace: my-web-terminal
spec:
  channel: alpha
  installPlanApproval: Automatic
  name: web-terminal
  source: redhat-operators
  sourceNamespace: openshift-marketplace
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: web-terminal-operator
  namespace: my-web-terminal
spec:
  targetNamespaces: []
EOF
oc apply -f 01_web_terminal.yaml

cat >02_net_pols.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-web-terminal
spec:
  ingress:
    -from:
      -namespaceSelector:
         matchLabels:
           network.openshift.io/policy-group:web-terminal
  podSelector:{}
  policyTypes:
    -Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-console
spec:
  ingress:
    -from:
      -namespaceSelector:
         matchLabels:
           network.openshift.io/policy-group:console
  podSelector:{}
  policyTypes:
    -Ingress
EOF

in the project you like to get your web-terminal running, you'll need to add the additional network policies:

oc apply -f 02_net_pols.yaml

It would be nice if this is documented (e.g. official OCP docs) and if web-terminal also make it out of tech preview the following needs to happen:

• webconsole project needs to get a net-pol label
• operator must install into its own namespace with a label
• document the additional net pols that are required

[sleshchenko]

@duritong Thanks for raising this issue. We also have one on jira https://issues.redhat.com/browse/WTO-102 (see the issue description how to enable connections from openshift-operators namespace)

Also, pay attention that OpenShift Console 4.8 will work only if WTO is installed in openshift-operators namespace. We have an issue to improve it https://issues.redhat.com/browse/WTO-99