automationiberia/ocp-anp-banp
Demo NetworkPolicies vs AdminNetworkPolicies on OpenShift

This repository contains automation and manifests to deploy multiple test applications (webmirinda-X) across namespaces and validate NetworkPolicy and AdminNetworkPolicy behavior in OpenShift with OVN-Kubernetes.


Repository Structure

  • scripts/

    • create-ns-app.sh Creates multiple namespaces (mirinda-1 … mirinda-N) labeled company=rh, deploys a demo httpd app (webmirinda-X) in each one and applies a NetworkPolicy to each of those namespaces. The NetworkPolicy allows ingress and egress traffic only between namespaces labeled company=rh. Finally, the script creates the namespace amador and deploys the same httpd application there, but without the company=rh label.

    • test-connectivity.sh Helper script to:

      • Gather ACL and Logical_Flow counts from an ovnkube-node pod.
      • Run curl-based connectivity tests between pods in ALLOWED_NS (mirinda-1, mirinda-2) and BLOCKED_NS (amador).
      • Validate that traffic is allowed/denied according to applied policies.
  • manifests/

    • admin-networkpolicy.yaml Example AdminNetworkPolicy that applies to namespaces labeled company=rh. This policy:

      • allows ingress traffic from namespaces labeled company=rh and denies any other ingress traffic;
      • allows egress traffic to namespaces labeled company=rh;
      • allows egress traffic to the internal OpenShift DNS resolver;
      • denies any other egress traffic.

    • networkpolicy.yaml Standard NetworkPolicy that allows ingress and egress only from/to namespaces labeled company=rh.


Usage

1. Deploy demo apps

By default, the script creates five namespaces (mirinda-1 … mirinda-5):

sh ./scripts/create-ns-app.sh

This will:

  • Create projects mirinda-1 … mirinda-5 labeled company=rh
  • Deploy webmirinda-X apps (based on UBI9 httpd)
  • Apply the NetworkPolicy (enable-company-rh) to each of those projects
  • Create the blocked amador project
  • Deploy the webcliamador app (based on UBI9 httpd)

2. Test connectivity with NetworkPolicies

After deployment, run:

sh ./scripts/test-connectivity.sh

This will:

  • Show OVN ACL and Logical Flow counts from an ovnkube-node pod
    == Información de OVN al inicio ===
    Número de ACLs:
    310
    Número de Logical_Flow UUIDs:
    1572
    ===================================
  • Test connectivity between:
    • Allowed namespaces (mirinda-1, mirinda-2) → should succeed ✅
    • Allowed → Blocked (mirinda-* → amador) → should fail ❌
    • Blocked → Allowed (amador → mirinda-*) → should fail ❌

3. Test connectivity with AdminNetworkPolicies

Make sure all NetworkPolicies are deleted:

for x in $(oc get ns | grep 'mirinda-' | awk '{print $1}'); do oc delete networkpolicy enable-company-rh -n "$x"; done

Apply the AdminNetworkPolicy, which has a similar effect to the previous network policies:

oc apply -f manifests/admin-networkpolicy.yaml

Run the connectivity tests again:

sh ./scripts/test-connectivity.sh

The test results should be the same as before, but the number of ACLs should be significantly lower:

  • Show OVN ACL and Logical Flow counts from an ovnkube-node pod
    == Información de OVN al inicio ===
    Número de ACLs:
    70
    Número de Logical_Flow UUIDs:
    1103
    ===================================
  • Test connectivity between:
    • Allowed namespaces (mirinda-1, mirinda-2) → should succeed ✅
    • Allowed → Blocked (mirinda-* → amador) → should fail ❌
    • Blocked → Allowed (amador → mirinda-*) → should fail ❌
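As an added example (not one of the repository's scripts), the allow/deny matrix that the AdminNetworkPolicy described above should produce, expressed as a shell model that checks observed curl results against it; the openshift-dns namespace, DNS port 53, the httpd port 8080 and the assumption that no other policy selects amador are mine, and every curl exit code is constructed.

```shell
#!/usr/bin/env sh
# Added example, not from the repository: models the allow/deny matrix that the
# AdminNetworkPolicy in the README should produce and checks curl results against it.
# openshift-dns, port 53 and httpd port 8080 are assumptions; exit codes are constructed.
# Namespace labels as create-ns-app.sh assigns them: mirinda-* carry company=rh, amador does not
ns_label() {
  case "$1" in
    mirinda-*) echo "company=rh" ;;
    *) echo "" ;;
  esac
}
# expected_verdict SRC DST PORT -> allow|deny, following the README's rules:
#  - the policy selects only company=rh namespaces, so traffic between two
#    unselected namespaces is untouched (assumes no other policy applies)
#  - selected namespaces accept ingress only from company=rh namespaces
#  - selected namespaces may send egress to company=rh namespaces or to the
#    cluster DNS resolver (assumed openshift-dns:53); all other egress is denied
expected_verdict() {
  sl=$(ns_label "$1"); dl=$(ns_label "$2"); port="${3:-8080}"
  if [ "$sl" = "company=rh" ] && [ "$dl" = "company=rh" ]; then echo allow
  elif [ "$sl" = "company=rh" ] && [ "$2" = "openshift-dns" ] && [ "$port" = "53" ]; then echo allow
  elif [ "$sl" != "company=rh" ] && [ "$dl" != "company=rh" ]; then echo allow
  else echo deny
  fi
}
# curl_verdict EXIT_CODE -> allow|deny (0 = HTTP reply received; 7 = refused, 28 = timeout)
curl_verdict() { [ "$1" -eq 0 ] && echo allow || echo deny; }
# check_matrix reads "SRC DST PORT CURL_EXIT" lines on stdin, prints each mismatch
# and returns the mismatch count (0 = every observation matches the policy model)
check_matrix() {
  mismatches=0
  while read -r src dst port rc; do
    [ -z "$src" ] && continue
    exp=$(expected_verdict "$src" "$dst" "$port")
    obs=$(curl_verdict "$rc")
    if [ "$exp" != "$obs" ]; then
      echo "MISMATCH $src -> $dst:$port expected=$exp observed=$obs (curl rc=$rc)"
      mismatches=$((mismatches + 1))
    fi
  done
  return "$mismatches"
}
# Demo over constructed observations (not captured from a cluster); 0 mismatches expected
check_matrix <<'EOF'
mirinda-1 mirinda-2 8080 0
mirinda-1 amador 8080 28
amador mirinda-1 8080 28
EOF
echo "mismatches: $?"
```

Feed the script real `SRC DST PORT CURL_EXIT` lines from a test run and any non-zero exit status points at a flow whose observed behaviour disagrees with the intended policy.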
