Documented tenantPolicies.network.disableIntraTenantNetworking (#191)

Co-authored-by: Karl Johan Grahn <[email protected]>
stakater · Nov 13, 2024 · c5ab886 · c5ab886
1 parent 46680fc
commit c5ab886
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 0 deletions.
diff --git a/content/crds-api-reference/integration-config.md b/content/crds-api-reference/integration-config.md
@@ -125,6 +125,9 @@ spec:
           namespace: ''
       config:
         ssoClient: vault
+  tenantPolicies:
+    network:
+      disableIntraTenantNetworking: true
 ```
 
 Following are the different components that can be used to configure multi-tenancy in a cluster via Multi Tenant Operator.
@@ -605,3 +608,26 @@ components:
 ```
 
 After modifying your default IntegrationConfig in `multi-tenant-operator` namespace, a configmap named `opencost-custom-pricing` will be updated. You will be able to see updated pricing info in `mto-console`.
+
+## TenantPolicies
+
+`tenantPolicies` contains settings to configure additional tenant isolation.
+
+```yaml
+tenantPolicies:
+  network:
+    disableIntraTenantNetworking: true
+```
+
+### Network
+
+Configure how tenants are allowed to communicate
+
+```yaml
+network:
+  disableIntraTenantNetworking: true
+```
+
+- `disableIntraTenantNetworking`: (Default false) Disallow tenants communicating with other tenants by deploying NetworkPolicies.
+
+> ⚠️ This will disable **only** intra-tenant networking. In cases requiring stricter filtering, this setting should be turned off and the stricter NetworkPolicies deployed through [Templates](template.md) or manually. If you need help with your enterprise environment, do not hesitate to [contact us.](https://www.stakater.com/contact-us)
diff --git a/content/explanation/tenant-policies/networking.md b/content/explanation/tenant-policies/networking.md
@@ -0,0 +1,44 @@
+# Networking tenant policies
+
+The networking tenant policies limit how tenants can communicate with each other.
+
+## Disable intra-tenant networking
+
+```yaml title="Integration Configuration"
+apiVersion: v1beta1
+kind: integrationconfigs.tenantoperator.stakater.com
+spec:
+    # other fields...
+    tenantPolicies:
+        network:
+            disableIntraTenantNetworking: true
+```
+
+The flag works by deploying a set of `NetworPolicies` for each tenant which filters incoming traffic coming from another tenants namespace. It allows all other traffic.
+
+The `NetworkPolicy` is as follows:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: disable-intra-tenant-networking-${tenant} # tenant will be substituted for the tenant-name
+  namespace: test # Will be deployed to all the tenants namespaces
+spec:
+  podSelector: {} # The rule selects all pods
+  policyTypes:
+    - Ingress # We only filter incoming traffic
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchExpressions:
+            - key: stakater.com/tenant
+              operator: DoesNotExist
+      - namespaceSelector:
+          matchLabels:
+          stakater.com/tenant: ${tenant}
+```
+
+### Demo
+
+![Disable intra-tenant networking demo](../../images/disableIntraTenantNetworkingDemo.gif)
diff --git a/content/images/disableIntraTenantNetworkingDemo.gif b/content/images/disableIntraTenantNetworkingDemo.gif