Viewing a network policy

As a user with the admin role, you can view a network policy for a namespace.

Viewing network policies

You can examine the network policies in a namespace.

If you log in with a user with the cluster-admin role, then you can view any network policy in the cluster.

Prerequisites

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with admin privileges.

  • You are working in the namespace where the network policy exists.

Procedure

  • List network policies in a namespace:

    • To view network policy objects defined in a namespace, enter the following command:

      $ oc get networkpolicy

    • Optional: To examine a specific network policy, enter the following command:

      $ oc describe networkpolicy <policy_name> -n <namespace>

      where:

      <policy_name>

      Specifies the name of the network policy to inspect.

      <namespace>

      Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

      For example:

      $ oc describe networkpolicy allow-same-namespace

      Output for oc describe command

      Name:         allow-same-namespace
      Namespace:    ns1
      Created on:   2021-05-24 22:28:56 -0400 EDT
      Labels:       <none>
      Annotations:  <none>
      Spec:
        PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
        Allowing ingress traffic:
          To Port: <any> (traffic allowed to all ports)
          From:
            PodSelector: <none>
        Not affecting egress traffic
        Policy Types: Ingress

If you log in to the web console with cluster-admin privileges, you have a choice of viewing a network policy in any namespace in the cluster directly in YAML or from a form in the web console.

Example NetworkPolicy object

The following annotates an example NetworkPolicy object:

  kind: NetworkPolicy
  apiVersion: networking.k8s.io/v1
  metadata:
    name: allow-27107 # (1)
  spec:
    podSelector: # (2)
      matchLabels:
        app: mongodb
    ingress:
    - from:
      - podSelector: # (3)
          matchLabels:
            app: app
      ports: # (4)
      - protocol: TCP
        port: 27017

(1) The name of the NetworkPolicy object.
(2) A selector that describes the pods to which the policy applies. The policy object can only select pods in the project that defines the NetworkPolicy object.
(3) A selector that matches the pods from which the policy object allows ingress traffic. The selector matches pods in the same namespace as the NetworkPolicy.
(4) A list of one or more destination ports on which to accept traffic.
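
When reviewing more than a handful of policies, it helps to reduce each object to the same questions the oc describe output answers: which pods are selected, who may reach them, and on which ports. The following is an added example, not part of the original documentation or of the oc tooling; it assumes the policies were exported with oc get networkpolicy -o json, and the SAMPLE data and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `oc get networkpolicy -o json` output: the two
# policies shown on this page plus a hypothetical "deny-all" policy.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "allow-27107"},
  "spec": {"podSelector": {"matchLabels": {"app": "mongodb"}},
           "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "app"}}}],
                        "ports": [{"protocol": "TCP", "port": 27017}]}]}},
 {"metadata": {"name": "allow-same-namespace"},
  "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}],
           "policyTypes": ["Ingress"]}},
 {"metadata": {"name": "deny-all"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}]}""")

def selector_text(sel):
    """Render a label selector; an empty or absent one matches every pod."""
    sel = sel or {}
    parts = [f"{k}={v}" for k, v in sorted((sel.get("matchLabels") or {}).items())]
    parts += [f"{e['key']} {e['operator']}" for e in sel.get("matchExpressions") or []]
    return "pods with " + ",".join(parts) if parts else "all pods"

def peer_text(peer):
    """Describe one entry of an ingress rule's `from` list."""
    if "ipBlock" in peer:
        return "CIDR " + peer["ipBlock"]["cidr"]
    scope = "selected namespaces" if "namespaceSelector" in peer else "same namespace"
    return f"{selector_text(peer.get('podSelector'))} in {scope}"

def summarize(policy):
    """Return (target, rules, findings) for the ingress side of one policy."""
    spec = policy["spec"]
    target, rules, findings = selector_text(spec.get("podSelector")), [], []
    if "Ingress" not in (spec.get("policyTypes") or ["Ingress"]):
        return target, rules, findings          # policy does not affect ingress
    if not spec.get("ingress"):
        findings.append("no ingress rules: this policy allows no ingress to target")
    for rule in spec.get("ingress") or []:
        # A rule without `from` admits any source; without `ports`, any port.
        peers = [peer_text(p) for p in rule.get("from") or []] or ["any source"]
        ports = [f"{p.get('protocol', 'TCP')}/{p.get('port', 'any')}"
                 for p in rule.get("ports") or []] or ["any port"]
        rules.append((peers, ports))
        if peers == ["any source"]:
            findings.append("rule allows ingress from any source")
    return target, rules, findings

if __name__ == "__main__":
    for pol in SAMPLE["items"]:
        print(pol["metadata"]["name"], *summarize(pol), sep=" | ")
```

Network policies are additive, so a finding on one policy describes only what that policy contributes; the effective ingress for a pod is the union of every policy that selects it.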