diff --git a/modules/administration-guide/pages/configuring-network-policies.adoc b/modules/administration-guide/pages/configuring-network-policies.adoc index d5e1b45b72..65a2f7ed9d 100644 --- a/modules/administration-guide/pages/configuring-network-policies.adoc +++ b/modules/administration-guide/pages/configuring-network-policies.adoc @@ -38,12 +38,11 @@ spec: policyTypes: - Ingress ---- -==== -+ <1> The {prod-short} namespace. The default is `{prod-namespace}`. <2> The empty `podSelector` selects all Pods in the {orch-namespace}. - +==== ++ * OPTIONAL: In case you applied link:https://docs.openshift.com/container-platform/{ocp4-ver}/networking/network_policy/multitenant-network-policy.html[Configuring multitenant isolation with network policy], you also must apply `allow-from-openshift-apiserver` and `allow-from-workspaces-namespaces` NetworkPolicies to `{prod-namespace}`. The `allow-from-openshift-apiserver` NetworkPolicy allows incoming traffic from `openshift-apiserver` namespace to the `devworkspace-webhook-server` enabling webhooks. The `allow-from-workspaces-namespaces` NetworkPolicy allows incoming traffic from each user project to `che-gateway` pod. @@ -70,11 +69,10 @@ spec: policyTypes: - Ingress ---- -==== -+ <1> The {prod-short} namespace. The default is `{prod-namespace}`. <2> The `podSelector` only selects devworkspace-webhook-server pods +==== + .`allow-from-workspaces-namespaces.yaml` ==== @@ -86,9 +84,7 @@ metadata: name: allow-from-workspaces-namespaces namespace: {prod-namespace} <1> spec: - podSelector: - matchLabels: - app.kubernetes.io/component: che-gateway <2> + podSelector: {} <2> ingress: - from: - podSelector: {} 
@@ -98,11 +94,11 @@ spec: policyTypes: - Ingress ---- -==== -+ <1> The {prod-short} namespace. The default is `{prod-namespace}`. -<2> The `podSelector` only selects che-gateway pods +<2> The empty `podSelector` selects all pods in the {prod-short} namespace. +==== ++ .Additional resources * xref:configuring-namespace-provisioning.adoc[]
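Review bot: In the `@@ -38,12 +38,11 @@` hunk, the added `+` list continuation after the closing `====` is now followed directly by the sibling item `* OPTIONAL: ...`, so there is no block left for it to attach. The removed blank line used to separate the callouts from that item. Please check the rendered output for a stray `+` or an unintended nested list, and consider restoring the blank line in place of the continuation.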
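Review bot: In the `@@ -70,11 +69,10 @@` hunk, callout `<2>` ("The `podSelector` only selects devworkspace-webhook-server pods") has no closing period and leaves the pod name unformatted, while the other callouts in this patch end with a period. Since the line is being moved inside the example block anyway, suggest `<2> The `podSelector` only selects `devworkspace-webhook-server` pods.`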
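Review bot: In the `@@ -86,9 +84,7 @@` hunk, replacing the `app.kubernetes.io/component: che-gateway` selector with `podSelector: {}` widens the ingress rule from the gateway pod to every pod in `{prod-namespace}`, and the patch gives no reason for the broader scope. The introductory sentence kept as context in the first hunk still says this policy "allows incoming traffic from each user project to `che-gateway` pod", which no longer matches the manifest. Either keep the label selector so that only the gateway is reachable from user projects, or update that sentence and state which other pods need this traffic.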
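Review bot: In the `@@ -98,11 +94,11 @@` hunk, the `+` continuation added after `====` sits immediately before `.Additional resources`, which may attach that section to the last list item instead of leaving it at the top level of the page. Please confirm the rendering and drop the trailing `+` if the section ends up indented under the list. The new callout `<2>` also writes "pods" in lower case while the matching callout in the first hunk writes "Pods". Pick one form for both.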