There are two scripts housed here.
- A script for blocking all ingress/egress on all deployments within an openshift cluster using NetworkPolicies
- A script to allow all ingress/egress again by removing afformentioned network policies
- These scripts will work on any OpenShift cluster regardless of cloud provider (we have tested on Azure and AWS)
These scripts filter on namespaces beginning with kube or openshift so the api server remains accessible to undo the applied NPs
- An environment in which to simulate a network fault
- this may be a single cluster, or a single cluster in a clusterset with a failover cluster
- the kubeadmin login credentials for the afformentioned cluster
- Replace the
$username,$passwordand$apiurlin both the deny_traffic.sh and allow_traffic.sh scripts with the credentials of the cluster you wish to simulate a fault on. - Delete all of the YAML files in the ./yaml directory.
- If you wish to select namespaces to be excluded from the policy add them to line 34 as an
|| [[ $project = <'condition'>* ]]if condition. - Run the 'deny_traffic.sh' script by executing
sh deny_traffic.shin your terminal.
This should take approximately 20-30 seconds to run, but this varies greatly with the number of namespaces on your cluster
-
Once this script is finished executing, all ingress and egress traffic will be blocked for all pods that are not whitelisted in the deny_traffic.sh script. Routes should be entirely unavailable.
-
The YAML files for the applied network policy will be visible in the ./yaml directory should you wish to modify/view them (i.e. to allow or deny specific addresses or ports).
- To undo these network policies and allow ingress/egress to all pods in the cluster run
sh allow_traffic.shfrom your terminal.
If you applied filters to your deny_traffic.sh script you may want to apply these same filters to your allow_traffic.sh script to avoid the unintended removal of any deny_traffic network policies.