Enable Workspace Network Isolation
This section describes how to enable workspace network isolation.
After enabling workspace network isolation, pods belonging to that workspace cannot be accessed by clients outside the workspace, nor by clients outside the cluster to which they belong.
Enabling workspace network isolation does not restrict outbound traffic by default, but you can choose whether to restrict it. After restricting outbound traffic, the workspace will not be able to access other workspaces and can only access resources within the current workspace.
Even when workspace network isolation (including outbound traffic restriction) is enabled, you can add a whitelist to allow specific projects, services, network segments, or ports to communicate with pods in a project within the workspace.
Prerequisites
- You need to join a workspace and have the Workspace Network Isolation Management permission in the workspace. For more information, see Workspace Members and Workspace Roles.
- The cluster to which the workspace belongs needs to have the KubeSphere Network extension installed.
Steps
- Log in to the KubeSphere web console with a user who has Workspace Network Isolation Management permissions and enter your workspace.
- Click Service Network > Workspace Network Isolation in the left navigation pane.
- (Optional) Check Outbound Traffic Restriction to prevent the workspace from accessing other workspaces.
- Click the switch on the right to enable or disable workspace network isolation.

Note: After enabling "Workspace Network Isolation", you cannot enable or disable "Outbound Traffic Restriction". You need to disable "Workspace Network Isolation" first, then check or uncheck "Outbound Traffic Restriction".
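To make the semantics described above concrete, here is an added illustrative Kubernetes NetworkPolicy for one project (namespace) in a workspace; it is not the object the KubeSphere Network extension generates. The policy name, project name and workspace name "demo-workspace" are assumptions, and the whitelist CIDR and port are constructed values; the kubesphere.io/workspace label is the label KubeSphere places on a workspace's namespaces.

```yaml
# Added example: what workspace network isolation means for one project.
# Not generated by KubeSphere; names and values below are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: workspace-isolation-example   # assumed name
  namespace: demo-project             # assumed project (namespace) in the workspace
spec:
  podSelector: {}                     # applies to every pod in the project
  policyTypes:
    - Ingress
    - Egress        # remove Egress (and the egress section) to leave outbound traffic unrestricted
  ingress:
    # Default isolation: only pods in namespaces of the same workspace may connect.
    # Clients outside the workspace or outside the cluster match no rule and are denied.
    - from:
        - namespaceSelector:
            matchLabels:
              kubesphere.io/workspace: demo-workspace   # assumed workspace name
    # Whitelist entry: allow one network segment to reach one port (constructed values).
    - from:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Outbound Traffic Restriction: only resources in the same workspace are reachable.
    - to:
        - namespaceSelector:
            matchLabels:
              kubesphere.io/workspace: demo-workspace
    # Practical caveat: once egress is restricted, cluster DNS must stay reachable or
    # service names stop resolving (kube-system / kube-dns labels assumed standard).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

After enabling isolation in the console, `kubectl get networkpolicy -n <project>` shows the policies actually enforced in a project, which is the place to confirm that the ingress and egress rules match what you expect.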