This section describes how to enable project network isolation.

After enabling project network isolation, pods in the current project can no longer be reached by pods from other projects, by the host network of cluster nodes, or by any network segment outside the cluster.

Enabling project network isolation does not restrict egress traffic by default, but you can choose to restrict it as well. Once egress traffic is restricted, pods in the current project cannot reach other projects and can only access resources within the current project.

Even with project network isolation (including egress traffic restriction) enabled, you can add a whitelist that allows specific projects, services, network segments, or ports to communicate with pods in the current project.

Prerequisites

  • You must be a member of a project and hold the Project Network Isolation Management permission in that project. For more information, see Project Members and Project Roles.

  • The KubeSphere Network extension must be installed in the cluster to which the project belongs.

Steps

  1. Log in to the KubeSphere web console with a user who has Project Network Isolation Management permissions and enter your workspace.

  2. Click Service Network > Project Network Isolation in the left navigation pane.

  3. Select a project from the drop-down list in the upper left corner of the page.

  4. (Optional) Check Egress Traffic Restriction to prevent pods in the project from accessing other projects.

  5. Click the switch on the right to enable or disable project network isolation.

    Note

    After "Project Network Isolation" is enabled, "Egress Traffic Restriction" cannot be checked or unchecked. To change it, disable "Project Network Isolation" first, check or uncheck "Egress Traffic Restriction", and then enable isolation again.
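The console switch described above hides the policy objects that implement it. The following NetworkPolicy is an added illustration, not the policy the KubeSphere Network extension generates, showing what the three behaviours on this page (ingress isolation, optional egress restriction, and a whitelist) look like in plain Kubernetes terms. The project name `demo-project`, the whitelisted project `trusted-project`, the CIDR `192.0.2.0/24` and port `8080` are placeholders; the `kubernetes.io/metadata.name` label is set on every namespace by Kubernetes 1.21 and later.

```yaml
# Added illustration of project network isolation as a hand-written NetworkPolicy.
# Not the object the KubeSphere Network extension creates; names are placeholders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: project-isolation-example   # hypothetical name
  namespace: demo-project           # placeholder for the isolated project
spec:
  podSelector: {}                   # applies to every pod in the project
  policyTypes:
    - Ingress
    - Egress                        # remove this entry (and the egress section) to leave egress unrestricted
  ingress:
    # Default after enabling isolation: only pods in the same project may reach pods here.
    - from:
        - podSelector: {}
    # Whitelist entry: allow one other project, selected by its namespace name.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: trusted-project
    # Whitelist entry: allow one external network segment, limited to a single port.
    - from:
        - ipBlock:
            cidr: 192.0.2.0/24      # placeholder (documentation range)
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Egress Traffic Restriction: pods may only reach resources in the same project.
    - to:
        - podSelector: {}
    # Assumption added here, not stated on the page: cluster DNS is still allowed,
    # because service-name resolution breaks without it.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
```

To confirm that isolation actually took effect after flipping the switch, list the policies in the project's namespace (`kubectl get networkpolicy -n <project>`) and check that the selectors match the projects, segments and ports you whitelisted. A NetworkPolicy is only enforced by a CNI plugin that supports it, which is why the Network extension is a prerequisite; without enforcement the objects exist but traffic is not blocked.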