OpenShift Virtualization allows virtual machines (VMs) to run natively on Kubernetes alongside container workloads. Using Multus CNI, VMs can attach to secondary networks such as VLAN-backed networks to communicate directly with the physical network infrastructure.
MultiNetworkPolicy extends Kubernetes Network Policy functionality to these secondary networks, enabling administrators to implement workload-level micro segmentation and enforce granular traffic control for virtual machines and pods.
The solution provides:
Important prerequisites:
1. Secondary Network Must Use OVN-Kubernetes
MultiNetworkPolicy is supported only with OVN-Kubernetes secondary networks.
If the secondary network is created using Linux bridge, MultiNetworkPolicy is not supported.
2. Enable MultiNetworkPolicy on OpenShift Cluster
Enable MultiNetworkPolicy support cluster-wide by patching the cluster network operator configuration:
oc patch networks.operator.openshift.io cluster --type=merge -p '
spec:
  useMultiNetworkPolicy: true
'
User Story
As a virtual machine administrator, I want virtual machines connected to a secondary VLAN network (vlan20-net) to allow only approved application traffic (TCP/80) for both ingress and egress communication while blocking all other traffic, so that workloads are securely isolated and only authorized communication is permitted.
Important Note
By default, OpenShift Virtualization VMs connected to secondary networks do not have any MultiNetworkPolicy applied.
Without a policy:
The virtual machine vm1 was successfully deployed and connected to the secondary VLAN network (vlan20-net). After the VM was up and running, both the Apache HTTP server (httpd) and Cockpit management service were installed and enabled.
From the jump box located outside the OpenShift cluster, I was able to access both the Cockpit management console on port 9090 and the Apache HTTP service on port 80 running on the vm1 virtual machine.
Since no MultiNetworkPolicy was applied at that stage, all inbound and outbound traffic was allowed by default on the secondary network, making the VM services externally reachable without any restrictions.
Let's create a MultiNetworkPolicy that blocks all traffic by default and allows only the required application port. You can also download the sample policy YAML file from the Git repository below and customize it for your environment and security requirements.
https://github.com/Dineshk1205/MultiNetworkPolicy.git
Apply the network policy file:
oc apply -f policy.yaml
The policy was applied successfully. You can validate the policy configuration from either the OpenShift web console or the CLI; MultiNetworkPolicy objects can be created and managed directly through the web console as well as with oc.
After applying the policy, only the HTTP service running on port 80 remained accessible. Access to the Cockpit service on port 9090, along with all other inbound and outbound traffic, was successfully blocked based on the MultiNetworkPolicy rules.
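As an added illustration of the user story above (this is not the policy.yaml from the author's repository, but an equivalent policy written for this post), the manifest below is a MultiNetworkPolicy for the vlan20-net secondary network that selects the virt-launcher pod of vm1, declares both Ingress and Egress policy types so everything not listed is denied, and permits only TCP/80 in both directions. The namespace name vm-demo is an assumption; the NetworkAttachmentDefinition is assumed to live in that same namespace, and the pod label kubevirt.io/domain: vm1 is the label KubeVirt places on the VM's virt-launcher pod (if your VM template sets its own labels, match on those instead).

```yaml
# Added example MultiNetworkPolicy (not the author's policy.yaml).
# Assumptions: namespace "vm-demo"; NetworkAttachmentDefinition "vlan20-net"
# in that namespace, backed by OVN-Kubernetes (Linux bridge is not supported).
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
metadata:
  name: vm1-allow-http-only
  namespace: vm-demo
  annotations:
    # Binds the policy to the secondary network, not to the pod network.
    k8s.v1.cni.cncf.io/policy-for: vm-demo/vlan20-net
spec:
  # Select the VM's virt-launcher pod. KubeVirt labels it with the VM
  # (domain) name; adjust the selector if you label your VM template.
  podSelector:
    matchLabels:
      kubevirt.io/domain: vm1
  # Listing both types makes this a default-deny policy for anything
  # not explicitly allowed below, including Cockpit on TCP/9090.
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # No "from" clause: TCP/80 is accepted from any source on vlan20-net,
  # which matches the user story (the jump box sits outside the cluster).
  - ports:
    - protocol: TCP
      port: 80
  egress:
  # No "to" clause: the VM may only open TCP/80 connections outbound.
  # Any other egress (for example DNS, NTP, SSH) on this interface is dropped.
  - ports:
    - protocol: TCP
      port: 80
```

After `oc apply -f policy.yaml`, confirm the object exists with `oc get multi-networkpolicy -n vm-demo`, then repeat the jump-box checks from earlier: curl to port 80 should still succeed while the connection to port 9090 should time out. Because the egress rule is restricted to TCP/80, any service the VM needs to reach on the VLAN (DNS resolvers, update mirrors, monitoring agents) must be added as an explicit egress rule, ideally with an ipBlock limiting the destination.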