@@ -43,6 +43,31 @@ currently require the following versions _or newer_:
4343If you're using [ Remote IDEs] ( ../environments/editors.md ) , allow pop-ups; Coder
4444launches the Remote IDE in a pop-up window.
4545
46+ ## Network Policies
47+
48+ Coder uses
49+ [ Kubernetes NetworkPolicies] ( https://kubernetes.io/docs/concepts/services-networking/network-policies/ )
50+ to enforce network segmentation and tenant isolation within your cluster.
51+
52+ Coder's network isolation policy blocks all ingress traffic to workspaces except
53+ traffic from the control plane (this ensures that you can audit all traffic).
54+ However, the control plane does not specify egress rules; by default, it allows
55+ outbound traffic. However, you can still enforce a more specific network policy.
56+
57+ [ Container network interface (CNI)] ( https://github.com/containernetworking/cni#what-is-cni )
58+ plugins implement network segmentation and tenant isolation in the Kubernetes
59+ cluster. They enforce network boundaries between pods, preventing users from
60+ accessing other workspaces.
61+
62+ If your container network interface (CNI) plugin does not support NetworkPolicy
63+ enforcement, traffic between workspaces, and other containerized workloads
64+ within the same cluster will be permitted to communicate without restriction.
65+ Consider testing your container networking _ after_ installing Coder to ensure
66+ that the behavior is as expected.
67+
68+ > If you're not sure which CNI plugin, we suggest
69+ > [ Calico] ( https://docs.projectcalico.org/getting-started/kubernetes/quickstart ) .
70+
4671## Licenses
4772
4873The use of Coder deployments requires a license that's emailed to you.
0 commit comments