netpol: add changelog entry about breaking change - labels now needed

jupyterhub · Oct 17, 2020 · 92c57b7 · 92c57b7
1 parent 9391a29
commit 92c57b7
Showing 1 changed file with 23 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,17 +16,35 @@ Here you can find upgrade changes in between releases and upgrade instructions.
   known to be needed, with the exception of the user pods outgoing
   communication, where all outgoing communication is allowed by default.
 
-  Note that these network policies only influence network communication in a
+  Note that these NetworkPolicies only influence network communication in a
   Kubernetes cluster if a NetworkPolicy controller enforce them, such as Calico.
 
-  With network policies enabled, you may require additional configuration,
-  especially for deployments that include additional components that access
-  JupyterHub pods directly (i.e. not through the `proxy-public` service).
-
   See the [security
   documentation](https://zero-to-jupyterhub.readthedocs.io/en/latest/administrator/security.html#kubernetes-network-policies)
   for more details on this.
 
+- The
+  [NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+  created for the Helm chart's proxy pod is now correctly blocking incoming
+  traffic to it from other pods unless they are from a namespace that is
+  labelled with `hub.jupyter.org/network-access-proxy-http: "true"` or from a
+  pod with that label. This means that if your incoming traffic doesn't directly
+  comes from the proxy-public service which is configured as `type:
+  LoadBalancer` but through some other pod in your k8s cluster, you must either
+  label the namespace or the pod with
+  `hub.jupyter.org/network-access-proxy-http: "true"`.
+
+  So if you for example have deployed the
+  [ingress-nginx](https://kubernetes.github.io/ingress-nginx) Helm chart to
+  proxy traffic towards the JupyterHub proxy, then you can configure that Helm
+  chart like this if this Helm chart's NetworkPolicies are created and enforced.
+
+  ```
+  controller:
+    podLabels:
+      hub.jupyter.org/network-access-proxy-http: "true"
+  ```
+
 ## [0.9]
 
 ### [0.9.0] - 2020-04-15