Isolating namespaces and proxies after IBM Cloud Private installation

You can configure namespace and proxy isolation after you install your IBM Cloud Private cluster.

• Enabling namespace and proxy isolation
• Modifying namespace isolation
• Modifying proxy isolation
• Deleting namespace isolation
• Deleting proxy group isolation

Enabling namespace and proxy isolation

1. Add a host group. For more information, see Adding a host group.
2. Update the config.yaml file with the configuration for enabling namespace and proxy isolation. For more information, see Isolating namespaces and proxies during IBM Cloud Private installation.
3. Run the following command to isolate namespaces and proxies:

   sudo docker run --net=host -t -e LICENSE=accept \
   -v "$(pwd)":/installer/cluster ibmcom/icp-inception:3.1.2 env-isolation
   

Modifying namespace isolation

You can change or add namespaces or host groups that are configured for namespace isolation.

1. Update the isolated_namespaces: parameter in the <installation_directory>/cluster/ config.yaml file. For example, change the configuration from isolated_namespaces: [{ namespace: devops, hostgroup: worker-dev }] to isolated_namespaces: [{ namespace: devops, hostgroup: worker-dev-modified }].

2. Run the following command to implement the changes:

   sudo docker run --net=host -t -e LICENSE=accept \
   -v "$(pwd)":/installer/cluster ibmcom/icp-inception:3.1.2 env-isolation
   

   After you run the command, host group for namespace devops is modified to worker-dev-modified in the example.

Modifying proxy isolation

You can change or add namespaces or proxy host groups that are configured for proxy isolation. Complete these steps:

1. Delete the Helm release nginx-ingress-<hostgroup-name>. For more information about deleting a Helm release, see Managing Helm releases.
2. Update the isolated_proxies: parameter in the <installation_directory>/cluster/ config.yaml file.
3. Run the following command to implement the changes:

   sudo docker run --net=host -t -e LICENSE=accept \
   -v "$(pwd)":/installer/cluster ibmcom/icp-inception:3.1.2 env-isolation
   

Deleting namespace isolation

You can delete a namespace isolation. The namespace is not deleted. Only the namespace isolation is deleted.

1. Remove the namespace from the config.yaml file that is in the <installation_directory>/cluster folder. For example, change the configuration from isolated_namespaces: [{namespace: production, hostgroup: worker-prod }] to isolated_namespaces: [{namespace: test, hostgroup: worker-test}].

2. Run the following command to remove the namespace isolation:

   sudo docker run --net=host -t -e LICENSE=accept \
   -v "$(pwd)":/installer/cluster ibmcom/icp-inception:3.1.2 env-isolation
   

   After you run the command, isolation for namespace production is deleted and isolation for namespace test is added.

Deleting proxy group isolation

To delete isolation of a proxy group, complete these steps:

1. Remove the proxy group entry that you want to delete from the isolated_proxies parameter in the config.yaml file. For example, to remove proxy isolation for proxyprod host group, change the configuration from isolated_proxies: [{namespace: devops, hostgroup: proxydev, lb_address: 172.68.20.11}, {namespace: production, hostgroup: proxyprod}] to isolated_proxies: [{namespace: devops, hostgroup: proxydev, lb_address: 172.68.20.11}] in the config.yaml file.

2. Delete the Helm release nginx-ingress-<hostgroup-name>. For more information about deleting a Helm release, see Managing Helm releases.

The proxy host group is not deleted. Only the proxy group isolation is deleted.