From 4e62e36f3ac82dc93e702257835c73219fad8a1f Mon Sep 17 00:00:00 2001
From: Nicolas Marcq <nico.marcq@gmail.com>
Date: Sat, 12 Oct 2024 04:40:20 +0200
Subject: [PATCH] Multus configuration add namespace isolation (#11605)

#11594
---
 docs/CNI/multus.md                                          | 6 ++++++
 roles/network_plugin/multus/defaults/main.yml               | 1 +
 .../network_plugin/multus/templates/multus-daemonset.yml.j2 | 1 +
 3 files changed, 8 insertions(+)

diff --git a/docs/CNI/multus.md b/docs/CNI/multus.md
index 98d7554f8..c08ad6808 100644
--- a/docs/CNI/multus.md
+++ b/docs/CNI/multus.md
@@ -17,6 +17,12 @@ kube_network_plugin_multus: true
 
 will install Multus and Calico and configure Multus to use Calico as the primary network plugin.
 
+Namespace isolation enables a mode where Multus only allows pods to access custom resources (the `NetworkAttachmentDefinitions`) within the namespace where that pod resides. To enable namespace isolation:
+
+```yml
+multus_namespace_isolation: true
+```
+
 ### Cilium compatibility
 
 If you are using `cilium` as the primary CNI you'll have to set `cilium_cni_exclusive` to `false` to avoid cillium reverting multus config.
diff --git a/roles/network_plugin/multus/defaults/main.yml b/roles/network_plugin/multus/defaults/main.yml
index 2ddcc0f1a..a982ba6ba 100644
--- a/roles/network_plugin/multus/defaults/main.yml
+++ b/roles/network_plugin/multus/defaults/main.yml
@@ -7,3 +7,4 @@ multus_cni_conf_dir: "{{ ('/host', multus_cni_conf_dir_host) | join }}"
 multus_cni_bin_dir: "{{ ('/host', multus_cni_bin_dir_host) | join }}"
 multus_cni_run_dir: "{{ ('/host', multus_cni_run_dir_host) | join }}"
 multus_kubeconfig_file_host: "{{ (multus_cni_conf_dir_host, '/multus.d/multus.kubeconfig') | join }}"
+multus_namespace_isolation: false
diff --git a/roles/network_plugin/multus/templates/multus-daemonset.yml.j2 b/roles/network_plugin/multus/templates/multus-daemonset.yml.j2
index 5f22d1bcb..43d1193a9 100644
--- a/roles/network_plugin/multus/templates/multus-daemonset.yml.j2
+++ b/roles/network_plugin/multus/templates/multus-daemonset.yml.j2
@@ -61,6 +61,7 @@ spec:
         - "--cni-bin-dir={{ multus_cni_bin_dir }}"
         - "--multus-conf-file={{ multus_conf_file }}"
         - "--multus-kubeconfig-file-host={{ multus_kubeconfig_file_host }}"
+        - "--namespace-isolation={{ multus_namespace_isolation | string | lower }}"
         resources:
           requests:
             cpu: "100m"