How to allow access to Mongo from a workspace in v4.x
In Domino 4.x, we deploy Kubernetes Network Policies by default to restrict access to internal components. As a result, old scripts written for 3.x that read directly from Mongo fail.
To re-enable this access, edit the "mongodb-replicaset" network policy in Kubernetes, under your Domino platform namespace. The default policy spec looks something like this (it might differ based on version):
```yaml
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: mongodb-replicaset
      app.kubernetes.io/name: mongodb-replicaset
  ingress:
    - ports:
        - protocol: TCP
          port: 27017
      from:
        - podSelector:
            matchLabels:
              mongodb-replicaset-client: 'true'
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: mongodb-replicaset
              app.kubernetes.io/name: mongodb-replicaset
    - ports:
        - protocol: TCP
          port: 9216
      from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
  policyTypes:
    - Ingress
```
To enable access for all workflows on a given hardware tier ("ADMIN", for example), add another ingress rule to this list that looks like:
```yaml
- ports:
    - protocol: TCP
      port: 27017
  from:
    - podSelector:
        matchLabels:
          dominodatalab.com/hardware-tier-id: ADMIN
      namespaceSelector:
        matchLabels:
          domino-compute: 'true'
```
Some notes on this:
- A new rule is required for each hardware tier
- Mongo is isolated for security reasons. It is not recommended to open this up to a wide audience; keep it only for specific use cases
- Depending on your version of Domino, you may not have the "domino-compute: true" label attached to your compute namespace. If not, you'll have to add this label to the namespace
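
The following check is an added example, not part of the original article or Domino's tooling. It classifies each `from` entry that covers port 27017 so you can confirm the new rule keeps `podSelector` and `namespaceSelector` in one entry (both must match) rather than in two entries (either may match, which opens Mongo to every pod in the compute namespace). The function names and the sample policies are constructed for illustration; feed it the output of `kubectl get networkpolicy mongodb-replicaset -o json` from your platform namespace.

```python
import json
import sys

MONGO_PORT = 27017

def _is_empty(selector):
    # An empty selector ({}) matches everything in its scope.
    return not selector.get("matchLabels") and not selector.get("matchExpressions")

def classify_peer(peer):
    """Describe how widely one `from` entry opens the port."""
    if peer is None:
        return "any-source"              # rule has no `from`: all sources allowed
    if "ipBlock" in peer:
        return "ip-block"
    pod, ns = peer.get("podSelector"), peer.get("namespaceSelector")
    if pod is None or _is_empty(pod):
        return "whole-namespace"         # every pod in the selected namespace(s)
    # podSelector alone only matches pods in the policy's own namespace.
    return "scoped-cross-namespace" if ns is not None else "same-namespace-only"

def audit(policy, port=MONGO_PORT):
    """Return (classification, peer) for each source allowed to reach `port`."""
    findings = []
    for rule in policy.get("spec", {}).get("ingress", []):
        ports = rule.get("ports") or []
        # A rule without a ports list applies to every port.
        if ports and not any(p.get("port") == port for p in ports):
            continue
        for peer in rule.get("from") or [None]:
            findings.append((classify_peer(peer), peer))
    return findings

def too_wide(policy, port=MONGO_PORT):
    return [f for f in audit(policy, port) if f[0] in ("any-source", "whole-namespace")]

# Constructed sample policies (labels taken from the rule shown above).
TIER = {"matchLabels": {"dominodatalab.com/hardware-tier-id": "ADMIN"}}
COMPUTE = {"matchLabels": {"domino-compute": "true"}}

def policy_with(peers):
    return {"spec": {"ingress": [{"ports": [{"protocol": "TCP", "port": 27017}],
                                  "from": peers}]}}

INTENDED = policy_with([{"podSelector": TIER, "namespaceSelector": COMPUTE}])
SPLIT = policy_with([{"podSelector": TIER}, {"namespaceSelector": COMPUTE}])

if __name__ == "__main__":
    for kind, peer in audit(json.load(sys.stdin)):
        print(f"{kind:24} {json.dumps(peer)}")
```

Any `whole-namespace` or `any-source` line on port 27017 means the policy is wider than the per-tier access described above.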