How to Allow access to mongo from a workspace in v4.x

vaibhav.dhawan (Member, Administrator, Moderator, Domino; Posts: 6; admin)

In Domino 4.x, by default we deploy Kubernetes Network Policies to restrict access to internal components. This causes older scripts written for 3.x that read directly from Mongo to fail.

In order to re-enable this, you'll need to edit the "mongodb-replicaset" network policy in Kubernetes, under your Domino platform namespace. The default policy spec looks something like this (it might differ based on version):

spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: mongodb-replicaset
      app.kubernetes.io/name: mongodb-replicaset
  ingress:
    - ports:
        - protocol: TCP
          port: 27017
      from:
        - podSelector:
            matchLabels:
              mongodb-replicaset-client: 'true'
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: mongodb-replicaset
              app.kubernetes.io/name: mongodb-replicaset
    - ports:
        - protocol: TCP
          port: 9216
      from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
  policyTypes:
    - Ingress


In order to enable access for all workflows on a given hardware tier ("ADMIN" for example), add another ingress rule to this list that looks like:

    - ports:
        - protocol: TCP
          port: 27017
      from:
        - podSelector:
            matchLabels:
              dominodatalab.com/hardware-tier-id: ADMIN
          namespaceSelector:
            matchLabels:
              domino-compute: 'true'


Some notes on this:

  • A new rule is required for every different tier
  • Mongo is isolated for security reasons. It is not recommended to open this up to a wide audience; keep it only for specific use cases
  • Because the podSelector and namespaceSelector sit in the same "from" entry, both must match: only pods carrying the hardware-tier label that also run in a namespace labelled domino-compute: 'true' are admitted
  • Depending on your version of Domino, you may not have the domino-compute: 'true' label attached to your compute namespace. If not, you'll have to add this label to the namespace
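As an added example (not Domino's code and not a substitute for kubectl), the following models the subset of NetworkPolicy semantics the policy above relies on (matchLabels only, TCP ports) so you can check what the extra hardware-tier rule admits and denies before applying it. The platform namespace name is an assumption; the policy spec is a constructed copy of the one shown above.

```python
# Added example: minimal evaluator for the mongodb-replicaset NetworkPolicy ingress rules.
# It is not Domino's code; it mirrors only matchLabels selectors and TCP ports.
import copy

PLATFORM_NS = "domino-platform"  # assumption: the namespace the policy is deployed in

# Constructed copy of the default policy spec from the page.
DEFAULT_SPEC = {
    "podSelector": {"matchLabels": {"app.kubernetes.io/instance": "mongodb-replicaset",
                                    "app.kubernetes.io/name": "mongodb-replicaset"}},
    "ingress": [
        {"ports": [{"protocol": "TCP", "port": 27017}],
         "from": [{"podSelector": {"matchLabels": {"mongodb-replicaset-client": "true"}}},
                  {"podSelector": {"matchLabels": {"app.kubernetes.io/instance": "mongodb-replicaset",
                                                   "app.kubernetes.io/name": "mongodb-replicaset"}}}]},
        {"ports": [{"protocol": "TCP", "port": 9216}],
         "from": [{"podSelector": {"matchLabels": {"app.kubernetes.io/name": "prometheus"}}}]},
    ],
    "policyTypes": ["Ingress"],
}

def with_tier_rule(spec, tier_id):
    """Return a copy of spec with the page's per-hardware-tier ingress rule appended."""
    new = copy.deepcopy(spec)
    new["ingress"].append({
        "ports": [{"protocol": "TCP", "port": 27017}],
        # podSelector and namespaceSelector in ONE peer: both must match (AND).
        "from": [{"podSelector": {"matchLabels": {"dominodatalab.com/hardware-tier-id": tier_id}},
                  "namespaceSelector": {"matchLabels": {"domino-compute": "true"}}}],
    })
    return new

def _matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(spec, pod_labels, pod_ns, ns_labels, port, proto="TCP"):
    """True if a pod with these labels, in namespace pod_ns, may reach Mongo on port."""
    for rule in spec["ingress"]:
        if not any(p["protocol"] == proto and p["port"] == port for p in rule["ports"]):
            continue
        for peer in rule["from"]:
            pod_ok = _matches(peer["podSelector"], pod_labels) if "podSelector" in peer else True
            if "namespaceSelector" in peer:
                ns_ok = _matches(peer["namespaceSelector"], ns_labels)
            else:  # a bare podSelector only admits pods in the policy's own namespace
                ns_ok = pod_ns == PLATFORM_NS
            if pod_ok and ns_ok:
                return True
    return False
```

Running it against a compute pod labelled with a different tier, or in a namespace missing the domino-compute label, returns False, which is the behaviour the notes above describe.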