
PaaS FAQ

How do I delete a project deployed to PaaS completely?

This is done by removing the entire namespace in Kubernetes. Currently this has to be done by a PaaS administrator in the Platon team. Contact us on Teams or Slack and we will help you.

How do I get my service on <service name>.sikt.no instead of <service name>.paas2.uninett.no?

A CNAME DNS record needs to be created pointing to the PaaS cluster Ingress Load Balancer. Send a request to hjelp@sikt.no with information about the desired DNS entries. For example, for the service my-service.sikt.no the CNAME record would be:

my-service.sikt.no -> paas2-ingress.lb.uninett.no

Then configure your .gitlab-ci.yml to use the new DNS entry. Example of how to set this when using our helper scripts for PaaS deployment:

variables:
  KUBE_PROD_DOMAIN: my-service.sikt.no
  KUBE_TEST_ID: my-service

Note that when using the deploy component, the staging deployment will still be on:

my-service-staging.paas2.uninett.no

How do I give new members added to a GitLab project access to the project's namespace in the PaaS cluster?

To update namespace access, go to PaaS Console and click the big blue "update pipeline configuration" button after adding or removing members in your GitLab project.

Automatic syncing of this is on Platon's TODO list.

Can I run a cronjob in PaaS?

Yes, this can be done using the CronJob resource.

See CronJob Example Project for a simple example deployment.

How can I restrict access to my web service to certain IP ranges?

This can be done using the whitelist-source-range annotation on your Ingress resource.

Example:

nginx.ingress.kubernetes.io/whitelist-source-range: '192.168.0.0/24,10.0.0.0/24'

See IP-adresser i Sikts lokalnett for an overview of Sikt network addresses.

How to send email from a container running in the PaaS cluster?

See Sending email from servers and PaaS.

How can I block egress traffic in my namespace?

In the project namespaces, a default NetworkPolicy exists which denies all ingress traffic (incoming traffic) while permitting all egress traffic (outgoing traffic). If you wish to block all egress traffic as well, remove the lines that authorize it, as illustrated below.

Change the default policy from:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default
  namespace: my-project-namespace
spec:
  egress:
    - {}
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default
  namespace: my-project-namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

This will result in all egress traffic also being blocked.

If you require more detailed or complex traffic policy rules, it's advisable to place these in distinct NetworkPolicy resources, rather than adding them to the default NetworkPolicy. This approach ensures better organization and easier management of your network policies.
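
An added example (not from the original page and not Sikt's own configuration) of such distinct policies, layered on top of the egress-blocking default: one restores DNS lookups for every pod, the other lets a single workload reach one external HTTPS destination. NetworkPolicies are additive, so these allow rules combine with the default deny. The policy names, the pod label app: my-service, the destination 192.0.2.0/24 and the cluster DNS labels are assumptions.

```yaml
# Added example. Assumed values: the cluster DNS pods carry k8s-app: kube-dns
# in kube-system (this may differ per cluster), pod label app: my-service,
# and destination 192.0.2.0/24 (documentation range, constructed).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: my-project-namespace
spec:
  podSelector: {}              # applies to every pod in the namespace
  policyTypes:
    - Egress
  egress:
    - to:
        # namespaceSelector and podSelector in ONE list item: both must match
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-service-allow-https-egress
  namespace: my-project-namespace
spec:
  podSelector:
    matchLabels:
      app: my-service          # only this workload gets the extra egress rule
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 192.0.2.0/24
      ports:
        - protocol: TCP
          port: 443
```

Without the DNS policy, pods under the egress-blocking default cannot resolve hostnames, which typically shows up as name-resolution timeouts rather than refused connections.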