Event Gateway network configuration
Configure network policies, ingress, and egress settings.
Configuring Event Gateway network policies on a Kubernetes Deployment
The Kubernetes Deployment of the Event Gateway supports configuration of inbound and outbound network policies.
Inbound network connections (ingress):
Network policies are used to control inbound connections to your Event Gateway pod. These connections can be from pods within the cluster, or from external sources.
When you install the Event Gateway, the required network policies are automatically created unless they are disabled through configuration options.
```
kubectl get netpol -n <gateway namespace>
```
NetworkPolicy resources on clusters with solutions that do not support policies has no effect on restricting traffic.

| Type | Origin | Port | Reason | Enabled in policy |
|---|---|---|---|---|
| TCP | Anywhere | 8092 | Kafka client communication | Always |

To disable the automatic creation of network policies, set spec.deployNetworkPolicies in the Event Gateway Kubernetes Deployment YAML to false.

Considerations for ingress:
Consider the use of a deny-all-ingress network policy to limit communication with all pods in a namespace to only those communications specifically allowed in network policies. A deny-all network policy is not created by default as it would interfere with other applications that are installed in the namespace that do not have the required network policies set to allow inbound communications.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
    - Ingress
```
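Before applying a deny-all-ingress policy, it helps to list the pods in the namespace that no existing allow rule selects, because those are the applications the policy would cut off. The following Python script is an added example, not part of the product documentation: it reads the output of `kubectl get pods,netpol -n <gateway namespace> -o json`, and the namespace, pod names and labels in the embedded sample are constructed.

```python
import json
import sys

def selector_matches(selector, labels):
    """Evaluate a Kubernetes label selector ({} selects every pod)."""
    for key, want in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != want:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, vals = expr["key"], expr["operator"], expr.get("values") or []
        if op in ("In", "NotIn") and (labels.get(key) in vals) != (op == "In"):
            return False
        if op in ("Exists", "DoesNotExist") and (key in labels) != (op == "Exists"):
            return False
    return True

def allows_ingress(policy):
    """True if the policy governs ingress and carries at least one allow rule."""
    spec = policy["spec"]
    return "Ingress" in spec.get("policyTypes", ["Ingress"]) and bool(spec.get("ingress"))

def pods_cut_off(items):
    """Names of pods that no ingress-allowing policy in their namespace selects."""
    policies = [i for i in items if i["kind"] == "NetworkPolicy" and allows_ingress(i)]
    cut_off = []
    for pod in (i for i in items if i["kind"] == "Pod"):
        meta = pod["metadata"]
        if not any(p["metadata"].get("namespace") == meta.get("namespace")
                   and selector_matches(p["spec"].get("podSelector") or {}, meta.get("labels") or {})
                   for p in policies):
            cut_off.append(meta["name"])
    return sorted(cut_off)

# Constructed sample; the namespace, pod names and labels are hypothetical.
SAMPLE = {"items": [
    {"kind": "Pod", "metadata": {"name": "gateway-0", "namespace": "eem", "labels": {"app": "gateway"}}},
    {"kind": "Pod", "metadata": {"name": "other-app-0", "namespace": "eem", "labels": {"app": "other"}}},
    {"kind": "NetworkPolicy", "metadata": {"name": "gateway-kafka", "namespace": "eem"},
     "spec": {"podSelector": {"matchLabels": {"app": "gateway"}}, "policyTypes": ["Ingress"],
              "ingress": [{"ports": [{"protocol": "TCP", "port": 8092}]}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny-ingress", "namespace": "eem"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
]}

if __name__ == "__main__":
    # Uses the sample unless kubectl JSON is piped in on stdin.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name in pods_cut_off(data["items"]):
        print("no inbound allow rule selects pod:", name)
```

Any pod the script reports needs its own allow policy before the deny-all policy is applied.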
Ingress default settings
- class: The ingress class name is set by default to nginx. Set the class field on endpoints to use a different ingress class.
- annotations: The following annotations are set by default on generated ingress endpoints:
  - ingress.kubernetes.io/ssl-passthrough: 'true'
  - nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  - nginx.ingress.kubernetes.io/ssl-passthrough: 'true'

```yaml
spec:
  listeners:
    - name: <listener-name>
      groups:
        - name: <group-name>
          endpoint:
            host: my-gateway.example.com
            annotations:
              some.annotation.foo: "true"
              some.other.annotation: value
```
Outbound network connections (egress)
| Type | Destination | Pod Label | Port | Reason |
|---|---|---|---|---|
| TCP | Event Endpoint Management | eem.ei.ibm.com/component=<INSTANCE_NAME> | 3000 | Registering with Event Endpoint Management |
| TCP | Kafka | User Supplied | Configuring gateway for Kafka |