Event Gateway network configuration

Configure network policies, ingress, and egress settings.

Configuring Event Gateway network policies on a Kubernetes Deployment

The Kubernetes Deployment of the Event Gateway supports configuration of inbound and outbound network policies.

Inbound network connections (ingress):

Network policies are used to control inbound connections to your Event Gateway pod. These connections can be from pods within the cluster, or from external sources.

When you install the Event Gateway, the required network policies are automatically created unless they are disabled through configuration options.

To review the active network policies, run the following command:

  kubectl get netpol -n <gateway namespace>
The following table provides information about the network policies that are applicable to the Event Gateway pod.

  Type   Origin     Port   Reason                       Enabled in policy
  TCP    Anywhere   8092   Kafka client communication   Always

Note: Not all networking solutions support network policies. Creating NetworkPolicy resources on a cluster whose networking solution does not support policies has no effect on restricting traffic.

Note: To stop the automatic deployment of the Event Gateway's network policy, set spec.deployNetworkPolicies to false in the Event Gateway Kubernetes Deployment YAML.

Considerations for ingress:

Consider using a deny-all-ingress network policy so that inbound communication to every pod in the namespace is limited to the connections that other network policies explicitly allow. A deny-all policy is not created by default because it would break other applications installed in the same namespace that do not have network policies allowing their inbound communication.

To create a deny-all-ingress network policy, apply the following YAML to your cluster in the namespaces where you installed Event Gateways.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Ingress default settings

If you are not running on Red Hat OpenShift, the following ingress defaults are set unless overridden:
  • class: The ingress class name is set to nginx by default. Set the class field on an endpoint to use a different ingress class.

  • annotations: The following annotations are set by default on generated ingress endpoints:
      ingress.kubernetes.io/ssl-passthrough: 'true'
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
      nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
Ingress annotations can be overridden by specifying an alternative set of annotations on an endpoint. The following snippet is an example of overriding the annotations set on a gateway endpoint ingress.
   spec:
     listeners:
       - name: <listener-name>
         groups:
         - name: <group-name>
           endpoint:
             host: my-gateway.example.com
             annotations:
               some.annotation.foo: "true"
               some.other.annotation: value
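The following is an added example, not code from the documentation or from the Event Gateway operator. It models how an endpoint's generated Ingress picks up the non-OpenShift defaults listed above, and checks whether an annotation override such as the one in the snippet would drop TLS passthrough. It assumes that an endpoint-level annotations block replaces the default set rather than merging with it, which is how the wording "an alternative set of annotations" reads; the endpoint dictionary shape and the function names are the example's own.

```python
# Added example (not from the documentation, not the operator's own code):
# models how an endpoint's generated Ingress picks up the page's non-OpenShift
# defaults, and checks whether an annotation override would drop TLS passthrough.
# Assumption: an endpoint-level `annotations` block replaces the default set,
# as the page's wording ("an alternative set of annotations") suggests.
DEFAULT_CLASS = "nginx"
DEFAULT_ANNOTATIONS = {
    "ingress.kubernetes.io/ssl-passthrough": "true",
    "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
    "nginx.ingress.kubernetes.io/ssl-passthrough": "true",
}


def render_ingress(endpoint: dict) -> dict:
    """Produce the metadata/spec fragment of the Ingress for one gateway endpoint.
    `endpoint` mirrors the spec.listeners[].groups[].endpoint block: host,
    optional class, optional annotations (dictionary shape is the example's own)."""
    overrides = endpoint.get("annotations")
    annotations = dict(DEFAULT_ANNOTATIONS if overrides is None else overrides)
    return {
        "metadata": {"annotations": annotations},
        "spec": {
            "ingressClassName": endpoint.get("class", DEFAULT_CLASS),
            "rules": [{"host": endpoint["host"]}],
        },
    }


def passthrough_findings(ingress: dict) -> list:
    """Return one finding per default that an override removed. Without the
    ssl-passthrough annotation, ingress-nginx terminates TLS at the controller,
    so clients no longer see the gateway's own certificate; backend-protocol HTTPS
    is what tells the controller to speak TLS to the backend when it does proxy."""
    ann = ingress["metadata"]["annotations"]
    findings = []
    if ann.get("nginx.ingress.kubernetes.io/ssl-passthrough") != "true":
        findings.append("nginx.ingress.kubernetes.io/ssl-passthrough is not 'true': "
                        "TLS would terminate at the ingress controller, not the gateway")
    if ann.get("nginx.ingress.kubernetes.io/backend-protocol") != "HTTPS":
        findings.append("nginx.ingress.kubernetes.io/backend-protocol is not HTTPS")
    return findings


if __name__ == "__main__":
    # Constructed endpoint that applies the override from the snippet above.
    endpoint = {"host": "my-gateway.example.com",
                "annotations": {"some.annotation.foo": "true",
                                "some.other.annotation": "value"}}
    for finding in passthrough_findings(render_ingress(endpoint)):
        print("WARNING:", finding)
```

Running the script against the override from the snippet reports both defaults as missing, which is the point to check after any override: the gateway expects TLS to reach it end to end, so an override that is meant to add annotations still has to carry the ssl-passthrough and backend-protocol entries. Note also that ingress-nginx only honours ssl-passthrough when the controller runs with the --enable-ssl-passthrough flag.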

Outbound network connections (egress)

The following table provides information about the outbound network connections (egress) initiated by the Event Gateway pods.

Note: Egress policies are not added by default. Configure the egress policies based on your requirements.

  Type   Destination                 Pod Label                                  Port            Reason
  TCP    Event Endpoint Management   eem.ei.ibm.com/component=<INSTANCE_NAME>   3000            Registering with Event Endpoint Management
  TCP    Kafka                                                                  User supplied   Configuring gateway for Kafka
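The following is an added example, not code from the documentation or from IBM. It is a small model of Kubernetes NetworkPolicy semantics used to check how three policies combine: the default-deny-ingress policy from the ingress considerations above, the gateway's port-8092 allow rule from the ingress table, and a hand-written egress policy covering the two destinations in the egress table. The gateway pod labels, the allow policy's name, the namespace, the Event Endpoint Management instance name and the Kafka port are constructed for the example; only default-deny-ingress, port 8092, port 3000 and the eem.ei.ibm.com/component label come from the page.

```python
# Added example (not from the IBM documentation): a minimal model of Kubernetes
# NetworkPolicy ingress/egress evaluation. Policy names other than
# default-deny-ingress, pod labels, namespace and the Kafka port are constructed.
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class Policy:
    name: str
    namespace: str
    pod_selector: dict                   # {} selects every pod in the namespace
    policy_types: tuple                  # ("Ingress",), ("Egress",) or both
    ingress: list = field(default_factory=list)  # rules: {"from": [peers], "ports": [ints]}
    egress: list = field(default_factory=list)   # rules: {"to": [peers], "ports": [ints]}


def selects(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peers: list, peer, policy_ns: str) -> bool:
    """An empty from/to list means any source or destination, including traffic
    from outside the cluster (the table's "Anywhere"). A podSelector peer only
    matches pods in the policy's own namespace; ipBlock and namespaceSelector
    peers are not modelled here."""
    if not peers:
        return True
    if peer is None or peer.namespace != policy_ns:
        return False
    return any(selects(p.get("podSelector", {}), peer.labels) for p in peers)


def allowed(policies: list, direction: str, pod: Pod, peer, port: int):
    """Decide whether traffic is allowed for `pod` in `direction` ("Ingress" =
    into pod from peer, "Egress" = out of pod to peer) on `port`; peer is a Pod
    or None for outside the cluster. Returns (decision, reason). Kubernetes
    semantics: a pod selected by no policy of that type is open; otherwise the
    union of every matching rule is what is allowed."""
    applicable = [p for p in policies
                  if p.namespace == pod.namespace
                  and direction in p.policy_types
                  and selects(p.pod_selector, pod.labels)]
    if not applicable:
        return True, "no %s policy selects %s" % (direction.lower(), pod.name)
    for pol in applicable:
        rules = pol.ingress if direction == "Ingress" else pol.egress
        key = "from" if direction == "Ingress" else "to"
        for rule in rules:
            ports = rule.get("ports")             # missing "ports" means all ports
            if ports is not None and port not in ports:
                continue
            if peer_matches(rule.get(key, []), peer, pol.namespace):
                return True, "allowed by %s" % pol.name
    return False, "selected by %s, no matching rule" % ", ".join(p.name for p in applicable)


NS = "eem-gateways"                                                    # constructed
GATEWAY = Pod("event-gateway-0", NS, {"app": "event-gateway"})         # labels assumed
OTHER_APP = Pod("other-app-0", NS, {"app": "other-app"})               # constructed
EEM = Pod("eem-manager-0", NS, {"eem.ei.ibm.com/component": "my-eem"})  # instance name constructed
KAFKA = Pod("kafka-0", NS, {"app": "kafka"})                           # constructed

# Ingress policy the installer creates for the gateway (name and selector assumed):
# TCP from anywhere to 8092, as in the ingress table.
GATEWAY_INGRESS = Policy("event-gateway-ingress", NS, {"app": "event-gateway"}, ("Ingress",),
                         ingress=[{"from": [], "ports": [8092]}])

# The page's default-deny-ingress policy: selects every pod, allows nothing inbound.
DENY_ALL_INGRESS = Policy("default-deny-ingress", NS, {}, ("Ingress",))

# Hand-written egress policy for the two destinations in the egress table
# (Event Endpoint Management on 3000, Kafka on a user-supplied port; 9092 is constructed).
GATEWAY_EGRESS = Policy("event-gateway-egress", NS, {"app": "event-gateway"}, ("Egress",),
                        egress=[{"to": [{"podSelector": {"eem.ei.ibm.com/component": "my-eem"}}],
                                 "ports": [3000]},
                                {"to": [{"podSelector": {"app": "kafka"}}], "ports": [9092]}])


def scenarios() -> dict:
    """Decisions for a set of constructed connections, with and without deny-all."""
    with_deny = [GATEWAY_INGRESS, DENY_ALL_INGRESS, GATEWAY_EGRESS]
    without_deny = [GATEWAY_INGRESS, GATEWAY_EGRESS]
    return {
        "external->gateway:8092": allowed(with_deny, "Ingress", GATEWAY, None, 8092)[0],
        "external->gateway:8080": allowed(with_deny, "Ingress", GATEWAY, None, 8080)[0],
        "external->other-app:80 (deny-all)": allowed(with_deny, "Ingress", OTHER_APP, None, 80)[0],
        "external->other-app:80 (no deny-all)": allowed(without_deny, "Ingress", OTHER_APP, None, 80)[0],
        "gateway->eem:3000": allowed(with_deny, "Egress", GATEWAY, EEM, 3000)[0],
        "gateway->kafka:9092": allowed(with_deny, "Egress", GATEWAY, KAFKA, 9092)[0],
        "gateway->kafka:9093": allowed(with_deny, "Egress", GATEWAY, KAFKA, 9093)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print("%-40s %s" % (name, "ALLOW" if ok else "DENY"))
```

The output shows the two effects the text describes: with deny-all applied, the gateway still accepts Kafka clients on 8092 because the allow policy is unioned with it, but other-app in the same namespace loses all inbound traffic until it gets an allow policy of its own, which is why deny-all is not created by default. On the egress side, a policy that lists only the Event Endpoint Management and Kafka destinations denies every other outbound connection from the gateway pod, so a real egress policy also has to permit whatever else the pod needs, DNS resolution (UDP and TCP 53 to the cluster DNS pods) in particular.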