Installing network policies for foundational services

Edit online

If you have a deny-all or allow-same-namespace policy in place, import and install network policies for IBM Cloud Pak foundational services.

Import and install network policies for foundational services to work in the following scenarios:

  • If you have the deny-all policy in place, the ingress traffic to all pods is not allowed.
  • If the cluster has allow-same-namespace policy in place, the communication between the pods across namespaces can be blocked.

If you do not use deny-all or allow-same-namespace policy, you do not need to import or install network policies.

For more information, see About network policy in Red Hat® OpenShift® Container Platform documentation.

Installing network policies

Edit online

You can install the network policies before or after installing foundational services if required.

  1. Log in to the cluster where you want to install network policies.

  2. Download the scripts and go to the installer_scripts directory. For more information, see Downloading scripts for additional configuration from specific version CASE bundle. Go to your downloaded installer_scripts/cp3-networkpolicy directory:

    cd ${installer_scripts}/cp3-networkpolicy

  3. Run the install_networkpolicy.sh script to install the network policies.

    Note: If you install network policies before installing foundational services, the script automatically creates the foundational services namespace. You can also specify a namespace by using the -n or -o option. For more information, see Script options.

Script options

Edit online

The following parameters can be modified while running the install_networkpolicy.sh script.

Table 1. Script parameters
Parameter Description Default
-n, --namespace Specify the namespace where the foundational services operand is installed.
-o, --operators-namespace Specify the namespace foundational services operator is installed Default is same namespace as operand.
-z, --zen-namespace Specify the namespace where the IBM Zen Service aka PlatformUI is installed. Default is same namespace as operand.
-u,--uninstall Uninstall foundational services network policies. Not applicable
-h, --help Print information about usage. Not applicable
-c, --cert-manager-namespace Specify the Cert Manager namespace if you installed Cert Manager.
-l, --licensing-namespace Specify the License Service namespace if you installed License Service.
-lsr, --licensing-svc-reporter-namespace Specify the License Service Reporter namespace if you installed License Service Reporter.
-flink, --flink-namespace Specify the IBM Flink namespace if you installed IBM Flink.
-opensearch, --opensearch-namespace Specify the IBM Opensearch namespace if you installed IBM Opensearch.
-e, --egress Install egress network policies. Not applicable

Example: Installing ingress network policies

Edit online

The following command runs the install_networkpolicy.sh script, and installs the ingress network policies in the following namespaces: foundational services operator and operand namespace for IM service, the IBM Cloud Pak namespace for Platform UI, IBM Cert Manager namespace, License Service namespace, License Service Reporter namespace, IBM Flink namespace, and IBM Opensearch namespace.

./install_networkpolicy.sh \
    -n <your-foundational-services-operand-namespace> \
    -o <your-foundational-services-operator-namespace>  \
    -z <zen-namespace> \
    -c <cert-manager-namespace> \
    -l <licensing-namespace> \
    -lsr <licensing-svc-reporter-namespace> \
    -flink <flink-namespace> \
    -opensearch <opensearch-namespace>

Example: Installing egress network policies

Edit online

The following command runs the install_networkpolicy.sh script, and installs the egress network policies in the following namespaces: foundational services operator and operand namespace for IM service, the IBM Cloud Pak namespace for Platform UI, IBM Cert Manager namespace, License Service namespace, License Service Reporter namespace, IBM Flink namespace, and IBM Opensearch namespace.

./install_networkpolicy.sh -e \
    -n <your-foundational-services-operand-namespace> \
    -o <your-foundational-services-operator-namespace>  \
    -z <zen-namespace> \
    -c <cert-manager-namespace> \
    -l <licensing-namespace> \
    -lsr <licensing-svc-reporter-namespace> \
    -flink <flink-namespace> \
    -opensearch <opensearch-namespace>

Example: Uninstalling network policies

Edit online

The following command runs the install_networkpolicy.sh script, and uninstalls the network policies from the following namespaces: foundational services operator and operand namespace for IM service, the IBM Cloud Pak namespace for Platform UI, IBM Cert Manager namespace, License Service namespace, License Service Reporter namespace, IBM Flink namespace, and IBM Opensearch namespace.

./install_networkpolicy.sh -u \
    -n <your-foundational-services-operand-namespace> \
    -o <your-foundational-services-operator-namespace>  \
    -z <zen-namespace> \
    -c <cert-manager-namespace> \
    -l <licensing-namespace> \
    -lsr <licensing-svc-reporter-namespace> \
    -flink <flink-namespace> \
    -opensearch <opensearch-namespace>