Configuring network policies
NetworkPolicies are an application-centric construct which specify how a Pod is allowed to communicate with various network ingress and egress endpoints or services over the network.
The entities that a Pod can communicate with are identified through a combination of the following three identifiers:
- Other Pods that are allowed (exception: a Pod cannot block access to itself).
- Namespaces that are allowed.
- IP blocks (exception: traffic to and from the node where a Pod is running is always allowed, regardless of the IP address of the Pod or the node).
When defining a NetworkPolicy based on a Pod or a namespace, a selector (see Labels and Selectors in the Kubernetes documentation) is used to specify what traffic is allowed to and from the Pod(s) that match the selector. When IP-based NetworkPolicies are created, the policies are instead defined in terms of IP blocks (CIDR ranges). For more information on network policies, refer to the Kubernetes documentation (kubernetes.io/docs/concepts/services-networking/network-policies/).
Out of the box Network Policies
For Certified Container deployments, a few default network policies are created out of the box, as required by the mandatory security guidelines. By default, all ingress and egress traffic is denied, with a few additional policies that allow communication within the cluster and on the ports configured in the Helm chart configuration:
- Deny all ingress traffic.
- Allow ingress traffic from all Pods in the current namespace of the cluster.
- Allow ingress traffic on the additional ports configured in the Helm values.
- Deny all egress traffic.
- Allow egress traffic within the cluster.
Additionally, custom ingress and egress policies can be configured in values.yaml to allow traffic to and from specific external service endpoints.
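The two default behaviours described above (deny everything, then allow traffic between Pods of the same namespace) are ordinary Kubernetes NetworkPolicy objects. The following manifests are an added illustration written for this page, not the chart's own rendered templates; the namespace name `my-namespace` is an assumption. They show what "deny all" and "allow within the namespace" look like in API terms, which is useful when reviewing what the chart deploys or when adding policies externally with the Kubernetes or OpenShift CLI:

```yaml
# Added illustration, not the Certified Container chart's own manifests.
# Namespace name "my-namespace" is an assumed placeholder.
#
# 1. Default deny: selecting every Pod (podSelector: {}) and listing both
#    policy types with no ingress/egress rules denies all traffic in
#    both directions for every Pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: my-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2. Allow ingress from all Pods in the same namespace. NetworkPolicies
#    are additive: this rule opens same-namespace traffic on top of the
#    deny-all policy above, but leaves traffic from other namespaces and
#    from outside the cluster denied. An empty podSelector inside "from"
#    matches every Pod in the policy's own namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-ingress
  namespace: my-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
```

Two practical checks follow from this shape. First, NetworkPolicy enforcement depends on the cluster's network plugin (CNI); on a cluster whose CNI does not implement NetworkPolicy, these objects are accepted by the API server but have no effect, so verify enforcement (for example, by testing a connection that should be blocked) rather than assuming it from the presence of the objects. Second, a default-deny egress policy also blocks DNS lookups unless egress to the cluster's DNS service is allowed, which is why an "allow egress within the cluster" policy accompanies the deny-all egress policy in the defaults listed above.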
Defining Custom Network Policies
You can enable (the default) or disable deployment of the out-of-the-box ingress and egress network policies at the global level using the Helm chart configuration. You can also configure custom network policies using the "networkPolicies" configuration section if you want those policies to be deployed and managed as part of the Certified Container deployment. Network policies can also be added externally using the Kubernetes or OpenShift command line or user interfaces.
When defining custom policies using the Certified Container configuration, the policies can be added either at the global level (applicable to all application Pods) or at the individual deployment level for all ASI, AC or API Pods. You can add multiple custom policies to the networkPolicies.ingress.customPolicies or networkPolicies.egress.customPolicies configuration array:
networkPolicies:
  ingress:
    enabled: true
    customPolicies:
    #- name:
    #  fromSelectors:
    #  - namespaceSelector:
    #      matchLabels:
    #        name: my-source-namespace
    #    podSelector:
    #      matchLabels:
    #        app.kubernetes.io/name: my-consumer-pod
    #  - podSelector:
    #      matchLabels:
    #        role: frontend
    #  - ipBlock:
    #      cidr: <IP Address>/<block size>
    #      except:
    #      - <IP Address>/<block size>
    #  ports:
    #  - protocol: TCP
    #    port: 8443
    #    endPort: 8450
  egress:
    enabled: true
    customPolicies:
    #- name:
    #  toSelectors:
    #  - namespaceSelector:
    #      matchLabels:
    #        name: my-source-namespace
    #    podSelector:
    #      matchLabels:
    #        app.kubernetes.io/name: my-consumer-pod
    #  - podSelector:
    #      matchLabels:
    #        role: frontend
    #  - ipBlock:
    #      cidr: <IP Address>/<block size>
    #      except:
    #      - <IP Address>/<block size>
    #  ports:
    #  - protocol: TCP
    #    port: 8443
    #    endPort: 8450
- podSelector: Selects particular Pods in the same namespace as the NetworkPolicy that should be allowed as ingress sources or egress destinations.
- namespaceSelector: Selects particular namespaces. All Pods in the selected namespaces are allowed as ingress sources or egress destinations, or, when a podSelector is given in the same list entry, only the Pods in those namespaces that match the Pod selector.
- ipBlock: Selects particular IP CIDR ranges to allow as ingress sources or egress destinations, optionally excluding sub-ranges with except. These should be cluster-external IPs, since Pod IPs are ephemeral and unpredictable.
- ports: Selects individual ports, or a port range when endPort is configured together with port.
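As a filled-in example of the configuration section above (added for this page; it is not a sample shipped with the Certified Container charts), the following values.yaml fragment allows ingress on the 8443-8450 range from one consumer Pod in a named namespace and from an external address block, and allows egress to an external SFTP endpoint. The policy names, the namespace and Pod labels, and the IP ranges (taken from the RFC 5737 documentation ranges) are constructed placeholders:

```yaml
# Added example for this page; names, labels and addresses are constructed.
networkPolicies:
  ingress:
    enabled: true
    customPolicies:
    - name: allow-gateway-and-partner-range        # assumed policy name
      fromSelectors:
      # Entry 1: namespaceSelector AND podSelector in the same list item,
      # so only Pods labelled app.kubernetes.io/name=gateway-proxy in the
      # namespace labelled name=b2b-gateway are allowed.
      - namespaceSelector:
          matchLabels:
            name: b2b-gateway                       # assumed namespace label
        podSelector:
          matchLabels:
            app.kubernetes.io/name: gateway-proxy  # assumed Pod label
      # Entry 2: a separate list item is OR-ed with entry 1. A cluster-
      # external range, with one host carved out via "except".
      - ipBlock:
          cidr: 203.0.113.0/24                      # constructed, RFC 5737
          except:
          - 203.0.113.250/32
      ports:
      - protocol: TCP
        port: 8443
        endPort: 8450                               # port range 8443-8450
  egress:
    enabled: true
    customPolicies:
    - name: allow-external-sftp                     # assumed policy name
      toSelectors:
      - ipBlock:
          cidr: 198.51.100.0/24                     # constructed, RFC 5737
      ports:
      - protocol: TCP
        port: 22
```

Three points are worth checking before applying such a configuration. A namespaceSelector that uses a plain name label, as in the template above, only matches if that label has actually been set on the namespace; since Kubernetes 1.21 every namespace automatically carries the immutable kubernetes.io/metadata.name label, which is the more reliable key to select on. The placement of podSelector relative to namespaceSelector decides the semantics: in the same list entry they are combined (both must match), while as separate entries either one suffices, so a mis-indented podSelector silently widens the allowed set. Finally, endPort requires a Kubernetes version and CNI that support port ranges; where it is not supported, list the individual ports instead and verify the resulting NetworkPolicy objects with kubectl get networkpolicy -n <namespace> -o yaml after deployment.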