Optional: Installing network policies

The BAI operator does not create network policies, but you can use the utility script bai-network-policies.sh to retrieve and install network policy templates to restrict network access.

Before you begin

As a prerequisite to use the bai-network-policies.sh script, you must select the option to generate the network policy templates during the installation. If you want to generate the network policy templates after the installation, you can set the customer source parameter to true.

shared_configuration.sc_generate_sample_network_policies: true

If you chose to generate network policies, wait for the BAI operator to complete generating the sample files in the /tmp/<ns>/network-policies/templates folder inside the BAI operator pod. After you apply the updated custom resource, verify that the deployment status in the BAI custom resource (CR) is Ready before you run the bai-network-policies.sh script in install mode. You can later update or install additional network policies as needed.

Attention: The network policy templates might not work in all environments. You might need to adjust ingress or egress rules to make them work in your environment. For more information, see Configuring cluster security External link opens a new window or tab.

About this task

The bai-network-policies.sh script can be found in the cert-kubernetes-bai repository. The script helps you to install the network policies for your BAI production deployment. For more information about downloading cert-kubernetes-bai, see Preparing a client to connect to the cluster.

The cert-kubernetes/scripts/bai-network-policies.sh script has three modes for a production deployment type:

generate
The generate mode creates the network policy files from the capability templates.
install
The install mode installs the network policies on your cluster.
delete
The delete mode removes the network policies from the BAI operator pod.
Note: The script deletes only the network policies that have templates in the cert-kubernetes-bai/scripts/network-policies/<namespace>/templates folder. Network policies that the Business Automation Insights operator did not generate are ignored.

The following steps must be performed only after you confirm that all components are successfully installed. Check the status section of the applied custom resource file before you start.

sh ./bai-network-policies.sh --help
Usage:
bai-network-policies.sh -m [modeType] -n [bai_namespace]
Options:
  -h  Display help
  -m  Required: The valid mode types are: [generate], [install], [delete]
  -n  Required: The target namespace of the BAI Standalone deployment.
                If BAI Standalone is deployed using separate namespaces for operators and operands/services, the value is the namespace where BAI Standalone operands/services are deployed.
Additional Information:
   STEP 1: Run the script in [generate] mode. This copies the sample network policy templates to folder [cert-kubernetes-bai/scripts/network-policies/<namespace>/templates]
   STEP 2: Review and modify (if needed) the network policy templates based on your cluster environment.
   STEP 3: Apply the network policies in you cluster manually or optionally run the script in [install] mode to apply templates in the path [cert-kubernetes-bai/scripts/network-policies/<namespace>/templates]

Run the script in generate mode to create files in the following structure.

Tip: The folder names match the component names that are defined in the BAI CR.
network-policies
└── <bai-namespace>
    ├── logs
    └── templates
        ├── BAI
        |   └── egress
        |   └── ingress
.....
Attention: If you plan to modify the CR after you installed the network policies, then you must delete the previous network policies and install new network policies by re-running the bai-network-policies.sh script. Always wait for the reconciliation to complete successfully before you run the script again. Confirmation that all the components in the CR are successfully installed can be retrieved by checking the status section of the applied CR file. Each time the network policy files are generated, you also need to re-run the script in the install mode to apply the changes.
Use the following steps to install network policies for your BAI deployment on your cluster.

Procedure

  1. Log in to the cluster as the <cluster-admin> user.

    Using the Red Hat® OpenShift® CLI, run the following command.

    oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password>

    On ROKS, if you are not already logged in, run the following command.

    oc login --token=<token> --server=https://<cluster-ip>:<port>
    Note: If the deployment is separation of duties then you must use the services/operands namespace
  2. Run the bai-network-policies.sh script in generate mode to copy the network policies from the operators to the network-policies subfolder on the local machine. 
    ./bai-network-policies.sh -m generate -n $NAMESPACE
  3. Use the comments in the sample files to review, modify (if necessary), and complete necessary information. Enter values in all the fields that contain the placeholder value of <Required>.

    The following example shows the comments that are generated in the templates/BAI folder

    # This network policy is for Document Processing backend to communicate to the database(s).
# This network policy is specific to the dc_ca_datasource section of the CR.
# You may adjust the egress' section to fit your requirement.  For example, if your database is container-base and deployed in the same cluster but in a different ns, you may want to try to use
# egress:
#   - to:
#     - podSelector: {}
#       namespaceSelector:
#         matchExpressions:
#           - key: kubernetes.io/metadata.name
#             operator: In
#             values:
#               - "<DB namespace>"
# Below is the sample network policy that based on cidr range.  
# DO NOT modify the podSelector as it may affect the communication. 
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: "$bai_OPERAND_NAMESPACE"
  name: '$META_NAME-aca-netpol-db'
  labels:
    app.kubernetes.io/name: "$META_NAME-aca"
    app.kubernetes.io/component: "ACA"
    app.kubernetes.io/instance: "$META_NAME-aca"
    app.kubernetes.io/version: "25.0.0"
spec:
  podSelector:
    matchExpressions:
      - key: app.kubernetes.io/name
        operator: In
        values:
          - '$META_NAME-aca'
          - 'ibm-dpe-operator'
  egress:
  - to:
    - ipBlock:
        cidr: "" #<Required> Fill out the database cidr range such as 1.2.3.4/32
    ports:
      - protocol: TCP  
        port: #<Required> Fill out the port number for database

  policyTypes:
  - Egress
  4. Execute the bai-network-policies.sh script in generate mode to copy network policies from the BAI operator to the client machine. 
    sh bai-network-policies.sh -m generate -n $NAMESPACE
  5. Create an environment variable to locate the target BAI namespace (BAI-project). 
    export NAMESPACE=<bai-project>
    Note: If you chose to separate duties of the BAI operators and operands, use the project that you set for the $bai_OPERAND_NAMESPACE.
  6. Run the script in the install mode. 
    ./bai-network-policies.sh -m install -n $NAMESPACE
    Note: If you want to delete the network policies that you generated or if you already have network policies in the namespace and want to reapply a modified version of the network policy templates, then run the bai-network-policies.sh in delete mode before you install the modified version of the network policies.
    sh bai-network-policies.sh -m delete -n $NAMESPACE

Results

If a network policy restriction is in place, the Cloud Pak foundational services might have connectivity issues. For more information, see Installing network policies for foundational services External link opens a new window or tab

What to do next

Some capabilities need you to follow post-deployment steps. For more information, see Completing post-installation tasks.