Restricting network traffic for CICS Transaction Gateway containers

In your OpenShift® Container Platform or Kubernetes cluster, you can define network policies to restrict traffic to CICS® TG pods. If a namespace has no network policies, then by default all ingress and egress traffic is allowed to and from the pods in that namespace.

To efficiently handle the incoming traffic and network policies for requests to CICS TG, you can use a TCP load-balanced ingress controller in your Kubernetes cluster.

Consider the following ports when you configure the TCP-based ingress controller to handle requests to CICS TG:
  • TCP port, used by the TCP handler defined by protocol@tcp.handler=com.ibm.ctg.server.TCPHandler; the default port is 2006.
  • SSL port, used by the SSL handler defined by protocol@ssl.handler=com.ibm.ctg.server.SslHandler; the default port is 8050.

When you configure CICS TG for Webservice applications, opt for an HTTP or HTTPS-based ingress controller and add the port as needed.

By default, the CICS TG pod is nonisolated for egress, so all IPIC outbound connections to CICS regions are allowed. Depending on how your pod connects to its CICS servers, you might also need network policies that restrict egress.
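The following pair of NetworkPolicy objects is an added example, not the sample policy that the CICS TG documentation links to, and it covers both the ingress ports listed above and the egress restriction just described. It assumes values the page does not state: the CICS TG pods carry the label app: cicstg in a namespace named cicstg; the TCP-based ingress controller runs in a namespace labelled network.openshift.io/policy-group: ingress (the label OpenShift applies to its router namespace; other clusters need their own label); the cluster DNS pods carry the label k8s-app: kube-dns; and the CICS regions sit in 10.20.0.0/16 and listen for IPIC on TCP port 1435. The CIDR, port and labels are placeholders to replace with your own.

```yaml
# Added example, not from the CICS TG documentation. Two NetworkPolicy objects
# for a CICS TG pod: one limits ingress to the TCP and SSL handler ports from
# the ingress controller, one limits egress to DNS and the CICS regions.
# Assumed (not on the page): label app: cicstg, namespace cicstg, the OpenShift
# router namespace label, the DNS pod label, and the CICS CIDR/IPIC port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cicstg-allow-ingress-from-ingress-controller
  namespace: cicstg
spec:
  podSelector:
    matchLabels:
      app: cicstg
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress   # assumed label
      ports:
        - protocol: TCP
          port: 2006   # TCP handler: protocol@tcp.handler=com.ibm.ctg.server.TCPHandler
        - protocol: TCP
          port: 8050   # SSL handler: protocol@ssl.handler=com.ibm.ctg.server.SslHandler
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cicstg-restrict-egress
  namespace: cicstg
spec:
  podSelector:
    matchLabels:
      app: cicstg
  policyTypes:
    - Egress
  egress:
    # As soon as any policy with policyType Egress selects the pod, the pod is
    # isolated for egress and only the rules below are allowed. Name resolution
    # for CICS region hostnames therefore has to be permitted explicitly.
    - to:
        - namespaceSelector: {}        # DNS pods in any namespace...
          podSelector:
            matchLabels:
              k8s-app: kube-dns        # ...carrying this assumed label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # IPIC outbound connections to the CICS regions (placeholder CIDR and port).
    - to:
        - ipBlock:
            cidr: 10.20.0.0/16
      ports:
        - protocol: TCP
          port: 1435
```

Apply both documents with kubectl apply -f (or oc apply -f) in the cicstg namespace. Network policies are additive: each object only adds allowed flows, and a pod becomes isolated for a policy type the moment any policy listing that type selects it, which is why the egress policy has to spell out DNS as well as the CICS regions. Enforcement depends on the cluster network plugin; OVN-Kubernetes and OpenShift SDN enforce NetworkPolicy, but a plugin that does not will accept the objects and silently allow all traffic, so verify with a connection test from the pod after applying.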

For a sample network policy, see Network policies for CICS TG in containers.