Network policies for CICS TG in containers
You can define network policies to restrict traffic to pods in your cluster on OpenShift® Container Platform and Kubernetes. If no network policies are defined in your namespace, then by default all ingress and egress traffic to and from the pods in that namespace is allowed. The following considerations describe how network policies apply to CICS® Transaction Gateway (CICS TG).
For network ingress, there are several ports to consider:
- Port 2811 for the local administration connection. See Administering CICS Transaction Gateway for Multiplatforms container.
- Port 2006 for connecting to the CICS TG daemon. See TCP protocol parameters.
- Port 8050 for SSL connections. See Configuring SSL.
- For CICS TG web service applications, use an HTTP- or HTTPS-based ingress controller and add the port as needed.
- For samples, see Sample CICS TG deployment.
- For additional information, see Restricting network traffic for CICS Transaction Gateway containers.
Network egress is more complex. By default, the CICS TG pod is non-isolated for egress, so all outbound IPIC connections to CICS regions are allowed. Depending on how your pod connects to its CICS server, you might also need to consider network policies for the egress controller.
Example ingress NetworkPolicy
The following is an example network policy to control ingress for a CICS TG called mycicstg, for use on Red Hat® OpenShift Container Platform. It contains two ingress rules: one for the CICS TG daemon port and one for the local administration port (2811, as listed above).

  kind: NetworkPolicy
  apiVersion: networking.k8s.io/v1
  metadata:
    name: mycicstg
  spec:
    podSelector:
      matchLabels:
        app.kubernetes.io/instance: mycicstg
    ingress:
      # Allow access to CICS TG from anywhere
      - ports:
          - protocol: TCP
            port: 2006
      # Allow access to local administration console (port 2811)
      - ports:
          - protocol: TCP
            port: 2811
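To see how such a policy behaves once it selects the pod, here is an added example (not code from the CICS TG documentation) that mirrors the mycicstg ingress policy as a Python dict and evaluates the Kubernetes ingress-isolation rule for a given protocol and port: the pod is non-isolated until some policy selects it, after which only the listed ports are admitted. The function names, the deny-all policy and the pod labels are constructed for illustration, and `from` peer selectors are not evaluated.

```python
# Added example, not code from the CICS TG documentation: evaluates Kubernetes
# NetworkPolicy ingress semantics for the CICS TG pod. Constructed sample that
# mirrors the mycicstg policy (2006 = daemon, 2811 = local admin; 8050 absent).
MYCICSTG_POLICY = {
    "kind": "NetworkPolicy",
    "apiVersion": "networking.k8s.io/v1",
    "metadata": {"name": "mycicstg"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/instance": "mycicstg"}},
        "ingress": [
            {"ports": [{"protocol": "TCP", "port": 2006}]},
            {"ports": [{"protocol": "TCP", "port": 2811}]},
        ],
    },
}

# Constructed "default deny": an empty podSelector selects every pod in the
# namespace, and the Ingress type with no rules admits nothing.
DENY_ALL_INGRESS = {
    "metadata": {"name": "deny-all-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

def selects_pod(policy, pod_labels):
    """Every matchLabels entry must be present on the pod; {} matches all pods."""
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())

def policy_types(policy):
    """policyTypes defaults to Ingress, plus Egress when an egress section exists."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def rule_allows_port(rule, protocol, port):
    """No `ports` key means all ports; an entry without `port` means every port."""
    if "ports" not in rule:
        return True
    return any(e.get("protocol", "TCP") == protocol and e.get("port", port) == port
               for e in rule["ports"])

def ingress_allowed(policies, pod_labels, protocol, port):
    """Non-isolated until a policy selecting the pod has the Ingress type; then
    the union of those policies' rules must admit the port (peers ignored)."""
    applicable = [p for p in policies
                  if selects_pod(p, pod_labels) and "Ingress" in policy_types(p)]
    if not applicable:
        return True
    return any(rule_allows_port(r, protocol, port)
               for p in applicable for r in p["spec"].get("ingress", []))
```

Note that port 8050 is refused as soon as the mycicstg policy exists, so an SSL listener needs its own ingress rule, and that a deny-all policy in the namespace is only relaxed by the union of the other policies that select the pod.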