Restricting network traffic to IBM CICS TX in containers

You can define network policies to restrict traffic to pods in your cluster in OpenShift Container Platform and Kubernetes. This topic describes some considerations for how network policies can apply to IBM CICS TX.

For network ingress to a CICS TX region, there are several ports to consider:

  • Port 1435 for connecting to the region’s listener
  • Port 3270 for cicsteld
  • Port 9087 for metrics collection
  • Port 9443 for admin console
  • Port 2379 for the controller (applies only to CICS TX Standard version)

Network egress is more complex. Examples of network egress that you might want to consider:

  • Other CICS TS / CICS TX regions
  • Connecting to CICS TX Standard Controller (applies only to CICS TX Standard version)

Example ingress NetworkPolicy

The following is an example network policy to control ingress for a CICS TX region called mycicstx, for use on Red Hat OpenShift Container Platform. Each ingress rule is a separate list item; a rule with only a ports entry and no from entry admits that port from any source.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: mycicstx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: mycicstx
  ingress:
    # Allow access to CICS TX region’s listener from anywhere
    - ports:
        - protocol: TCP
          port: 1435
    # Allow access to cicsteld for connecting via 3270 terminals
    - ports:
        - protocol: TCP
          port: 3270
    # Allow access to metrics collection
    - ports:
        - protocol: TCP
          port: 9087
    # Allow access to admin console
    - ports:
        - protocol: TCP
          port: 9443
    # Allow access to controller (applies only to CICS TX Standard Version)
    - ports:
        - protocol: TCP
          port: 2379
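The policy above opens every listed port to any source in the cluster. The following is an added example, not part of the IBM documentation, that keeps the listener and 3270 ports open but limits metrics collection and the admin console to specific namespaces, and adds egress rules for the cases listed earlier (other CICS TX regions and the CICS TX Standard Controller). The namespace names (openshift-monitoring, cics-admin) and the pod labels app.kubernetes.io/name: cicstx and app.kubernetes.io/component: controller are assumptions; replace them with the labels your deployment actually uses.

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: mycicstx-restricted
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: mycicstx
  # Listing Egress here means any egress not matched below is denied
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Region listener and 3270 terminal access remain open from anywhere
    - ports:
        - protocol: TCP
          port: 1435
        - protocol: TCP
          port: 3270
    # Metrics scraping only from the cluster monitoring namespace (assumed name)
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-monitoring
      ports:
        - protocol: TCP
          port: 9087
    # Admin console only from a dedicated administration namespace (assumed name)
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cics-admin
      ports:
        - protocol: TCP
          port: 9443
  egress:
    # DNS must stay allowed, or service names stop resolving once egress is restricted
    - ports:
        - protocol: UDP
          port: 53
    # Other CICS TX regions and the CICS TX Standard Controller in this namespace
    # (assumed labels; the controller entry applies only to CICS TX Standard)
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: cicstx
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: controller
```

Apply it with oc apply -f and confirm the selection with oc describe networkpolicy mycicstx-restricted; connections to regions in other namespaces need an additional namespaceSelector in the egress rule.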