Configuring the network policy

To strengthen the security of your deployments, you can restrict Internet access by applying some rules to individual pods or groups of pods.

About this task

When you install a release of Operational Decision Manager, the default network policy allows all outgoing communication (egress) and restricts incoming communication (ingress) to the service port of each component and to the pods of the same release instance, as shown in the following code snippets.

For Decision Center:
spec:
  podSelector:
    matchLabels:
      run: <release-name>-odm-decisioncenter
  ingress:
    - ports:
        - protocol: TCP
          port: 9453
  egress:
    - {}
  policyTypes:
    - Ingress
    - Egress

For Decision Runner:
spec:
  podSelector:
    matchLabels:
      run: <release-name>-odm-decisionrunner
  ingress:
    - ports:
        - protocol: TCP
          port: 9443
    - from:
        - podSelector:
            matchLabels:
              run: <release-name>-odm-decisioncenter
        - podSelector:
            matchLabels:
              run: <release-name>-odm-decisionserverconsole
  egress:
    - {}
  policyTypes:
    - Ingress
    - Egress

For Decision Server Console:
spec:
  podSelector:
    matchLabels:
      run: <release-name>-odm-decisionserverconsole
  ingress:
    - ports:
        - protocol: TCP
          port: 9443
        - protocol: TCP
          port: 1883
    - from:
        - podSelector:
            matchLabels:
              run: <release-name>-odm-decisioncenter
        - podSelector:
            matchLabels:
              run: <release-name>-odm-decisionrunner
        - podSelector:
            matchLabels:
              run: <release-name>-odm-decisionserverruntime
  egress:
    - {}
  policyTypes:
    - Ingress
    - Egress

For Decision Server Runtime:
spec:
  podSelector:
    matchLabels:
      run: <release-name>-odm-decisionserverruntime
  ingress:
    - ports:
        - protocol: TCP
          port: 9443
    - from:
        - podSelector:
            matchLabels:
              run: <release-name>-odm-decisionserverconsole
  egress:
    - {}
  policyTypes:
    - Ingress
    - Egress

Procedure

Note: The following steps are performed in the custom resource (CR) file.
To configure a different network policy for your ingress and egress traffic, proceed as follows.

  1. Disable the default network policy.
    odm_configuration:
      networkPolicy:
        enable: false
  2. Override the egress and ingress settings as needed with the following parameters.
    odm_configuration:
      decisionCenter:
        networkPolicy:
          # Specify the Decision Center egress network policy.
          egress:
          # Specify the Decision Center ingress network policy.
          ingress:

      decisionRunner:
        networkPolicy:
          # Specify the Decision Runner egress network policy.
          egress:
          # Specify the Decision Runner ingress network policy.
          ingress:

      decisionServerConsole:
        networkPolicy:
          # Specify the Decision Server Console egress network policy.
          egress:
          # Specify the Decision Server Console ingress network policy.
          ingress:

      decisionServerRuntime:
        networkPolicy:
          # Specify the Decision Server Runtime egress network policy.
          egress:
          # Specify the Decision Server Runtime ingress network policy.
          ingress:

      networkPolicy:
        # Specify the egress network policy for all components.
        egress:
        # Specify the ingress network policy for all components.
        ingress:
    For example, to disable Internet access for all ODM pods, you have to:
    1. Authorize the communication of the pods with the OpenShift DNS for DNS resolution.
      - ports:
          - protocol: UDP
            port: 5353
          - protocol: TCP
            port: 5353
        to:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: openshift-dns
    2. Authorize the communication of the pods with the Decision Center and Decision Server databases by IP address.
      - ports:
          - protocol: TCP
            port: <DC_DATABASE_PORT>
          - protocol: TCP
            port: <DS_DATABASE_PORT>
        to:
          - ipBlock:
              cidr: <DC_DATABASE_IP>/32
          - ipBlock:
              cidr: <DS_DATABASE_IP>/32
    3. Authorize the communication between the ODM pods inside the namespace and with at least the Zen NGINX pods.
      - ports:
          - protocol: TCP
            port: 12443  # Zen service port
          - protocol: TCP
            port: 9443   # DS service port
          - protocol: TCP
            port: 9453   # DC service port
        to:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: <CR_NAME>
    The new network policy will be similar to the following code example:
    odm_configuration:
      networkPolicy:
        # Specify the egress network policy for all components.
        egress:
        - ports:
            - protocol: TCP
              port: <DC_DATABASE_PORT>
            - protocol: TCP
              port: <DS_DATABASE_PORT>
            - protocol: UDP
              port: 5353
            - protocol: TCP
              port: 5353
            - protocol: TCP
              port: 12443  # Zen service port
            - protocol: TCP
              port: 9443   # DS service port
            - protocol: TCP
              port: 9453   # DC service port
          to:
            - ipBlock:
                cidr: <DC_DATABASE_IP>/32
            - ipBlock:
                cidr: <DS_DATABASE_IP>/32
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: <CR_NAME>
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: openshift-dns
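    The three rules from steps 1 to 3 and the single merged rule shown just above are not equivalent: inside one NetworkPolicy rule, every listed port is allowed to every listed peer, while separate rules pair each port set with its own peers. The following script is an added example (not code from the ODM documentation or from IBM) that implements the Kubernetes NetworkPolicy rule semantics and evaluates both forms against sample destinations. The database addresses, database ports and the namespace name are constructed stand-ins for the page's <DC_DATABASE_IP>, <DS_DATABASE_IP>, <DC_DATABASE_PORT>, <DS_DATABASE_PORT> and <CR_NAME> placeholders; the kubernetes.io/metadata.name label is the one Kubernetes sets on every namespace.

```python
"""Evaluate NetworkPolicy egress rules against sample destinations.

Added example, not ODM documentation code. Semantics follow the Kubernetes
NetworkPolicy API: within one rule `ports` and `to` are ANDed (any listed
port to any listed peer); the rules of the `egress` list are ORed.
"""
import ipaddress

# Constructed sample values replacing the page's placeholders.
DC_DATABASE_IP, DC_DATABASE_PORT = "10.0.0.10", 5432
DS_DATABASE_IP, DS_DATABASE_PORT = "10.0.0.11", 5432
CR_NAME = "odm"  # assumed name of the namespace the ODM pods run in

NS_LABEL = "kubernetes.io/metadata.name"  # label Kubernetes sets on every namespace

# Steps 1-3 of the page as three separate rules, each pairing its ports with its peers.
SEPARATE_RULES = [
    {"ports": [{"protocol": "UDP", "port": 5353}, {"protocol": "TCP", "port": 5353}],
     "to": [{"namespaceSelector": {"matchLabels": {NS_LABEL: "openshift-dns"}}}]},
    {"ports": [{"protocol": "TCP", "port": DC_DATABASE_PORT},
               {"protocol": "TCP", "port": DS_DATABASE_PORT}],
     "to": [{"ipBlock": {"cidr": f"{DC_DATABASE_IP}/32"}},
            {"ipBlock": {"cidr": f"{DS_DATABASE_IP}/32"}}]},
    {"ports": [{"protocol": "TCP", "port": 12443}, {"protocol": "TCP", "port": 9443},
               {"protocol": "TCP", "port": 9453}],
     "to": [{"namespaceSelector": {"matchLabels": {NS_LABEL: CR_NAME}}}]},
]

# The single merged rule of the page's final example: every port to every peer.
MERGED_RULE = [{
    "ports": [p for r in SEPARATE_RULES for p in r["ports"]],
    "to": [t for r in SEPARATE_RULES for t in r["to"]],
}]


def _labels_match(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, dest, policy_ns):
    """One `to` entry: an ipBlock, or a namespaceSelector and/or podSelector."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(dest["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(x) for x in block.get("except", []))
    if dest.get("namespace") is None:  # selectors never match cluster-external addresses
        return False
    if "namespaceSelector" in peer:
        ns_ok = _labels_match(peer["namespaceSelector"], dest["namespace_labels"])
    else:
        ns_ok = dest["namespace"] == policy_ns  # bare podSelector: policy's own namespace only
    pod_ok = _labels_match(peer["podSelector"], dest["pod_labels"]) if "podSelector" in peer else True
    return ns_ok and pod_ok


def egress_allowed(rules, dest, proto, port, policy_ns=CR_NAME):
    """True when at least one rule permits traffic to dest on proto/port."""
    for rule in rules:
        peers, ports = rule.get("to"), rule.get("ports")
        peer_ok = not peers or any(_peer_matches(p, dest, policy_ns) for p in peers)
        port_ok = not ports or any(s.get("protocol", "TCP") == proto and s.get("port") == port
                                   for s in ports)
        if peer_ok and port_ok:  # the default `- {}` rule has neither, so it allows everything
            return True
    return False


def in_cluster(namespace, ip):
    """A destination pod in `namespace`; the namespace carries the standard name label."""
    return {"ip": ip, "namespace": namespace,
            "namespace_labels": {NS_LABEL: namespace}, "pod_labels": {}}


def external(ip):
    """A destination outside the cluster (database host, Internet address)."""
    return {"ip": ip, "namespace": None}


def compare(dest, proto, port):
    """(allowed by the three separate rules, allowed by the merged rule)."""
    return (egress_allowed(SEPARATE_RULES, dest, proto, port),
            egress_allowed(MERGED_RULE, dest, proto, port))


if __name__ == "__main__":
    cases = [  # constructed sample traffic; 203.0.113.10 is a documentation address
        ("DNS to openshift-dns", in_cluster("openshift-dns", "10.128.0.5"), "UDP", 5353),
        ("DC database", external(DC_DATABASE_IP), "TCP", DC_DATABASE_PORT),
        ("DS console in namespace", in_cluster(CR_NAME, "10.128.1.7"), "TCP", 9443),
        ("Internet", external("203.0.113.10"), "TCP", 443),
        ("DB port to openshift-dns", in_cluster("openshift-dns", "10.128.0.5"), "TCP", 5432),
        ("DNS port to DC database IP", external(DC_DATABASE_IP), "UDP", 5353),
    ]
    for name, dest, proto, port in cases:
        separate, merged = compare(dest, proto, port)
        print(f"{name:28s} separate={separate!s:5}  merged={merged}")
```

    Both forms block the Internet address and allow the three intended flows; the merged rule additionally allows the database port towards the openshift-dns namespace and the DNS port towards the database host. If that extra surface matters in your environment, keep the three rules as separate entries of the egress list instead of merging them.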
  3. After applying the CR, verify that no other outbound communication is possible from an ODM pod.

    For example, try to reach www.google.com:

    oc exec <ODM_POD_NAME> -- curl -s -o /dev/null -w "%{http_code}" www.google.com

    The request should fail.
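    The single curl call above confirms that one Internet host is blocked; a practitioner usually also wants to confirm that the authorized flows still work, and to bound the wait, because a policy that drops packets leaves curl waiting for its default connection timeout rather than failing quickly. The following script is an added example (not code from the ODM documentation or from IBM): it runs the page's curl probe through oc exec with a connect timeout, maps curl's outcome to "blocked" or "reachable", and compares each result with the expectation. <ODM_POD_NAME> and the in-namespace service host <DS_CONSOLE_SERVICE_HOST> are placeholders to replace with real values; the runner argument exists so the logic can be exercised without a cluster.

```python
"""Post-change egress checks run from inside an ODM pod via `oc exec`.

Added example, not ODM documentation code. curl exit codes 6 (name not
resolved), 7 (connection refused) and 28 (timeout) all mean the policy did
not let the request through; exit 0 with an HTTP status means it did.
"""
import subprocess
from dataclasses import dataclass

CURL_RESOLVE_FAILED = 6
CURL_CONNECT_FAILED = 7
CURL_TIMEOUT = 28


@dataclass
class Probe:
    url: str
    expect: str  # "blocked" or "reachable"


def probe_argv(pod: str, url: str, timeout_s: int = 5) -> list[str]:
    """The page's curl probe, run inside the pod; -m bounds the wait for dropped packets."""
    return ["oc", "exec", pod, "--", "curl", "-s", "-k", "-o", "/dev/null",
            "-m", str(timeout_s), "-w", "%{http_code}", url]


def classify(returncode: int, stdout: str) -> str:
    """Map curl's outcome to the policy-level question: did the packets get through?"""
    if returncode == 0 and stdout.strip() not in ("", "000"):
        return "reachable"
    if returncode in (CURL_RESOLVE_FAILED, CURL_CONNECT_FAILED, CURL_TIMEOUT):
        return "blocked"
    return f"inconclusive(exit={returncode})"


def run_probes(pod: str, probes, run=subprocess.run):
    """Return (url, expected, observed) for every probe that did not behave as expected."""
    failures = []
    for probe in probes:
        result = run(probe_argv(pod, probe.url), capture_output=True, text=True)
        observed = classify(result.returncode, result.stdout)
        if observed != probe.expect:
            failures.append((probe.url, probe.expect, observed))
    return failures


# Constructed probe set: the page's Internet check plus one authorized in-namespace flow.
PROBES = [
    Probe("https://www.google.com", "blocked"),
    # Placeholder: an ODM service host inside the namespace, listening on the DS port.
    Probe("https://<DS_CONSOLE_SERVICE_HOST>:9443/", "reachable"),
]


if __name__ == "__main__":
    import sys
    pod_name = sys.argv[1] if len(sys.argv) > 1 else "<ODM_POD_NAME>"
    for url, expected, observed in run_probes(pod_name, PROBES):
        print(f"UNEXPECTED {url}: expected {expected}, got {observed}")
```

    Run it as `python3 check_egress.py <ODM_POD_NAME>` after the CR has been applied; an empty output means every probe behaved as the policy intends. A "reachable" result for the Internet probe means the egress rules still allow outside traffic, and a "blocked" result for the in-namespace probe means the rules are tighter than the components need.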