Adding a network policy for Cognos® Analytics

Optional. If you are provisioning a Cognos Analytics instance into a tethered project, you can add network policies for the instance. The policies restrict ingress to the Cognos Analytics pods in the tethered project to the control plane nginx and Cognos service-provider pods, pods in the same tethered project, cluster DNS, and the OpenShift ingress controller, and they allow those Cognos pods to reach nginx in the control plane project.

About this task

You must be a cluster administrator to run this procedure.

Complete this procedure before you provision an instance into a tethered project.

For more information about setting up a tethered project, see Tethering projects to the IBM Cloud Pak® for Data control plane.

Procedure

Create the network policies by saving the following script and running it as a cluster administrator, passing the control plane project with `-n` and a comma-separated list of tethered projects with `-t`. The script applies the policies to each tethered project and to the control plane project:
#!/usr/bin/env bash
#
# -----------------------------------------------------------------------------
#         Licensed Materials - Property of IBM
#
#         IBM Cognos Products: ca
#
#         (C) Copyright IBM Corp. 2023
#
#         US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule
# -----------------------------------------------------------------------------
#
#
# Abort on the first failing command so that a failed oc apply stops the
# script instead of continuing with a partial set of policies.
set -e
# Uncomment to trace every command (useful when an oc apply is rejected).
#set -x
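# Print the one-line invocation synopsis on stdout.
# Called by help and on a bad option; $0 is the script path.
# Quoted so the synopsis is printed verbatim (the unquoted "[-h]-n" of the
# original was subject to globbing and was missing the space before -n).
function usage {
    echo "$0: usage: $0 [-h] -n instance_namespace -t comma_separated_list_tethered_namespaces"
}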
# Print the synopsis followed by the option reference on stdout, then exit 0.
function help {
    usage
    # Quoted delimiter: the text is emitted literally, no expansion.
    cat <<'EOF'
-h                      prints help to the console
-t tethered ns          comma separated list of tethered namespaces attached to control plane namespace (required)
-n original instance ns original control plane namespace being upgraded (required)

EOF
    exit 0
}
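# Parse the command line.
#   -h  print help and exit 0
#   -n  control plane (instance) namespace  -> PROJECT_CPD_INSTANCE
#   -t  comma-separated tethered namespaces -> PROJECT_CPD_INSTANCE_TETHERED_LIST
# The leading ':' in the option string puts getopts in silent mode, so a
# missing argument arrives as ':' and an unknown flag as '?'. Both are
# reported on stderr and fail the script with exit 1 (the original treated
# an unknown flag as success, which hides typos from callers and CI).
while getopts ":hn:t:" opt; do
    case "${opt}" in
    h)
        help
        ;;
    n)
        PROJECT_CPD_INSTANCE="$OPTARG"
        ;;
    t)
        PROJECT_CPD_INSTANCE_TETHERED_LIST="$OPTARG"
        ;;
    :)
        echo "option -${OPTARG} requires an argument" >&2
        usage >&2
        exit 1
        ;;
    \?)
        echo "unknown option -${OPTARG}" >&2
        usage >&2
        exit 1
        ;;
    esac
done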
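# Both namespaces are required. The expansions are quoted: with an unquoted
# empty value the test collapsed to "[ -z ]", which only worked by accident,
# and a value containing whitespace would have broken the test outright.
# Diagnostics go to stderr so they are not mistaken for script output.
if [ -z "${PROJECT_CPD_INSTANCE_TETHERED_LIST}" ]; then
        echo "PROJECT_CPD_INSTANCE_TETHERED_LIST must be defined" >&2
        exit 1
fi
if [ -z "${PROJECT_CPD_INSTANCE}" ]; then
        echo "PROJECT_CPD_INSTANCE must be defined" >&2
        exit 1
fi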
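#######################################
# Validate a Kubernetes namespace name: a DNS-1123 label, i.e. lowercase
# alphanumerics and '-', alphanumeric at both ends, at most 63 characters.
# The names are interpolated verbatim into the NetworkPolicy manifests
# below, so anything else is rejected before oc is invoked.
# Arguments: $1 - candidate name
# Returns:   0 if valid, 1 otherwise
#######################################
function is_valid_namespace {
    local candidate="$1"
    (( ${#candidate} <= 63 )) || return 1
    [[ "$candidate" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]]
}

#######################################
# Apply the Cognos Analytics network policies.
# Arguments: $1 - control plane (instance) namespace
#            $2 - comma-separated list of tethered namespaces
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   0 on success; 1 on a malformed namespace name (nothing is
#            applied in that case) or when an oc apply fails
#
# For every tethered namespace that differs from $1, three NetworkPolicy
# objects are applied (see the manifests below). A tethered namespace equal
# to $1 is skipped with a reminder if it has no policies yet. All names are
# validated first so a bad entry late in the list cannot leave the earlier
# namespaces half-configured.
#######################################
function apply_cognos_network_policies {
    local control_plane_ns="$1"
    local raw_ns tethered_ns policy_count
    local -a raw_list=() tethered_list=()

    # Split on ',' for this read only (the global IFS is left untouched),
    # trim surrounding whitespace and drop empty fields, so "a, b" or a
    # trailing comma never reaches oc as an empty or padded namespace.
    IFS=',' read -r -a raw_list <<< "$2"
    for raw_ns in "${raw_list[@]}"; do
        tethered_ns="${raw_ns#"${raw_ns%%[![:space:]]*}"}"
        tethered_ns="${tethered_ns%"${tethered_ns##*[![:space:]]}"}"
        [[ -n "$tethered_ns" ]] || continue
        if ! is_valid_namespace "$tethered_ns"; then
            echo "invalid tethered namespace name: '${tethered_ns}'" >&2
            return 1
        fi
        tethered_list+=("$tethered_ns")
    done
    (( ${#tethered_list[@]} > 0 )) || return 0
    if ! is_valid_namespace "$control_plane_ns"; then
        echo "invalid control plane namespace name: '${control_plane_ns}'" >&2
        return 1
    fi

    for tethered_ns in "${tethered_list[@]}"; do
        if [[ "$tethered_ns" == "$control_plane_ns" ]]; then
            # The control plane namespace gets no Cognos policies of its own;
            # it is expected to carry the foundation services policies, so
            # only warn when it has none.
            echo "Tethered namespace ${tethered_ns} same as control plane namespace ${control_plane_ns}"
            # '-o name' prints one line per policy and nothing when there are
            # none (the header line is no longer counted). oc errors are
            # deliberately discarded: a failed lookup counts as zero, as before.
            policy_count=$(oc get networkpolicy -n "${control_plane_ns}" -o name 2>/dev/null | wc -l)
            policy_count=$(( policy_count + 0 ))
            echo "Current count of network policies in ${control_plane_ns} is ${policy_count}"
            if (( policy_count == 0 )); then
                echo "APPLY FOUNDATION SERVICES NETWORK POLICY FIRST"
            fi
            continue
        fi

        echo "Allow access to specific ports for cognos pods in ${tethered_ns} from specific pods in ${control_plane_ns} and kube-system"
        # The manifests are fed straight to oc; a rejected apply stops the run.
        # The kubernetes.io/metadata.name label used in the namespaceSelectors
        # is managed by the API server and cannot be changed by namespace
        # users, which is what makes it safe to match on.
        oc apply -n "${tethered_ns}" -f - <<EOF || return 1
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cognos-multi-port-ingress
  namespace: ${tethered_ns}
  labels:
    component: cognos_analytics
spec:
  podSelector:
    matchLabels:
      release: cognos-analytics
  policyTypes:
    - Ingress
  ingress:
    # Allow requests from ibm-nginx pods in control plane namespace to ports 3010 and 9300
    - from:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: ${control_plane_ns}
        podSelector:
          matchLabels:
            component: ibm-nginx
      ports:
        - port: 9300
          protocol: TCP
        - port: 3010
          protocol: TCP
    # Allow requests from Cognos sp in the control plane namespace to ports 3010 and 9300
    - from:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: ${control_plane_ns}
        podSelector:
          matchLabels:
            component: ca-addon-sp
      ports:
        - port: 9300
          protocol: TCP
        - port: 3010
          protocol: TCP
    # Allow requests from Cognos pods in same namespace on ports 9300, 3010, 5701 and 4300
    # NOTE(review): there is no podSelector in this rule, so it admits every
    # pod in ${tethered_ns} on these ports, not only the Cognos pods — confirm
    # that is intended before relying on it as a boundary.
    - from:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: ${tethered_ns}
      ports:
        - port: 9300
          protocol: TCP
        - port: 3010
          protocol: TCP
        - port: 5701
          protocol: TCP
        - port: 4300
          protocol: TCP
    # Allow from DNS
    # NOTE(review): this is an ingress rule admitting kube-dns pods to port 53
    # on the Cognos pods. Replies to lookups the Cognos pods initiate are
    # return traffic of an egress connection, not new ingress, so this rule is
    # likely unnecessary; kept as-is, confirm before removing.
    - from:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
        - port: 53
          protocol: TCP
        - port: 53
          protocol: UDP
    # Allow from Openshift Ingress
    - from:
      - namespaceSelector:
          matchLabels:
            network.openshift.io/policy-group: ingress
      ports:
        - port: 9300
          protocol: TCP
EOF
        echo "Deny access by default to cognos pods in ${tethered_ns}"
        # NetworkPolicies are additive, so this no-rule Ingress policy and the
        # allow policy above combine regardless of apply order. Only Ingress
        # is listed in policyTypes: egress from the Cognos pods is not
        # restricted by this policy.
        oc apply -n "${tethered_ns}" -f - <<EOF || return 1
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cognos-default-deny-all
  namespace: ${tethered_ns}
  labels:
    component: cognos_analytics
spec:
  podSelector:
    matchLabels:
      release: cognos-analytics
  policyTypes:
  - Ingress
EOF
        echo "Allow cognos pods in ${tethered_ns} access to ibm-nginx in ${control_plane_ns}"
        # One policy per tethered namespace in the control plane namespace; the
        # tethered name in the policy name keeps them from overwriting each
        # other. NOTE(review): the rule has no ports list, so the Cognos pods
        # may reach every port of ibm-nginx — confirm whether it should be
        # limited to the nginx listener port(s).
        oc apply -n "${control_plane_ns}" -f - <<EOF || return 1
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cognos-allowed-from-${tethered_ns}
  namespace: ${control_plane_ns}
  labels:
    component: cognos_analytics
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      component: ibm-nginx
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ${tethered_ns}
      podSelector:
        matchLabels:
          release: cognos-analytics
EOF
    done
}

apply_cognos_network_policies "${PROJECT_CPD_INSTANCE}" "${PROJECT_CPD_INSTANCE_TETHERED_LIST}"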