Adding a network policy for Cognos® Analytics
Optional. If you are provisioning a Cognos Analytics instance into a tethered project, you can add a network policy for the instance.
About this task
You must be a cluster administrator to run this procedure.
Complete this procedure before you provision an instance into a tethered project.
For more information about setting up a tethered project, see Tethering projects to the IBM Cloud Pak® for Data control plane.
Procedure
Create the network policies by running a script with the following format:
#!/usr/bin/env bash
#
# -----------------------------------------------------------------------------
# Licensed Materials - Property of IBM
#
# IBM Cognos Products: ca
#
# (C) Copyright IBM Corp. 2023
#
# US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule
# -----------------------------------------------------------------------------
#
#
# Stop at the first failing command (the long form of `set -e`); uncomment
# the xtrace line to echo each command while debugging.
set -o errexit
#set -o xtrace
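#######################################
# Print the one-line usage synopsis to stdout (help() and the option-error
# arms rely on it).
# Globals:   none
# Arguments: none
# Outputs:   synopsis on stdout
#######################################
usage() {
  # printf with "$0" quoted: the original unquoted echo lost the space
  # between [-h] and -n and would have word-split/globbed $0.
  printf '%s: usage: %s [-h] -n instance_namespace -t comma_separated_list_tethered_namespaces\n' "$0" "$0"
}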
#######################################
# Print the synopsis plus one line per option, then exit 0 (for -h).
# Globals:   none
# Arguments: none
# Outputs:   help text on stdout
# Returns:   never returns; exits 0
#######################################
help() {
  usage
  # One printf emits the four option lines; the final "" yields the blank
  # trailer line the original printed with `echo ""`.
  printf '%s\n' \
    "-h prints help to the console" \
    "-t tethered ns comma separated list of tethered namespaces attached to control plane namespace (required)" \
    "-n original instance ns original control plane namespace being upgraded (required)" \
    ""
  exit 0
}
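# Parse -h/-n/-t and validate the two required namespaces.
# Changes from the original: an unknown option or a missing option argument
# is a usage error (exit 2) instead of a silent `exit 0`; diagnostics go to
# stderr; the control plane namespace must be a valid DNS-1123 label because
# it is interpolated unquoted into YAML and into a resource name below.
while getopts ":hn:t:" opt; do
  case "${opt}" in
    h)
      help
      ;;
    n)
      PROJECT_CPD_INSTANCE=$OPTARG
      ;;
    t)
      PROJECT_CPD_INSTANCE_TETHERED_LIST=$OPTARG
      ;;
    :)
      printf 'option -%s requires an argument\n' "$OPTARG" >&2
      usage >&2
      exit 2
      ;;
    \?)
      printf 'unknown option -%s\n' "$OPTARG" >&2
      usage >&2
      exit 2
      ;;
  esac
done
shift $((OPTIND - 1))

# ":-" keeps these checks working if `set -u` is ever enabled.
if [ -z "${PROJECT_CPD_INSTANCE_TETHERED_LIST:-}" ]; then
  echo "PROJECT_CPD_INSTANCE_TETHERED_LIST must be defined" >&2
  exit 1
fi
if [ -z "${PROJECT_CPD_INSTANCE:-}" ]; then
  echo "PROJECT_CPD_INSTANCE must be defined" >&2
  exit 1
fi
# Kubernetes namespace names are DNS-1123 labels; anything else would either
# be rejected by the API server or break the generated YAML.
if ! [[ "${PROJECT_CPD_INSTANCE}" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]]; then
  echo "PROJECT_CPD_INSTANCE is not a valid namespace name: '${PROJECT_CPD_INSTANCE}'" >&2
  exit 1
fi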
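# Each heredoc body below stays at column 0: the delimiter is unquoted so the
# namespace variables expand, and YAML indentation is significant. The page
# this was taken from had lost its indentation; the YAML is re-indented so
# that a namespaceSelector and podSelector listed together form ONE peer
# (both must match), which is what the in-policy comments describe.

#######################################
# Apply the ingress allow-list for the Cognos pods in one tethered namespace.
# Arguments: $1 - tethered namespace, $2 - control plane namespace
# Outputs:   progress line and `oc apply` output on stdout
# Returns:   status of `oc apply` (a failure aborts the script under set -e)
#######################################
apply_tethered_ingress_policy() {
  local tethered=$1
  local control=$2
  echo "Allow access to specific ports for cognos pods in ${tethered} from specific pods in ${control} and kube-system"
  oc apply -n "${tethered}" -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cognos-multi-port-ingress
  namespace: ${tethered}
  labels:
    component: cognos_analytics
spec:
  podSelector:
    matchLabels:
      release: cognos-analytics
  policyTypes:
    - Ingress
  ingress:
    # Allow requests from ibm-nginx pods in control plane namespace to ports 3010 and 9300
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${control}
          podSelector:
            matchLabels:
              component: ibm-nginx
      ports:
        - port: 9300
          protocol: TCP
        - port: 3010
          protocol: TCP
    # Allow requests from Cognos sp in the control plane namespace to ports 3010 and 9300
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${control}
          podSelector:
            matchLabels:
              component: ca-addon-sp
      ports:
        - port: 9300
          protocol: TCP
        - port: 3010
          protocol: TCP
    # Allow requests from Cognos pods in same namespace on ports 9300, 3010, 5701 and 4300
    # (no podSelector here, so every pod in the tethered namespace matches)
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${tethered}
      ports:
        - port: 9300
          protocol: TCP
        - port: 3010
          protocol: TCP
        - port: 5701
          protocol: TCP
        - port: 4300
          protocol: TCP
    # Allow from DNS. NOTE(review): this is an ingress rule, so it admits
    # connections FROM kube-dns pods TO the Cognos pods on 53; the Cognos
    # pods' own outbound lookups are egress, which this policy does not
    # restrict (policyTypes is Ingress only).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: TCP
        - port: 53
          protocol: UDP
    # Allow from Openshift Ingress: every pod in a namespace carrying the
    # policy-group=ingress label, on 9300 only
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
      ports:
        - port: 9300
          protocol: TCP
EOF
}

#######################################
# Apply the default-deny policy for the Cognos pods in one tethered namespace.
# Only Ingress is listed in policyTypes, so egress from those pods stays
# unrestricted by this script.
# Arguments: $1 - tethered namespace
# Outputs:   progress line and `oc apply` output on stdout
# Returns:   status of `oc apply`
#######################################
apply_tethered_default_deny() {
  local tethered=$1
  echo "Deny access by default to cognos pods in ${tethered}"
  oc apply -n "${tethered}" -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cognos-default-deny-all
  namespace: ${tethered}
  labels:
    component: cognos_analytics
spec:
  podSelector:
    matchLabels:
      release: cognos-analytics
  policyTypes:
    - Ingress
EOF
}

#######################################
# In the control plane namespace, allow the tethered Cognos pods to reach
# ibm-nginx. The rule has no ports: entry, so every ibm-nginx port is
# reachable from those pods. One policy is created per tethered namespace
# (the name embeds it); this script never deletes policies for namespaces
# dropped from a later -t list.
# Arguments: $1 - tethered namespace, $2 - control plane namespace
# Outputs:   progress line and `oc apply` output on stdout
# Returns:   status of `oc apply`
#######################################
apply_control_plane_allow_from() {
  local tethered=$1
  local control=$2
  echo "Allow cognos pods in ${tethered} access to ibm-nginx in ${control}"
  oc apply -n "${control}" -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cognos-allowed-from-${tethered}
  namespace: ${control}
  labels:
    component: cognos_analytics
spec:
  policyTypes:
    - Ingress
  podSelector:
    matchLabels:
      component: ibm-nginx
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${tethered}
          podSelector:
            matchLabels:
              release: cognos-analytics
EOF
}

# Split the comma-separated list into an array instead of changing IFS for
# the rest of the script; the array form is not subject to globbing either.
IFS=',' read -r -a tethered_namespaces <<<"${PROJECT_CPD_INSTANCE_TETHERED_LIST:-}"
for PROJECT_CPD_INSTANCE_TETHERED in "${tethered_namespaces[@]}"; do
  # Each element is interpolated unquoted into YAML and into a resource name,
  # so reject anything that is not a DNS-1123 label (this also catches the
  # empty element produced by a doubled or leading comma, which would
  # otherwise be applied against whatever namespace `oc` defaults to).
  if ! [[ "${PROJECT_CPD_INSTANCE_TETHERED}" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]]; then
    echo "Invalid tethered namespace name in list: '${PROJECT_CPD_INSTANCE_TETHERED}'" >&2
    exit 1
  fi
  if [ "${PROJECT_CPD_INSTANCE_TETHERED}" = "${PROJECT_CPD_INSTANCE}" ]; then
    echo "Tethered namespace ${PROJECT_CPD_INSTANCE_TETHERED} same as control plane namespace ${PROJECT_CPD_INSTANCE}"
    # `-o name` prints one line per policy and no header, so the count is
    # exact (the original `wc` counted the header row as a policy).
    COUNT=$(oc get networkpolicy -n "${PROJECT_CPD_INSTANCE}" -o name 2>/dev/null | wc -l)
    COUNT=$((COUNT))  # normalise the whitespace some `wc` builds emit
    echo "Current count of network policies in ${PROJECT_CPD_INSTANCE} is ${COUNT}"
    if [ "${COUNT}" -eq 0 ]; then
      echo "APPLY FOUNDATION SERVICES NETWORK POLICY FIRST"
    fi
    continue
  fi
  apply_tethered_ingress_policy "${PROJECT_CPD_INSTANCE_TETHERED}" "${PROJECT_CPD_INSTANCE}"
  apply_tethered_default_deny "${PROJECT_CPD_INSTANCE_TETHERED}"
  apply_control_plane_allow_from "${PROJECT_CPD_INSTANCE_TETHERED}" "${PROJECT_CPD_INSTANCE}"
done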