Creating network policies for IBM watsonx.ai

Create network policies to prevent pods that are started by the caikit operator from communicating with pods in other namespaces. Caikit is a component of IBM watsonx.ai that handles prompt tuning tasks.

Before you begin

The IBM watsonx.ai service must be installed. Only an instance administrator can create network policies.

About this task

Creating network policies is optional. You can create one or both of the following policies:
caikit-allow-to-apiserver
Limits the egress of the caikit operator pods to the IP addresses of the Kubernetes API server.
caikit-allow-to-dns
Limits the egress of the caikit operator pods to the namespace that hosts the IBM watsonx.ai service and the OpenShift® Container Platform DNS namespace (openshift-dns).
Kubernetes network policies are allow lists: a pod that is selected by any policy with Egress in policyTypes can send traffic only to the destinations that the union of the policies that select it permits. If you apply only caikit-allow-to-apiserver, the selected pods can reach the API server but not the cluster DNS or other pods in the namespace. Before you apply a policy, confirm that every destination the selected pods need is covered by the policies that you create.

Procedure

To create network policies:
To create the caikit-allow-to-apiserver network policy, first get the IP addresses of the Kubernetes API server service and its endpoints, which are the only destinations that the policy allows the caikit operator pods to reach:
  1. To get the service IP address, use the following command:
    oc get svc -n default
    The response contains the IP address for the service. For example:
    oc get svc -n default
    NAME         TYPE           CLUSTER-IP   EXTERNAL-IP       PORT(S)   AGE
    kubernetes   ClusterIP      192.0.2.0   <none>             443/TCP   17h
  2. To get the IP addresses of the API server endpoints behind that service, use the following command:
    oc get ep -n default
    The response lists one address and port for each API server endpoint. For example:
    oc get ep -n default
    NAME         ENDPOINTS                                            AGE
    kubernetes   203.0.113.0:6443,203.0.112.0:6443,203.0.111.0:6443   4h
    Save the IP addresses that are returned.
  3. To create the caikit-allow-to-apiserver network policy, use the following policy definition:
    cat <<EOF | oc apply -f -
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      namespace: ${PROJECT_CPD_INST_OPERANDS}
      name: caikit-allow-to-apiserver
    spec:
      podSelector:
        matchExpressions:
        - key: icpdsupport/app
          operator: In
          values:
          - worker-plane
          - control-plane
      policyTypes:
      - Egress
      egress:
      - to:
        - ipBlock:
            cidr: {IP address range}
        ...
    EOF
    List each IP address that you recorded in the previous step as a /32 CIDR in its own ipBlock entry under the to key. Include both the service IP address and the endpoint IP addresses: a connection to the kubernetes service is translated to one of the endpoint addresses, and which address the policy is evaluated against depends on the network plugin. For example:
      policyTypes:
      - Egress
      egress:
      - to:
        - ipBlock:
            cidr: 192.0.2.0/32
        - ipBlock:
            cidr: 203.0.111.0/32
        - ipBlock:
            cidr: 203.0.112.0/32
        - ipBlock:
            cidr: 203.0.113.0/32
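The following script generates the caikit-allow-to-apiserver manifest from the service and endpoint addresses instead of hand-editing ipBlock entries. It is an added example for this page and is not part of the IBM watsonx.ai documentation or product; it assumes the pod labels and policy name shown above, IPv4 API server addresses, and uses RFC 5737 documentation addresses as constructed sample input (the `cpd-instance` fallback namespace is a placeholder).

```shell
#!/bin/sh
# Added example (not from the IBM documentation): build the caikit-allow-to-apiserver
# NetworkPolicy from the API server addresses instead of hand-editing ipBlock entries.
# Assumptions: the pod labels and policy name are the ones shown on this page, and the
# API server addresses are IPv4 (anything else is dropped by the filter below).

# apiserver_cidrs SVC_IP ENDPOINTS
#   SVC_IP    ClusterIP of the kubernetes service in the default namespace.
#   ENDPOINTS comma-separated list, either "ip:port,..." as printed by `oc get ep`
#             or plain "ip,ip,..." from a jsonpath query.
# Prints one /32 CIDR per line, de-duplicated and sorted, so each address becomes
# exactly one ipBlock entry. Both the service IP and the endpoint IPs are kept.
apiserver_cidrs() {
  svc_ip=$1
  endpoints=$2
  {
    printf '%s\n' "$svc_ip"
    printf '%s\n' "$endpoints" | tr ',' '\n' | sed 's/:[0-9]*$//'
  } | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u | sed 's#$#/32#'
}

# render_policy NAMESPACE CIDR...
# Emits the policy manifest with one ipBlock per CIDR under the egress "to" key.
render_policy() {
  ns=$1
  shift
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: ${ns}
  name: caikit-allow-to-apiserver
spec:
  podSelector:
    matchExpressions:
    - key: icpdsupport/app
      operator: In
      values:
      - worker-plane
      - control-plane
  policyTypes:
  - Egress
  egress:
  - to:
EOF
  for cidr in "$@"; do
    printf '    - ipBlock:\n        cidr: %s\n' "$cidr"
  done
}

# Constructed sample input that mirrors the example output earlier on this page
# (RFC 5737 documentation addresses). On a real cluster, replace it with:
#   svc_ip=$(oc get svc kubernetes -n default -o jsonpath='{.spec.clusterIP}')
#   eps=$(oc get ep kubernetes -n default \
#           -o jsonpath='{range .subsets[*].addresses[*]}{.ip},{end}')
#   render_policy "$PROJECT_CPD_INST_OPERANDS" $(apiserver_cidrs "$svc_ip" "$eps") | oc apply -f -
SAMPLE_SVC_IP=192.0.2.0
SAMPLE_ENDPOINTS='203.0.113.0:6443,203.0.112.0:6443,203.0.111.0:6443'

# Print the generated manifest so that it can be reviewed before it is applied.
# "cpd-instance" is a placeholder used only when PROJECT_CPD_INST_OPERANDS is unset.
render_policy "${PROJECT_CPD_INST_OPERANDS:-cpd-instance}" \
  $(apiserver_cidrs "$SAMPLE_SVC_IP" "$SAMPLE_ENDPOINTS")
```

Review the printed manifest before piping it to `oc apply -f -`; if the API server endpoints change (for example after control plane nodes are replaced), regenerate and re-apply the policy, because a stale ipBlock silently blocks the pods from reaching the new endpoints.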
To create the caikit-allow-to-dns network policy, use the following policy definition:
cat <<EOF | oc apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: ${PROJECT_CPD_INST_OPERANDS}
  name: caikit-allow-to-dns
spec:
  podSelector:
    matchExpressions:
    - key: icpdsupport/app
      operator: In
      values:
      - worker-plane
      - training
      - control-plane
      - inference
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ${PROJECT_CPD_INST_OPERANDS}
EOF