Installing network policies for foundational services

If you have a deny-all or allow-same-namespace policy in place, import and install network policies for IBM Cloud Pak foundational services.

Import and install network policies for foundational services to work in the following scenarios:

If you do not use a deny-all or allow-same-namespace policy, you do not need to import or install network policies.

For more information, see About network policy in Red Hat® OpenShift® Container Platform documentation.

If the cluster is deployed in the restricted namespace, enable access for the platform-auth-service, platform-identity-provider, and platform-identity-management pods to communicate with LDAP. To enable access for the pods, apply the following NetworkPolicy resources (the three documents are separated by --- so that they can be applied from a single file):

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internet-identity-provider
  namespace: <your-foundational-services-namespace>
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
  podSelector:
    matchLabels:
      app: platform-identity-provider
  policyTypes:
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internet-identity-management
  namespace: <your-foundational-services-namespace>
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
  podSelector:
    matchLabels:
      app: platform-identity-management
  policyTypes:
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internet-auth-service
  namespace: <your-foundational-services-namespace>
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
  podSelector:
    matchLabels:
      app: platform-auth-service
  policyTypes:
  - Egress

Note: Replace <your-foundational-services-namespace> with the namespace where you deployed the foundational services.
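The policies above allow the identity pods to reach any destination (0.0.0.0/0), not only the LDAP server. As an added example that is not part of the IBM documentation or the foundational services repository, the following policy for platform-auth-service narrows egress to the directory server and to cluster DNS. The LDAP address 192.0.2.10/32 and ports 389/636 are constructed placeholders, and the DNS rule assumes the default OpenShift openshift-dns namespace.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ldap-auth-service
  namespace: <your-foundational-services-namespace>
spec:
  podSelector:
    matchLabels:
      app: platform-auth-service
  policyTypes:
  - Egress
  egress:
  # LDAP and LDAPS to the directory server only.
  # 192.0.2.10/32 is a placeholder; replace it with your LDAP server address or subnet.
  - to:
    - ipBlock:
        cidr: 192.0.2.10/32
    ports:
    - protocol: TCP
      port: 389
    - protocol: TCP
      port: 636
  # Name resolution: the pod must still reach cluster DNS to resolve the LDAP hostname.
  # Assumes the default OpenShift DNS namespace. OpenShift's CoreDNS pods listen on
  # 5353 behind the port-53 service; 53 is kept for DNS pods that listen on 53 directly.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: openshift-dns
    ports:
    - protocol: UDP
      port: 5353
    - protocol: TCP
      port: 5353
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Network policies are additive, so this restriction only takes effect if the broad allow-internet-auth-service policy is not applied alongside it. The same pattern applies to platform-identity-provider and platform-identity-management by changing the app label.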

Installing network policies

You can install the network policies before or after installing foundational services if required.

  1. Log in to the cluster where you want to install network policies.
  2. Go to the foundational services GitHub repository.
  3. Download the repository.
  4. Run the install_networkpolicy.sh script that is located in the repository to install the network policies on the connected cluster.

    Note: If you install network policies before installing foundational services, the script automatically creates the foundational services namespace. You can also specify a namespace by using the -n or -o option. For more information, see Script options.

Script options

The following parameters can be modified while running the install_networkpolicy.sh script.

Table 1. Script parameters

  Parameter                      Description                                                                        Default
  -n, --namespace                The name of the namespace where the foundational services operand is installed.    Not applicable
  -o, --operators-namespace      The name of the namespace where the foundational services operator is installed.   Same namespace as the operand
  -z, --zen-namespace            The name of the namespace where the IBM Zen Service (Platform UI) is installed.    Same namespace as the operand
  -u, --uninstall                Uninstall the foundational services network policies.                              Not applicable
  -h, --help                     Print information about usage.                                                     Not applicable
  -c, --cert-manager-namespace   The namespace of the IBM Cert Manager.                                             Not applicable
  -l, --licensing-namespace      The namespace of the IBM License Service.                                          Not applicable

Example: Installing ingress network policies

The following command runs the install_networkpolicy.sh script and installs the ingress network policies in the foundational services operator and operand namespaces for the IM service, and in the IBM Cloud Pak namespaces for the Platform UI, IBM Cert Manager, and License Service.

./install_networkpolicy.sh \
    -n <your-foundational-services-operand-namespace> \
    -o <your-foundational-services-operator-namespace>  \
    -z <zen-namespace> \
    -c <cert-manager-namespace> \
    -l <licensing-namespace>

Example: Installing egress network policies

The following command runs the install_networkpolicy.sh script with the -e option and installs the egress network policies in the foundational services operator and operand namespaces for the IM service, and in the IBM Cloud Pak namespaces for the Platform UI, IBM Cert Manager, and License Service.

./install_networkpolicy.sh -e \
    -n <your-foundational-services-operand-namespace> \
    -o <your-foundational-services-operator-namespace>  \
    -z <zen-namespace> \
    -c <cert-manager-namespace> \
    -l <licensing-namespace>

Example: Uninstalling network policies

The following command runs the install_networkpolicy.sh script with the -u option and uninstalls the network policies from the foundational services operator and operand namespaces for the IM service, and from the Platform UI, IBM Cert Manager, and License Service namespaces.

./install_networkpolicy.sh -u \
    -n <your-foundational-services-operand-namespace> \
    -o <your-foundational-services-operator-namespace>  \
    -z <zen-namespace> \
    -c <cert-manager-namespace> \
    -l <licensing-namespace>