Installing network policies for foundational services

If you have a deny-all or allow-same-namespace policy in place, import and install network policies for IBM Cloud Pak foundational services.

Import and install network policies for foundational services to work in the following scenarios:

If you do not use deny-all or allow-same-namespace policy, you do not need to import or install network policies.

For more information, see About network policy in Red Hat® OpenShift® Container Platform documentation.
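To decide whether a namespace falls under the condition above, you can inspect its existing NetworkPolicy objects. The following is an added example, not part of the foundational services repository: it classifies policies from the JSON that `oc get networkpolicy -n <namespace> -o json` returns. It assumes the policy shapes that the OpenShift documentation calls deny-all and allow-same-namespace, and it goes slightly beyond the page by also checking the egress direction. The function names and sample data are constructed for illustration.

```python
import json

# Constructed sample, shaped like `oc get networkpolicy -n <namespace> -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "deny-by-default"},
     "spec": {"podSelector": {}, "ingress": []}},
    {"metadata": {"name": "allow-same-namespace"},
     "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]}},
    {"metadata": {"name": "allow-from-edge"},  # cross-namespace allow: not flagged
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [
         {"from": [{"namespaceSelector": {"matchLabels": {"example/team": "edge"}}}]}]}},
]})

def selects_all_pods(selector):
    """An empty selector ({}) matches every pod in the namespace."""
    selector = selector or {}
    return not selector.get("matchLabels") and not selector.get("matchExpressions")

def same_namespace_only(rules, peers_key):
    """True when every rule lists peers and each peer is a bare podSelector."""
    return all(
        rule.get(peers_key) and all(
            "podSelector" in p and "namespaceSelector" not in p and "ipBlock" not in p
            for p in rule[peers_key])
        for rule in rules)

def classify(policy):
    """Return findings such as 'deny-all (ingress)' for one NetworkPolicy."""
    spec = policy.get("spec", {})
    if not selects_all_pods(spec.get("podSelector")):
        return []
    # Kubernetes default: Ingress always, Egress only when egress rules are present.
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if spec.get("egress") else [])
    findings = []
    for direction, key, peers_key in (("Ingress", "ingress", "from"), ("Egress", "egress", "to")):
        if direction not in types:
            continue
        rules = spec.get(key) or []
        if not rules:
            findings.append(f"deny-all ({direction.lower()})")
        elif same_namespace_only(rules, peers_key):
            findings.append(f"allow-same-namespace ({direction.lower()})")
    return findings

def restrictive_policies(policy_list_json):
    """Map policy name -> findings for policies that isolate the namespace."""
    result = {}
    for item in json.loads(policy_list_json).get("items", []):
        if (found := classify(item)):
            result[item["metadata"]["name"]] = found
    return result

if __name__ == "__main__":
    print(restrictive_policies(SAMPLE))
```

An empty result for a namespace means that neither policy shape was found there.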

Installing network policies

You can install the network policies either before or after you install foundational services.

  1. Log in to the cluster where you want to install network policies.
  2. Go to the foundational services GitHub repository.
  3. Download the repository.
  4. Run the install_networkpolicy.sh script that is located in the repository to install the network policies on the connected cluster.

    Note: If you install network policies before installing foundational services, the script automatically creates the foundational services namespace. You can also specify a namespace by using the -n or -o option. For more information, see Script options.

Script options

You can specify the following parameters when you run the install_networkpolicy.sh script.

Table 1. Script parameters
| Parameter | Description | Default |
|---|---|---|
| -n, --namespace | The name of the namespace where the foundational services operand is installed. | Not applicable |
| -o, --operators-namespace | The name of the namespace where the foundational services operator is installed. | Same namespace as operand |
| -z, --zen-namespace | The name of the namespace where the IBM Zen Service (also known as Platform UI) is installed. | Same namespace as operand |
| -u, --uninstall | Uninstall foundational services network policies. | Not applicable |
| -h, --help | Print information about usage. | Not applicable |
| -c, --cert-manager-namespace | The namespace of the IBM Cert Manager. | Not applicable |
| -l, --licensing-namespace | The namespace of the IBM License Service. | Not applicable |
| -lsr, --licensing-svc-reporter-namespace | The namespace of the IBM License Service Reporter. | Not applicable |

Example: Installing ingress network policies

The following command runs the install_networkpolicy.sh script, and installs the ingress network policies in the following namespaces: foundational services operator and operand namespace for IM service, the IBM Cloud Pak namespace for Platform UI, IBM Cert Manager namespace, License Service namespace and License Service Reporter namespace.

./install_networkpolicy.sh -e \
    -n <your-foundational-services-operand-namespace> \
    -o <your-foundational-services-operator-namespace>  \
    -z <zen-namespace> \
    -c <cert-manager-namespace> \
    -l <licensing-namespace> \
    -lsr <licensing-svc-reporter-namespace>

Example: Installing egress network policies

The following command runs the install_networkpolicy.sh script, and installs the egress network policies in the following namespaces: foundational services operator and operand namespace for IM service, the IBM Cloud Pak namespace for Platform UI, IBM Cert Manager namespace, License Service namespace and License Service Reporter namespace.

./install_networkpolicy.sh -e \
    -n <your-foundational-services-operand-namespace> \
    -o <your-foundational-services-operator-namespace>  \
    -z <zen-namespace> \
    -c <cert-manager-namespace> \
    -l <licensing-namespace> \
    -lsr <licensing-svc-reporter-namespace>

Example: Uninstalling network policies

The following command runs the install_networkpolicy.sh script, and uninstalls the network policies from the following namespaces: foundational services operator and operand namespace for IM service, the IBM Cloud Pak namespace for Platform UI, IBM Cert Manager namespace, License Service namespace and License Service Reporter namespace.

./install_networkpolicy.sh -u \
    -n <your-foundational-services-operand-namespace> \
    -o <your-foundational-services-operator-namespace>  \
    -z <zen-namespace> \
    -c <cert-manager-namespace> \
    -l <licensing-namespace> \
    -lsr <licensing-svc-reporter-namespace>