Installing network policies for foundational services
If you have a deny-all or allow-same-namespace policy in place, import and install network policies for IBM Cloud Pak foundational services.
Import and install network policies for foundational services to work in the following scenarios:
- If you have the deny-all policy in place, the ingress traffic to all pods is not allowed.
- If the cluster has the allow-same-namespace policy in place, the communication between the pods across namespaces can be blocked.
If you do not use a deny-all or allow-same-namespace policy, you do not need to import or install network policies.
For more information, see About network policy in Red Hat® OpenShift® Container Platform documentation.
Installing network policies
You can install the network policies before or after installing foundational services if required.
- Log in to the cluster where you want to install network policies.
- Go to the foundational services GitHub repository.
- Download the repository.
- Run the install_networkpolicy.sh script that is located in the repository to install the network policies on the connected cluster.
  Note: If you install network policies before installing foundational services, the script automatically creates the foundational services namespace. You can also specify a namespace by using the -n or -o option. For more information, see Script options.
Script options
The following parameters can be modified while running the install_networkpolicy.sh script.

| Parameter | Description | Default |
|---|---|---|
| -n, --namespace | The name of the namespace where the foundational services operand is installed. | Not applicable |
| -o, --operators-namespace | The name of the namespace where the foundational services operator is installed. | Default is same namespace as operand |
| -z, --zen-namespace | The name of the namespace where the IBM Zen Service aka PlatformUI is installed. | Default is same namespace as operand |
| -u, --uninstall | Uninstall foundational services network policies. | Not applicable |
| -h, --help | Print information about usage. | Not applicable |
| -c, --cert-manager-namespace | The namespace of the IBM Cert Manager. | Not applicable |
| -l, --licensing-namespace | The namespace of the IBM License Service. | Not applicable |
| -lsr, --licensing-svc-reporter-namespace | The namespace of the IBM License Service. | Not applicable |

Example: Installing ingress network policies
The following command runs the install_networkpolicy.sh script, and installs the ingress network policies in the following namespaces: foundational services operator and operand namespace for IM service, the IBM Cloud Pak namespace for Platform UI, IBM Cert Manager namespace, License Service namespace and License Service Reporter namespace.
./install_networkpolicy.sh -e \
-n <your-foundational-services-operand-namespace> \
-o <your-foundational-services-operator-namespace> \
-z <zen-namespace> \
-c <cert-manager-namespace> \
-l <licensing-namespace> \
-lsr <licensing-svc-reporter-namespace>
Example: Installing egress network policies
The following command runs the install_networkpolicy.sh script, and installs the egress network policies in the following namespaces: foundational services operator and operand namespace for IM service, the IBM Cloud Pak namespace for Platform UI, IBM Cert Manager namespace, License Service namespace and License Service Reporter namespace.
./install_networkpolicy.sh -e \
-n <your-foundational-services-operand-namespace> \
-o <your-foundational-services-operator-namespace> \
-z <zen-namespace> \
-c <cert-manager-namespace> \
-l <licensing-namespace> \
-lsr <licensing-svc-reporter-namespace>
Example: Uninstalling network policies
The following command runs the install_networkpolicy.sh script, and uninstalls the network policies from the following namespaces: foundational services operator and operand namespace for IM service, the IBM Cloud Pak namespace for Platform UI, IBM Cert Manager namespace, License Service namespace and License Service Reporter namespace.
./install_networkpolicy.sh -u \
-n <your-foundational-services-operand-namespace> \
-o <your-foundational-services-operator-namespace> \
-z <zen-namespace> \
-c <cert-manager-namespace> \
-l <licensing-namespace> \
-lsr <licensing-svc-reporter-namespace>