Configuring Network Policies

NetworkPolicies are an application-centric construct that specifies how a Pod is allowed to communicate with network endpoints or services, both for ingress (traffic to the Pod) and egress (traffic from the Pod).

The entities that a Pod can communicate with are identified through a combination of the following three identifiers:

  1. Other Pods that are allowed (exception: a Pod cannot block access to itself).
  2. Namespaces that are allowed.
  3. IP blocks (exception: traffic to and from the node where a Pod is running is always allowed, regardless of the IP address of the Pod or the node).

When defining a NetworkPolicy based on a Pod or a namespace, a selector (see Labels and Selectors) is used to specify what traffic is allowed to and from the Pod(s) that match the selector. When IP-based NetworkPolicies are created, policies are defined based on IP blocks (CIDR ranges). For more information on network policies, refer to the Kubernetes documentation (kubernetes.io/docs/concepts/services-networking/network-policies/).

Note: Network policies are implemented by the cluster network plugin. To use network policies, you must be using a networking solution that supports NetworkPolicy for ingress and egress. Red Hat OpenShift uses OpenShift SDN as the default container network interface plugin, which has only partial support for network policies: it does not support egress rules and some IP block rules. The default network policies have been qualified with the OVN-Kubernetes network plugin. For more information, see Network Plugins.

Out of the box Network Policies

For Container deployments, a few default network policies are created out of the box as per mandatory security guidelines. By default, all ingress and egress traffic is denied, with a few additional policies that allow communication within the cluster and on the ports configured in the Helm chart configuration.

Additionally, custom ingress and egress policies can be configured in values.yaml to allow traffic from and to specific external service endpoints.

Note:

By default, all ingress and egress traffic from or to external services is denied. You will need to create custom network policies to allow ingress and egress traffic from or to services outside the cluster, such as a database, MQ, protocol adapter endpoints, or any other third-party service integration.

Out of the box Ingress policies:

  • Deny all ingress traffic.
  • Allow ingress traffic from all Pods in the current namespace in the cluster.
  • Allow ingress traffic on the additional ports configured in the Helm values.

Out of the box Egress policies:

  • Deny all egress traffic.
  • Allow egress traffic within the cluster.

Defining Custom Network Policies

You can configure the following ingress.yaml and egress.yaml files.

ingress.yaml

# Policy 1: deny all ingress to the ibm-sccm Pods. An empty ingress list
# selects the Pods but allows no sources, so all inbound traffic is dropped
# unless another policy allows it (network policies are additive).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ibm-sccm-ingress-deny-all
  labels:
    app.kubernetes.io/name: ibm-sccm
    app.kubernetes.io/instance: ibm-sccm
    release: ibm-sccm
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ibm-sccm
      app.kubernetes.io/instance: ibm-sccm
      release: ibm-sccm
  policyTypes:
  - Ingress
  ingress: []

---

# Policy 2: allow ingress from Pods in the same namespace that carry the
# label release: ibm-sccm. A podSelector without a namespaceSelector is
# scoped to the namespace of the policy, so no other namespace is opened.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ibm-sccm-ingress-allow-ns
  labels:
    app.kubernetes.io/name: ibm-sccm
    app.kubernetes.io/instance: ibm-sccm
    release: ibm-sccm
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ibm-sccm
      app.kubernetes.io/instance: ibm-sccm
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          release: ibm-sccm

---
# Policy 3: allow ingress on the configured service ports. An empty 'from'
# list matches every source, so only the port list restricts this traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ibm-sccm-ingress-custom
  labels:
    app.kubernetes.io/name: ibm-sccm
    app.kubernetes.io/instance: ibm-sccm
    release: ibm-sccm
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ibm-sccm
      app.kubernetes.io/instance: ibm-sccm
  policyTypes:
  - Ingress
  ingress:
  - from: []
    ports:
      - protocol: TCP
        port: 58080 # <port value given in httpPort in configmap>
      - protocol: TCP
        port: 58082 # <port value given in webHttpPort in configmap>
      - protocol: TCP
        port: 58081 # <port value given in httpsPort in configmap>
      - protocol: TCP
        port: 58083 # <port value given in webHttpsPort in configmap>

egress.yaml

# Policy 1: deny all egress from the ibm-sccm Pods. An empty egress list
# allows no destinations, so all outbound traffic is dropped unless another
# policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ibm-sccm-egress-deny-all
  labels:
    app.kubernetes.io/name: ibm-sccm
    app.kubernetes.io/instance: ibm-sccm
    release: ibm-sccm
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ibm-sccm
      app.kubernetes.io/instance: ibm-sccm
  policyTypes:
  - Egress
  egress: []

---

# Policy 2: allow egress within the cluster. 'namespaceSelector: {}' matches
# every namespace, so Pods in any namespace are reachable; addresses outside
# the cluster remain denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ibm-sccm-egress-allow-ns
  labels:
    app.kubernetes.io/name: ibm-sccm
    app.kubernetes.io/instance: ibm-sccm
    release: ibm-sccm
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ibm-sccm
      app.kubernetes.io/instance: ibm-sccm
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}

---
# Policy 3: allow DNS lookups (UDP and TCP port 53) to any destination. An
# empty 'to' list matches every destination, so only the ports restrict it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ibm-sccm-egress-custom
  labels:
    app.kubernetes.io/name: ibm-sccm
    app.kubernetes.io/instance: ibm-sccm
    release: ibm-sccm
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ibm-sccm
      app.kubernetes.io/instance: ibm-sccm
  policyTypes:
  - Egress
  egress:
  - to: []
    ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP

Configuration options:

  • podSelector: Selects particular Pods in the same namespace as the NetworkPolicy that are allowed as ingress sources or egress destinations.
  • namespaceSelector: Selects particular namespaces. All Pods in those namespaces are allowed as ingress sources or egress destinations, unless a podSelector is given in the same rule entry, in which case only the matching Pods in those namespaces are allowed.
  • ipBlock: Selects particular IP CIDR ranges to allow as ingress sources or egress destinations. These should be cluster-external IPs, since Pod IPs are ephemeral and unpredictable.
  • ports: Selects individual ports, or a port range when endPort is given together with port. A rule without a ports list allows traffic on all ports.
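As an added example (not one of the policies shipped with the chart), the following custom egress policy allows the ibm-sccm Pods to reach an external database and an MQ subnet, combining ipBlock with ports as described in the configuration options above; the policy name, addresses and ports are placeholders.

```yaml
# Added example, not a policy shipped with the chart. Replace the placeholder
# addresses and ports with those of the real external services.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ibm-sccm-egress-external-services
  labels:
    app.kubernetes.io/name: ibm-sccm
    app.kubernetes.io/instance: ibm-sccm
    release: ibm-sccm
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ibm-sccm
      app.kubernetes.io/instance: ibm-sccm
  policyTypes:
  - Egress
  egress:
  # Rule 1: the external database, a single host. A /32 limits the opening
  # to one address rather than the whole subnet. 192.0.2.10 is a placeholder
  # from the TEST-NET-1 documentation range.
  - to:
    - ipBlock:
        cidr: 192.0.2.10/32
    ports:
      - protocol: TCP
        port: 5432   # placeholder: the database listener port
  # Rule 2: a subnet hosting the MQ queue managers. 'except' removes the
  # subnet's gateway address from the allowed range again.
  - to:
    - ipBlock:
        cidr: 192.0.2.32/28
        except:
          - 192.0.2.33/32
    ports:
      - protocol: TCP
        port: 1414   # placeholder: the MQ listener port
```

Apply it in the namespace of the ibm-sccm Pods alongside the shipped policies: because policies are additive, the deny-all and DNS policies stay in place and only these two destinations are added. The ipBlock rules match addresses, not names, so the DNS egress policy is still needed for the Pods to resolve the service hostnames.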