Configuring Network Policies
NetworkPolicies are an application-centric construct that specifies how a Pod is allowed to communicate with various network ingress and egress endpoints or services over the network.
The entities that a Pod can communicate with are identified through a combination of the following 3 identifiers:
- Other Pods that are allowed (exception: a Pod cannot block access to itself).
- Namespaces that are allowed.
- IP blocks (exception: traffic to and from the node where a Pod is running is always allowed, regardless of the IP address of the Pod or the node).
When a NetworkPolicy is defined based on a Pod or a namespace, a selector (see Labels and Selectors) is used to specify what traffic is allowed to and from the Pod(s) that match the selector. When IP-based NetworkPolicies are created, policies are defined based on IP blocks (CIDR ranges). For more information on network policies, refer to the Kubernetes documentation (kubernetes.io/docs/concepts/services-networking/network-policies/).
Out of the box Network Policies
For Container deployments, a few default network policies are created out of the box as per mandatory security guidelines. By default, all ingress and egress traffic is denied, with a few additional policies that allow communication within the cluster and on the ports configured in the helm chart configuration.
Additionally, custom ingress and egress policies can be configured in values.yaml to allow traffic from and to specific external service endpoints.
By default, all ingress and egress traffic from or to external services is denied. You need to create custom network policies to allow ingress and egress traffic from or to services outside the cluster, such as a database, MQ, protocol adapter endpoints, or any other third-party service integration.
Out of the box Ingress policies:
- Deny all ingress traffic.
- Allow ingress traffic from all Pods in the current namespace in the cluster.
- Allow ingress traffic on the additional configured ports in helm values.
Out of the box Egress policies:
- Deny all egress traffic.
- Allow egress traffic within the cluster.
Defining Custom Network Policies
You can enable (default) or disable deployment of the out of the box ingress and egress network policies at the global level using the helm chart configuration. You can also configure custom network policies in the networkPolicy configuration section if you want those policies to be deployed and managed as part of the Certified Container deployment. Network policies can also be added externally using the Kubernetes or OpenShift command line or user interfaces.
You can add multiple custom policies to the networkPolicy.ingress.fromSelectors, networkPolicy.ingress.ports, networkPolicy.egress.toSelectors, or networkPolicy.egress.ports configuration arrays.
networkPolicy:
  # apply ingress rule. Default allow all ingress traffic
  ingress:
    enabled: false
    # fromSelectors:
    # - namespaceSelector:
    #     matchLabels:
    #       name: <namespace>
    #   podSelector:
    #     matchLabels:
    #       app.kubernetes.io/instance: "<Release Name>"
    # - podSelector:
    #     matchLabels:
    #       app.kubernetes.io/name: "ibm-sccm"
    # - ipBlock:
    #     cidr: <IP Address>/<block size>
    #     except:
    #     - <IP Address>/<block size>
    # ports:
    # - protocol: TCP
    #   port: 58083
    #   endPort: 58083
  # apply egress rule. Default allow all egress traffic
  egress:
    enabled: false
    # ports:
    # - port: 1433
    #   protocol: TCP
    # - port: 50000
    #   protocol: TCP
    # toSelectors:
    # - ipBlock:
    #     cidr: <IP Address>/<block size>
    #     except:
    #     - <IP Address>/<block size>
    # - namespaceSelector:
    #     matchLabels:
    #       name: <namespace>
    #   podSelector:
    #     matchLabels:
    #       app.kubernetes.io/instance: "<Release Name>"
    # - podSelector:
    #     matchLabels:
    #       app.kubernetes.io/name: "ibm-sccm"
Configuration options:
- podSelector: Selects particular Pods in the same namespace as the NetworkPolicy which should be allowed as ingress sources or egress destinations.
- namespaceSelector: Selects particular namespaces whose Pods (all of them, or only those matched by a podSelector given in the same list entry) should be allowed as ingress sources or egress destinations.
- ipBlock: Selects particular IP CIDR ranges to allow as ingress sources or egress destinations. These should be cluster-external IPs, since Pod IPs are ephemeral and unpredictable.
- ports: Selects individual ports, or a port range when endPort is also set.
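The following Python script is an added example, not code from the chart or from IBM's documentation. It mirrors the networkPolicy values section above as a constructed dict (the label values, the 10.20.0.0/16 range and the 0.0.0.0/0 block are made up), renders the NetworkPolicy spec those values imply (a hypothetical rendering, since the chart's template is not shown on this page), and audits it for entries that are broader than they look: a namespaceSelector listed on its own rather than paired with a podSelector, and an ipBlock that covers every address.

```python
import ipaddress

# Constructed values mirroring the commented-out networkPolicy section above; the
# 0.0.0.0/0 block and the lone namespaceSelector are deliberate mistakes to catch.
VALUES = {"networkPolicy": {
    "ingress": {"enabled": True, "ports": [{"protocol": "TCP", "port": 58083, "endPort": 58083}],
                "fromSelectors": [
                    {"namespaceSelector": {"matchLabels": {"name": "monitoring"}},
                     "podSelector": {"matchLabels": {"app.kubernetes.io/instance": "sccm-prod"}}},
                    {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "ibm-sccm"}}},
                    {"ipBlock": {"cidr": "0.0.0.0/0"}}]},
    "egress": {"enabled": True, "ports": [{"port": 1433, "protocol": "TCP"}],
               "toSelectors": [
                   {"ipBlock": {"cidr": "10.20.0.0/16", "except": ["10.20.5.0/24"]}},
                   {"namespaceSelector": {"matchLabels": {"name": "shared-db"}}}]}}}

def render(values, release):
    """Hypothetical rendering of the spec these values imply (the chart's template is not on this page)."""
    np = values["networkPolicy"]
    spec = {"podSelector": {"matchLabels": {"app.kubernetes.io/instance": release}},
            "policyTypes": [], "ingress": [], "egress": []}
    if np["ingress"]["enabled"]:
        spec["policyTypes"].append("Ingress")
        spec["ingress"].append({"from": np["ingress"].get("fromSelectors", []),
                                "ports": np["ingress"].get("ports", [])})
    if np["egress"]["enabled"]:
        spec["policyTypes"].append("Egress")
        spec["egress"].append({"to": np["egress"].get("toSelectors", []),
                               "ports": np["egress"].get("ports", [])})
    return spec

def audit(spec):
    """Sibling entries under from/to are OR-ed; keys inside one entry are AND-ed.
    A namespaceSelector paired with a podSelector is therefore narrow, while one
    on its own admits every Pod in the matched namespaces."""
    findings = []
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for rule in spec[direction]:
            for i, peer in enumerate(rule[key]):
                where = f"{direction}[{i}]"
                if "ipBlock" in peer:
                    net = ipaddress.ip_network(peer["ipBlock"]["cidr"], strict=False)
                    if net.prefixlen == 0:
                        findings.append(f"{where}: ipBlock {net} matches every address")
                elif "namespaceSelector" in peer and "podSelector" not in peer:
                    findings.append(f"{where}: namespaceSelector alone admits all Pods in the namespace")
            if not rule.get("ports"):
                findings.append(f"{direction}: no ports listed, so every port is allowed")
    return findings
```

Run `audit(render(VALUES, "sccm-prod"))` to see the two findings; a values file with both rules disabled renders no policyTypes and produces no findings.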