Controlling cluster traffic with network policies

By default, application pods that run on the same cluster as Netcool® Operations Insight® but in a different namespace cannot access Netcool Operations Insight pods. You must create a network policy to allow such application pods to communicate with Netcool Operations Insight pods. An example is an application such as IBM® Telco Network Cloud Manager that runs in a different namespace in the cluster and needs to use the OpenLDAP instance installed with Netcool Operations Insight for authentication.

About this task

A network policy controls access to a set of pods, and the peers that it permits or blocks can be pods, whole namespaces, or blocks of IP addresses. Pods and namespaces are identified by their labels; IP address blocks are identified by CIDR ranges.

Procedure

  1. Identify the labels on both the source and the target application associated with the grouping of pods to which the policy applies.

    In our example, you must retrieve the labels for the pods in Telco Network Cloud Manager that require access to the Netcool Operations Insight OpenLDAP pod, and the label of the Netcool Operations Insight OpenLDAP pod itself.

    To retrieve pod labels use a command similar to the following:
    kubectl get pods --show-labels
  2. Create a network policy, as described in the following Kubernetes documentation topic: https://kubernetes.io/docs/concepts/services-networking/network-policies/.
    The following sample code shows a network policy defined to enable an ingress controller to access all Netcool Operations Insight pods.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-ingress
      labels:
        origin: helm-cem
        release: noi
    spec:
      policyTypes:
      - Ingress
      podSelector:
        matchLabels:
          release: noi
      ingress:
      - from:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
        - podSelector:
            matchLabels:
              release: noi
    The podSelector and namespaceSelector elements select the entities to which the network policy applies.
    • The first podSelector element (under spec) defines the target entities as all pods that have the label "release=noi".
    • The second podSelector element, paired with an empty namespaceSelector ({}), defines the source entities as all pods in any namespace of the cluster that have the label "app.kubernetes.io/name=ingress-nginx", in other words, the ingress controllers. Because the two selectors are in the same from entry, both conditions must match; the empty namespaceSelector is what lifts the namespace restriction.
    • The third podSelector element, which is a separate from entry, additionally allows traffic from pods in the policy's own namespace that have the label "release=noi", so that Netcool Operations Insight pods can continue to talk to each other.
  3. Apply the network policy by running the following command:
    kubectl apply -f name_of_network_policy
    Where name_of_network_policy is the name of the YAML file that contains the network policy that you created. The policy is created in the namespace named in its metadata, or in the current namespace if none is given.
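As an added example that is not part of the Netcool Operations Insight documentation, the following policy expresses the Telco Network Cloud Manager to OpenLDAP case from the introduction: it opens the OpenLDAP pod only to the Telco Network Cloud Manager pods in their own namespace, and only on the LDAP ports. The labels, namespace names and ports are assumed placeholders, to be replaced with the values that step 1 retrieves.

```yaml
# Added example, not from the Netcool Operations Insight product or documentation.
# Allows only the Telco Network Cloud Manager (TNCM) pods, in their own namespace,
# to reach the Netcool Operations Insight OpenLDAP pod, and only on the LDAP ports.
# Assumptions (placeholders, not the product's real labels or names):
#   - the OpenLDAP pod carries the labels release=noi and app=openldap
#   - Netcool Operations Insight is installed in namespace "noi"
#   - the TNCM pods run in namespace "tncm" and carry the label app=tncm
#   - the namespace label kubernetes.io/metadata.name is present (set automatically
#     by Kubernetes 1.21 and later)
#   - OpenLDAP listens on TCP 389 (LDAP) and 636 (LDAPS)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-tncm-to-openldap
  namespace: noi            # a policy is created in the namespace of the target pods
spec:
  policyTypes:
  - Ingress
  podSelector:              # target: only the OpenLDAP pod, not every release=noi pod
    matchLabels:
      release: noi
      app: openldap
  ingress:
  - from:
    # namespaceSelector and podSelector in the SAME list item are ANDed: only pods
    # labelled app=tncm that live in the "tncm" namespace match. Written as two
    # separate list items they would be ORed, admitting every pod in "tncm" plus
    # every app=tncm pod in any namespace.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: tncm
      podSelector:
        matchLabels:
          app: tncm
    ports:                  # restrict the opening to the LDAP ports only
    - protocol: TCP
      port: 389
    - protocol: TCP
      port: 636
```

After applying the file with kubectl apply -f, kubectl describe networkpolicy allow-tncm-to-openldap -n noi shows the resolved selectors and ports so that you can confirm the policy targets the intended pods before relying on it.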