By default, access is blocked to application pods that run on the same cluster but in a different namespace to Netcool® Operations Insight®. You must create a network policy to enable any of those application pods to talk to Netcool Operations Insight pods. An example of this is where an application such as IBM® Telco Network Cloud Manager is running in a different namespace in the cluster and needs to use the same OpenLDAP installed with Netcool Operations Insight for authentication.
About this task
A network policy controls access not only to pods but also to namespaces and to blocks of IP addresses. The network policy can explicitly permit or block access to these entities, which are identified by their labels.
Procedure
- Identify the labels on both the source and the target application associated with the grouping of pods to which the policy applies.
  In our example, you must retrieve the labels for the pods in Telco Network Cloud Manager that require access to the Netcool Operations Insight OpenLDAP pod, and the label of the Netcool Operations Insight OpenLDAP pod itself.
  To retrieve pod labels, use a command similar to the following:
  kubectl get pods --show-labels
- Create a network policy, as described in the following Kubernetes documentation topic: https://kubernetes.io/docs/concepts/services-networking/network-policies/.
  The following sample code shows a network policy defined to enable an ingress controller to access all Netcool Operations Insight pods.
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-ingress
    labels:
      origin: helm-cem
      release: noi
  spec:
    policyTypes:
      - Ingress
    podSelector:
      matchLabels:
        release: noi
    ingress:
      - from:
          - namespaceSelector: {}
            podSelector:
              matchLabels:
                app.kubernetes.io/name: ingress-nginx
          - podSelector:
              matchLabels:
                release: noi
  The podSelector elements select the entities to which the network policy applies.
  - The first podSelector element (under spec) defines the target entities as all pods that have the label "release=noi".
  - The second podSelector element (under ingress.from) defines the source entities as all pods that have the label "app.kubernetes.io/name=ingress-nginx", in other words, the ingress controllers. Because it is paired with an empty namespaceSelector ({}), ingress controllers in any namespace of the cluster are matched.
  - The third podSelector element (release: noi) additionally allows the Netcool Operations Insight pods to reach one another.
- Apply the network policy by running the following command:
  kubectl apply -f name_of_network_policy
  Where name_of_network_policy is the YAML file that contains the network policy definition that you created.
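The cross-namespace case described at the start of this topic (Telco Network Cloud Manager pods reaching the Netcool Operations Insight OpenLDAP pod), written out as an added example that is not taken from the product documentation. The namespace names, the app=openldap and app=tncm labels, and the LDAP ports 389/636 are assumptions; replace them with the values returned by kubectl get pods --show-labels and kubectl get namespaces --show-labels in your cluster.

```yaml
# Added example, not from the product documentation.
# Allows only pods labelled app=tncm in the tncm namespace to reach the
# OpenLDAP pod in the noi namespace on the LDAP ports. All label values,
# namespace names and ports below are assumed; verify them in your cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-tncm-to-openldap
  namespace: noi                  # assumed: namespace where Netcool Operations Insight runs
spec:
  policyTypes:
    - Ingress
  # Target: narrow the selector to the OpenLDAP pod rather than every release=noi pod.
  podSelector:
    matchLabels:
      release: noi
      app: openldap               # assumed label on the OpenLDAP pod
  ingress:
    - from:
        # namespaceSelector and podSelector in ONE list item are ANDed:
        # the source pod must be in the tncm namespace AND carry app=tncm.
        # Splitting them into two items ("- namespaceSelector:" and
        # "- podSelector:") would OR them and admit every pod in the
        # tncm namespace plus every app=tncm pod in the noi namespace.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tncm   # assumed TNCM namespace name
          podSelector:
            matchLabels:
              app: tncm                           # assumed label on the TNCM pods
      # Restrict the opened traffic to the LDAP ports only.
      ports:
        - protocol: TCP
          port: 389               # assumed: LDAP; use the port the OpenLDAP service exposes
        - protocol: TCP
          port: 636               # assumed: LDAPS
```

After applying it, confirm the result with kubectl describe networkpolicy allow-tncm-to-openldap -n noi, which prints the resolved ingress rules so you can check that the namespace and pod selectors appear together in one rule.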