By default, access is blocked to application pods that run on the same cluster but in a different namespace from Netcool® Operations Insight®. You must create a network policy to allow any of those application pods to talk to Netcool Operations Insight pods. An example of this access is where an application such as IBM® Telco Network Cloud Manager is running in a different namespace in the cluster and needs to use the same OpenLDAP that is installed with Netcool Operations Insight for authentication.
About this task
A network policy controls access not only to pods but also to namespaces and to blocks of IP addresses. The network policy can explicitly allow or block access to these entities, which are identified by using their labels.
Procedure
- Identify the labels on both the source and the target application that are associated with the grouping of pods to which the policy applies.
In the example, you must retrieve the labels for the pods in Telco Network Cloud Manager that require access to the Netcool Operations Insight OpenLDAP pod, and the label of the Netcool Operations Insight OpenLDAP pod itself.
To retrieve pod labels, use a command similar to the following command:
kubectl get pods --show-labels
- Create a network policy, as described in the following Kubernetes documentation topic: https://kubernetes.io/docs/concepts/services-networking/network-policies/
The following sample code shows a network policy that is defined to enable an ingress controller to access all Netcool Operations Insight pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress
  labels:
    origin: helm-cem
    release: noi
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      release: noi
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
    - podSelector:
        matchLabels:
          release: noi
The podSelector elements select the entities to which the network policy applies.
- The first podSelector element (under spec) defines the target entities as all pods that have the label "release=noi".
- The second podSelector element (under ingress.from) defines the source entities as all pods, in any namespace (namespaceSelector: {}), that have the label "app.kubernetes.io/name=ingress-nginx", in other words, the ingress controllers. The final podSelector additionally allows traffic from pods in the same namespace that have the label "release=noi".
- Apply the network policy by running the following command:
kubectl apply -f name_of_network_policy
Where name_of_network_policy is the name of the file that contains the network policy that you created.
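The following manifest is an added example, not part of the original IBM documentation, that carries the procedure above through for the cross-namespace OpenLDAP case. It assumes that the OpenLDAP pod carries the label "app=openldap" together with "release=noi", that the Telco Network Cloud Manager pods carry the label "app.kubernetes.io/part-of=tncm" and run in a namespace named "tncm", and that OpenLDAP listens on TCP port 389; all of these values are placeholders that you must replace with the labels returned by kubectl get pods --show-labels and the port shown by kubectl get svc. The namespace label kubernetes.io/metadata.name is set automatically by Kubernetes on every namespace, which avoids having to label the source namespace by hand.

```yaml
# Added example (not from the original page): allow only the TNCM pods in the
# "tncm" namespace to reach the Netcool Operations Insight OpenLDAP pod, and
# only on the LDAP port. Everything else from other namespaces stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-tncm-to-openldap      # placeholder name
  # Apply this in the namespace where Netcool Operations Insight runs.
spec:
  policyTypes:
  - Ingress
  # Target: the OpenLDAP pod. Labels are assumptions; verify with
  # kubectl get pods --show-labels in the NOI namespace.
  podSelector:
    matchLabels:
      release: noi
      app: openldap
  ingress:
  - from:
    # namespaceSelector and podSelector in the SAME list item are ANDed:
    # the source must be in the "tncm" namespace AND carry the TNCM label.
    # (Two separate list items would be ORed, which is broader than intended.)
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: tncm     # assumed source namespace
      podSelector:
        matchLabels:
          app.kubernetes.io/part-of: tncm       # assumed source pod label
    ports:
    - protocol: TCP
      port: 389                                 # assumed OpenLDAP port
```

Apply it with kubectl apply -f, then confirm the rule is in place with kubectl describe networkpolicy allow-tncm-to-openldap -n <noi-namespace>. Keeping the namespaceSelector and podSelector in one list item is the important detail: splitting them into two items would admit every pod in the tncm namespace plus any pod with that label in any namespace, which is more access than the task requires.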