Adding a network policy for Cognos Analytics
Optional. If you are provisioning a Cognos Analytics instance into a tethered project, you can add a network policy for the instance.
About this task
You must be a cluster administrator to run this procedure.
Complete this procedure before you provision an instance into a tethered project.
For more information about setting up a tethered project, see Tethering projects to the IBM® Software Hub control plane.
Procedure
Create the network policies by running a script with the following format. The script applies a default-deny ingress policy plus a scoped allow policy in each tethered namespace, and a matching allow policy in the control plane namespace:
#!/usr/bin/env bash
#
# -----------------------------------------------------------------------------
# Licensed Materials - Property of IBM
#
# IBM Cognos Products: ca
#
# (C) Copyright IBM Corp. 2023, 2025
#
# US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule
# -----------------------------------------------------------------------------
#
# Creates the network policies that isolate a Cognos Analytics instance in one
# or more tethered namespaces and allow only the control plane to reach it.
set -e
#set -x

function usage {
    echo "$0: usage: $0 [-h] -n instance_namespace -N operator_namespace -t comma_separated_list_tethered_namespaces"
}

function help {
    usage
    echo "-h prints help to the console"
    echo "-t tethered ns list  comma separated list of tethered namespaces with cognos analytics instance (required)"
    echo "-n operands ns       control plane namespace (required)"
    echo "-N operator ns       operator namespace (required)"
    echo ""
    exit 0
}

while getopts ":hn:t:N:" opt; do
    case ${opt} in
        h)
            help
            ;;
        n)
            PROJECT_CPD_INST_OPERANDS=$OPTARG
            ;;
        N)
            PROJECT_CPD_INST_OPERATORS=$OPTARG
            ;;
        t)
            PROJECT_TETHERED_LIST=$OPTARG
            ;;
        \?)
            usage
            exit 0
            ;;
    esac
done

# All three values are required. The variables are quoted so that an empty
# value is tested as an empty string instead of collapsing the test to "-z".
if [ -z "$PROJECT_TETHERED_LIST" ]; then
    echo "PROJECT_TETHERED_LIST must be defined"
    exit 1
fi
if [ -z "$PROJECT_CPD_INST_OPERANDS" ]; then
    echo "PROJECT_CPD_INST_OPERANDS must be defined"
    exit 1
fi
if [ -z "$PROJECT_CPD_INST_OPERATORS" ]; then
    echo "PROJECT_CPD_INST_OPERATORS must be defined"
    exit 1
fi

echo "Current list of network policies in $PROJECT_CPD_INST_OPERANDS should be greater than five"
echo "See https://www.ibm.com/docs/en/software-hub/5.1.x?topic=setup-optional-adding-network-policy"
# The line count includes the header line that oc prints above the list, so a
# count below 6 means fewer than five policies are present.
COUNT=$(oc get networkpolicy -n "$PROJECT_CPD_INST_OPERANDS" 2>/dev/null | wc -l | awk '{print $1}')
if [ "$COUNT" -lt 6 ]; then
    echo "Apply Network policies to isolate an instance of IBM Software Hub first."
    exit 1
fi

# Split the -t argument on commas and process each tethered namespace.
IFS=","
for v in $PROJECT_TETHERED_LIST
do
    PROJECT_TETHERED=$v
    if [ "$PROJECT_TETHERED" = "$PROJECT_CPD_INST_OPERANDS" ]; then
        echo "NOT NECESSARY TO ADD COGNOS NETWORK POLICY TO $PROJECT_CPD_INST_OPERANDS"
        # Skip only this entry; any remaining tethered namespaces still need policies.
        continue
    fi

    # Policy 1: in the tethered namespace, allow ingress only from the listed
    # control plane pods and ports, same-namespace pods, DNS, the OpenShift
    # ingress controller, the monitoring stack and the operators namespace.
    cat << EOF | oc apply -n "${PROJECT_TETHERED}" -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cognos-multi-port-ingress
  namespace: ${PROJECT_TETHERED}
  labels:
    component: cognos_analytics
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # Allow communication from ibm-nginx web client pods in control plane namespace to ports 3010 and 9300
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${PROJECT_CPD_INST_OPERANDS}
          podSelector:
            matchLabels:
              component: ibm-nginx
      ports:
        - port: 9300
          protocol: TCP
        - port: 3010
          protocol: TCP
    # Allow communication from ibm-cognos-addon-sp pod in the control plane namespace to ports 3010 and 9300
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${PROJECT_CPD_INST_OPERANDS}
          podSelector:
            matchLabels:
              component: ca-addon-sp
      ports:
        - port: 9300
          protocol: TCP
        - port: 3010
          protocol: TCP
    # Allow requests from pods in same namespace
    - from:
        - podSelector: {}
    # Allow from DNS
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: TCP
        - port: 53
          protocol: UDP
    # Allow from Red Hat OpenShift Container Platform Ingress Controller
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
    # Allow connections from the Red Hat OpenShift Container Platform monitoring stack
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: monitoring
    # Allow incoming communication from the operators project for the instance
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${PROJECT_CPD_INST_OPERATORS}
EOF

    # Policy 2: deny all other ingress to every pod in the tethered namespace.
    cat << EOF | oc apply -n "${PROJECT_TETHERED}" -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ${PROJECT_TETHERED}-deny-by-default
  namespace: ${PROJECT_TETHERED}
  labels:
    component: cognos_analytics
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress: []
EOF

    # Policy 3: in the control plane namespace, allow ingress from any pod in
    # the tethered namespace.
    cat << EOF | oc apply -n "${PROJECT_CPD_INST_OPERANDS}" -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cognos-allowed-from-${PROJECT_TETHERED}
  namespace: ${PROJECT_CPD_INST_OPERANDS}
  labels:
    component: cognos_analytics
spec:
  policyTypes:
    - Ingress
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ${PROJECT_TETHERED}
          podSelector: {}
EOF
done
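An added audit check, not part of the IBM procedure or its script: after the script has run, dump the policies of a tethered namespace with `oc get networkpolicy -n <tethered_ns> -o json`, parse the JSON, and pass it to this function, which confirms that a deny-by-default ingress policy selecting every pod is present and that every rule admitting traffic from the control plane namespace is pinned to named pods and to TCP ports 3010 and 9300. The namespace name cpd-instance and the sample policy list are constructed for illustration.

```python
EXPECTED_PORTS = {("TCP", 3010), ("TCP", 9300)}  # ports the page opens from the control plane

def audit_tethered_policies(policy_list, control_plane_ns):
    """Audit a NetworkPolicyList dict (the JSON printed by oc get networkpolicy -o json)
    for one tethered namespace. Returns a list of findings; an empty list means OK."""
    findings = []
    items = policy_list.get("items", [])
    # The deny-by-default policy must select every pod, cover Ingress and carry no rules.
    if not any(p["spec"].get("podSelector", {}) == {}
               and "Ingress" in p["spec"].get("policyTypes", [])
               and not p["spec"].get("ingress") for p in items):
        findings.append("no default-deny ingress policy selecting all pods")
    for p in items:
        name = p["metadata"]["name"]
        for rule in p["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:  # a rule without 'from' admits every source
                findings.append(f"{name}: rule without 'from' allows all sources")
                continue
            ports = {(pp.get("protocol", "TCP"), pp.get("port")) for pp in rule.get("ports", [])}
            for peer in peers:
                labels = peer.get("namespaceSelector", {}).get("matchLabels", {})
                if labels.get("kubernetes.io/metadata.name") != control_plane_ns:
                    continue
                # Control-plane traffic must be pinned to named pods and to the expected ports.
                if "podSelector" not in peer:
                    findings.append(f"{name}: any pod in {control_plane_ns} may connect")
                if not ports or not ports <= EXPECTED_PORTS:
                    findings.append(f"{name}: control-plane ports {sorted(ports)} exceed {sorted(EXPECTED_PORTS)}")
    return findings

def sample_policy_list(control_plane_ns, ports, pod_component="ibm-nginx"):
    """Constructed sample shaped like the two policies the script applies to a tethered namespace."""
    peer = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": control_plane_ns}}}
    if pod_component:
        peer["podSelector"] = {"matchLabels": {"component": pod_component}}
    allow = {"metadata": {"name": "cognos-multi-port-ingress"},
             "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                      "ingress": [{"from": [peer],
                                   "ports": [{"port": p, "protocol": "TCP"} for p in ports]}]}}
    deny = {"metadata": {"name": "tethered-deny-by-default"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []}}
    return {"kind": "NetworkPolicyList", "items": [allow, deny]}

if __name__ == "__main__":
    # Hypothetical control-plane namespace "cpd-instance"; a compliant namespace yields []
    print(audit_tethered_policies(sample_policy_list("cpd-instance", [3010, 9300]), "cpd-instance"))
```

To audit a live namespace, load the `oc` output with `json.load` and pass the resulting dict together with the control plane namespace name; a non-empty list means the policies have drifted from what the script applies.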