Network policies

Inbound network connections (ingress)

Network policies control which inbound connections pods accept. Those connections can originate from pods within the cluster or from sources outside it. Network policies are enforced by the cluster's network plugin (CNI); on a cluster whose plugin does not implement them, the policy objects are accepted by the API server but have no effect.

When you install an instance of Event Endpoint Management, the required network policies will be automatically created unless they are disabled through configuration options. To review the network policies that have been applied:

  1. Log in to your Kubernetes cluster as a cluster administrator by setting your kubectl context.
  2. Run the following command to display the installed network policies for a specific namespace:

    kubectl get netpol -n <namespace>


The following tables provide information about the network policies that are applicable to each pod within the Event Endpoint Management instance. For information about how to stop deployment of the network policies, see the note after each table.

Event Endpoint Management operator pod

| Type | Origin   | Port | Reason                      | Enabled in policy |
|------|----------|------|-----------------------------|-------------------|
| TCP  | Anywhere | 8443 | Operator validating webhook | Always            |

Note: To delete the network policy of the Event Endpoint Management operator:

  • On the OpenShift Container Platform: modify the subscription that was used to install the operator and set the DEPLOY_OPERATOR_NETWORK_POLICY environment variable to false. Do this after the initial installation of the operator, not as part of it.
  • On other Kubernetes platforms: install the Helm chart by specifying --set deployOperatorNetworkPolicy=false.

Event Endpoint Management pod

| Type | Origin   | Port | Reason                | Enabled in policy |
|------|----------|------|-----------------------|-------------------|
| TCP  | Anywhere | 3000 | External access to UI | Always            |
| TCP  | Anywhere | 8081 | Readiness probe       | Always            |

Note: To stop the automatic deployment of the instance’s network policy, set the spec.deployNetworkPolicies option for the instance to false.

Event Gateway pod

| Type | Origin   | Port | Reason                     | Enabled in policy |
|------|----------|------|----------------------------|-------------------|
| TCP  | Anywhere | 8092 | Kafka client communication | Always            |

Note: To stop the automatic deployment of the instance’s network policy, set the spec.deployNetworkPolicies option for the instance to false.

Considerations for ingress

Consider adding a deny-all-ingress network policy so that pods in the namespace accept only the inbound connections that some network policy explicitly allows. Network policies are additive: the deny-all policy does not override the allow rules listed above, it only closes the ports that no policy opens. A deny-all policy is not created by default because it would also apply to other applications installed in the same namespace, which would lose inbound connectivity unless they have their own network policies allowing it.

To create a deny-all-ingress network policy, apply the following YAML in each namespace where you installed Event Endpoint Management. Network policies are namespaced and the manifest below carries no namespace field, so select the target namespace when you apply it (for example, with the -n option of kubectl apply).

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
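The review procedure above lists the policies, but it does not tell you whether the ports in the tables are actually opened or whether a deny-all-ingress policy is in place. The following script is an added example, not part of the product or its documentation. It reads the JSON that `kubectl get netpol -n <namespace> -o json` prints, summarises each policy's ingress rules, checks that every expected port (8443, 3000, 8081, 8092) is opened by some policy, flags any policy that allows all traffic from anywhere, and reports whether a default-deny-ingress policy exists. The sample policies embedded in it are constructed for the example; their label keys and values are placeholders, not the product's real labels.

```python
import json

# Ports the ingress tables on this page say must be reachable: operator
# webhook, UI, readiness probe, gateway Kafka client port.
EXPECTED_INGRESS_PORTS = {8443, 3000, 8081, 8092}


def sample_policy(name, match_labels, ports):
    """Construct one NetworkPolicy item in the shape kubectl prints.

    Labels are placeholders for this example (assumed, not the product's).
    Each port is opened from anywhere (a rule with no `from`), which is
    what the page's ingress tables describe.
    """
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name},
        "spec": {
            "podSelector": {"matchLabels": match_labels},
            "policyTypes": ["Ingress"],
            "ingress": [{"ports": [{"protocol": "TCP", "port": p} for p in ports]}],
        },
    }


# Constructed stand-in for `kubectl get netpol -n <namespace> -o json`.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        sample_policy("eem-operator", {"app": "eem-operator"}, [8443]),
        sample_policy("eem-instance", {"app": "eem"}, [3000, 8081]),
        sample_policy("eem-gateway", {"app": "eem-gateway"}, [8092]),
    ],
})

# The deny-all manifest from this page, as kubectl would print it.
DEFAULT_DENY_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def load_policies(raw):
    """Accept either a List object or a single NetworkPolicy document."""
    doc = json.loads(raw)
    return doc["items"] if doc.get("kind") == "List" else [doc]


def is_default_deny_ingress(pol):
    spec = pol["spec"]
    # An empty podSelector selects every pod in the namespace; declaring the
    # Ingress type with no ingress rules denies all inbound traffic to them.
    return (spec.get("podSelector", {}) == {}
            and "Ingress" in spec.get("policyTypes", [])
            and not spec.get("ingress"))


def ingress_summary(pol):
    """Return (ports opened, allow-all flag) for one policy's ingress rules."""
    ports, allow_all = set(), False
    for rule in pol["spec"].get("ingress") or []:
        if not rule.get("ports"):
            # No `ports` opens every port for the peers in `from`; with no
            # `from` either, the rule admits all traffic from anywhere.
            allow_all = allow_all or not rule.get("from")
            continue
        for p in rule["ports"]:
            if "port" in p:  # an entry without `port` means all ports
                ports.add(p["port"])
    return ports, allow_all


def audit(policies):
    opened, allow_all = set(), []
    for pol in policies:
        ports, wide = ingress_summary(pol)
        opened |= ports
        if wide:
            allow_all.append(pol["metadata"]["name"])
    return {
        "missing_ports": EXPECTED_INGRESS_PORTS - opened,
        "default_deny_ingress": any(is_default_deny_ingress(p) for p in policies),
        "allow_all_policies": allow_all,
    }


if __name__ == "__main__":
    # Against a live cluster, replace SAMPLE_JSON with sys.stdin.read():
    #   kubectl get netpol -n <namespace> -o json | python3 audit_netpol.py
    findings = audit(load_policies(SAMPLE_JSON))
    print(json.dumps({k: sorted(v) if isinstance(v, set) else v
                      for k, v in findings.items()}, indent=2))
```

On the constructed sample the script reports no missing ports, no allow-all policies, and `default_deny_ingress` false, which is the state of a namespace where the product's policies were installed but the deny-all policy from this section has not yet been applied.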

Outbound network connections (egress)

The following tables provide information about the outbound network connections (egress) initiated by pods in an Event Endpoint Management installation.

Note: Egress policies are not added by default. If you want to restrict outbound traffic, you must write egress policies yourself, based on the connections in the following tables and on your own requirements. Declaring the Egress policy type for a pod denies every outbound connection that the policy does not list, so remember to allow cluster DNS as well.

Event Endpoint Management operator pod

| Type | Destination                        | Pod Label                 | Port | Reason          |
|------|------------------------------------|---------------------------|------|-----------------|
| TCP  | Event Endpoint Management instance | eem.ei.ibm.com/component= | 8081 | Readiness check |

Event Endpoint Management pod

| Type | Destination       | Pod Label | Port          | Reason                                           |
|------|-------------------|-----------|---------------|--------------------------------------------------|
| TCP  | Licensing Service |           | User supplied | Licensing metrics in usage-based licensing mode  |

Event Gateway pod

| Type | Destination               | Pod Label                 | Port          | Reason                                      |
|------|---------------------------|---------------------------|---------------|---------------------------------------------|
| TCP  | Event Endpoint Management | eem.ei.ibm.com/component= | 3000          | Registering with Event Endpoint Management  |
| TCP  | Kafka                     |                           | User supplied | Configuring gateway for Kafka               |
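The egress tables give the destinations and ports but leave writing the policy to you. The following script is an added example, not part of the product or its documentation: it turns rows like the Event Gateway ones above into an egress NetworkPolicy manifest that `kubectl apply -f -` accepts (kubectl reads JSON as well as YAML). It handles the two peer kinds you will meet here, a pod inside the cluster (selected by label) and an address outside it (an `ipBlock`, which is how a Kafka cluster that does not run in Kubernetes has to be expressed), and always allows cluster DNS because an Egress-type policy denies everything it does not list. The label values, namespace, Kafka CIDR and port are placeholders assumed by this example; the product's real label values are not given on this page.

```python
import json


def egress_policy(name, namespace, pod_selector, destinations, allow_dns=True):
    """Build a NetworkPolicy allowing only the listed egress destinations.

    destinations: dicts with "port", optional "protocol" (TCP default) and
    exactly one peer description:
      {"pod": {labels}}                       -> pod in the same namespace
      {"pod": {labels}, "namespace": {labels}} -> pod in another namespace
      {"cidr": "10.20.0.0/16"}               -> address outside the cluster
    """
    rules = []
    for d in destinations:
        if "cidr" in d:
            peer = {"ipBlock": {"cidr": d["cidr"]}}
        else:
            peer = {"podSelector": {"matchLabels": d["pod"]}}
            if "namespace" in d:
                peer["namespaceSelector"] = {"matchLabels": d["namespace"]}
        rules.append({
            "to": [peer],
            "ports": [{"protocol": d.get("protocol", "TCP"), "port": d["port"]}],
        })
    if allow_dns:
        # CoreDNS/kube-dns runs in kube-system; match the namespace through
        # the kubernetes.io/metadata.name label that Kubernetes sets on every
        # namespace rather than hard-coding a DNS pod label.
        rules.append({
            "to": [{"namespaceSelector": {"matchLabels": {
                "kubernetes.io/metadata.name": "kube-system"}}}],
            "ports": [{"protocol": "UDP", "port": 53},
                      {"protocol": "TCP", "port": 53}],
        })
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": pod_selector},
            "policyTypes": ["Egress"],  # everything not in `egress` is denied
            "egress": rules,
        },
    }


# Placeholder label values (assumed for this example): the page gives the
# label key eem.ei.ibm.com/component but not the values for each pod.
GATEWAY_LABELS = {"eem.ei.ibm.com/component": "<gateway-label-value>"}
EEM_LABELS = {"eem.ei.ibm.com/component": "<eem-label-value>"}


def gateway_egress(namespace, kafka_cidr, kafka_port):
    """Egress policy for the Event Gateway rows of the table above."""
    return egress_policy("eem-gateway-egress", namespace, GATEWAY_LABELS, [
        {"pod": EEM_LABELS, "port": 3000},         # registering with EEM
        {"cidr": kafka_cidr, "port": kafka_port},  # user-supplied Kafka brokers
    ])


if __name__ == "__main__":
    # Pipe the output into `kubectl apply -f -` once the placeholders are
    # replaced with your real label values, namespace and Kafka address.
    print(json.dumps(gateway_egress("eem", "10.20.0.0/16", 9092), indent=2))
```

If your Kafka brokers run inside the cluster, pass a `{"pod": ..., "namespace": ...}` destination for them instead of a CIDR; `ipBlock` peers match only traffic that leaves the pod network unchanged, so they are the wrong tool for in-cluster services.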