Inbound network connections (ingress)
Network policies are used to control inbound connections into pods. These connections can be from pods within the cluster, or from external sources.
When you install an instance of the Event Manager, the required network policies will be automatically created unless they are disabled through configuration options. To review the network policies that have been applied:
- Log in to your Kubernetes cluster as a cluster administrator by setting your `kubectl` context.
- Run the following command to display the installed network policies for a specific namespace:

  ```shell
  kubectl get netpol -n <namespace>
  ```
The following tables provide information about the network policies that are applicable to each pod within the Event Manager instance. Information about how to stop deployment of the network policies is included in the notes after each table.
Note: Not all networking solutions support network policies. Creating NetworkPolicy resources on clusters with solutions that do not support policies has no effect on restricting traffic.
Event Endpoint Management operator pod
Type | Origin | Port | Reason | Enabled in policy |
---|---|---|---|---|
TCP | Anywhere | 8443 | Operator validating webhook | Always |
Note: By default a network policy is created that restricts traffic to port 8443, but does not restrict where that traffic originates from. For increased security, you can disable this auto-generated network policy and create a more secure network policy that restricts ingress traffic to the operator pod’s port to be only from the Kubernetes API server.
To delete the network policy of the Event Endpoint Management operator:
- On Kubernetes platforms other than OpenShift: install the Helm chart by specifying `--set deployOperatorNetworkPolicy=false`.
- On OpenShift Container Platform: modify the subscription that was used to install the operator and set the `DEPLOY_OPERATOR_NETWORK_POLICY` environment variable to `false`. Do this after the initial installation of the operator.

By using the OpenShift console:
- Log in to the OpenShift Container Platform web console using your login credentials.
- Expand Home in the navigation menu and click Search.
- From the Project list, select the namespace where you installed the operator.
- From the Resources list, select Subscription.
- From the results, select your Event Endpoint Management subscription by clicking its name.
- Click the YAML tab.
- Scroll to the `spec` section of the YAML file, and add the `DEPLOY_OPERATOR_NETWORK_POLICY` environment variable as follows:

  ```yaml
  spec:
    config:
      env:
        - name: DEPLOY_OPERATOR_NETWORK_POLICY
          value: 'false'
  ```
- Click Save.
By using the command line:
- Find the name of your subscription by running the following command. Replace `<OPERATOR_NAMESPACE>` with the namespace where you installed the operator.

  ```shell
  kubectl get subscription -n <OPERATOR_NAMESPACE>
  ```
- Edit your subscription by using the `kubectl edit subscription <SUBSCRIPTION_NAME> -n <OPERATOR_NAMESPACE>` command, and update the `spec` section to include the `DEPLOY_OPERATOR_NETWORK_POLICY` environment variable.

  ```yaml
  apiVersion: operators.coreos.com/v1alpha1
  kind: Subscription
  metadata:
    name: eem
    namespace: my-eem-ns
  spec:
    channel: v11.4
    installPlanApproval: Automatic
    name: ibm-eventendpointmanagement
    source: eem-operator-catalog
    sourceNamespace: openshift-marketplace
    config:
      env:
        - name: DEPLOY_OPERATOR_NETWORK_POLICY
          value: 'false'
  ```
Note: On OpenShift Container Platform, if the cluster uses OpenShift software-defined networking (SDN) in its default network isolation mode, or OVN-Kubernetes as the Cluster Network Interface (CNI) plugin, you can create a more secure network policy that restricts ingress communication to traffic from the host-network pods by using a namespace matchLabel set to `policy-group.network.openshift.io/host-network: ''`.
The following is an example network policy that provides this increased security:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-apiserver-eem-webhook
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: ibm-eem-operator
      app.kubernetes.io/name: ibm-event-endpoint-management
  ingress:
    - ports:
        - protocol: TCP
          port: 8443
      from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/host-network: ''
  policyTypes:
    - Ingress
```
If you are using a different CNI plugin that supports network policies, it might be possible to create a network policy that permits traffic from the Kubernetes API server by allowing access to one or more Classless Inter-Domain Routing (CIDR) blocks. For example, if you are using Calico, you can specify CIDR blocks for the IPv4 addresses of the master nodes (`ipv4IPIPTunnelAddr`). You can view CIDR blocks by running `kubectl cluster-info dump` and inspecting its output.
The following is an example network policy that allows access to a CIDR block:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-apiserver-eem-webhook
spec:
  ingress:
    - from:
        - ipBlock:
            cidr: 192.168.78.128/32
      ports:
        - port: 8443
          protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: ibm-eem-operator
      app.kubernetes.io/name: ibm-event-endpoint-management
  policyTypes:
    - Ingress
```
Note: On clusters where network policies are not supported, use an alternative configuration specific to your CNI plugin.
Event Manager pod
Type | Origin | Port | Reason | Enabled in policy |
---|---|---|---|---|
TCP | Anywhere | 3000 | External access to UI | Always |
TCP | Anywhere | 8081 | Readiness probe | Always |
Note: To stop the automatic deployment of the instance’s network policy, set the `spec.deployNetworkPolicies` option for the instance to `false`.
Event Gateway pod
Type | Origin | Port | Reason | Enabled in policy |
---|---|---|---|---|
TCP | Anywhere | 8092 | Kafka client communication | Always |
Note: To stop the automatic deployment of the instance’s network policy, set the `spec.deployNetworkPolicies` option for the instance to `false`.
Considerations for ingress
Consider the use of a deny-all-ingress network policy to limit communication with all pods in a namespace to only those communications specifically allowed in network policies. A deny-all network policy is not created by default as it would interfere with other applications installed in the namespace that do not have the required network policies set to allow inbound communications.
To create a deny-all-ingress network policy, apply the following YAML to your cluster in the namespaces where you installed Event Endpoint Management.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
    - Ingress
```
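To check a namespace for the two weaknesses discussed above, a webhook policy that limits the port but not the origin, and a namespace that has no default-deny-ingress policy, the following Python script is an added example written for this page; it is not part of the Event Endpoint Management product. It parses the JSON that `kubectl get netpol -n <namespace> -o json` prints. The embedded sample document and the policy name `eem-operator-webhook-default` are constructed for the example; the CIDR policy and the default-deny policy in it are the ones shown on this page.

```python
import json
import sys

# Constructed sample of `kubectl get netpol -n my-eem-ns -o json`: the
# auto-generated operator policy (port restricted, origin not), the
# CIDR-restricted policy from the page, and the default-deny-ingress policy.
SAMPLE_NETPOL_JSON = """{"apiVersion": "v1", "kind": "List", "items": [
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "eem-operator-webhook-default", "namespace": "my-eem-ns"},
  "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/instance": "ibm-eem-operator"}},
           "ingress": [{"ports": [{"protocol": "TCP", "port": 8443}]}],
           "policyTypes": ["Ingress"]}},
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "allow-apiserver-eem-webhook", "namespace": "my-eem-ns"},
  "spec": {"podSelector": {"matchLabels": {"app.kubernetes.io/instance": "ibm-eem-operator"}},
           "ingress": [{"from": [{"ipBlock": {"cidr": "192.168.78.128/32"}}],
                        "ports": [{"protocol": "TCP", "port": 8443}]}],
           "policyTypes": ["Ingress"]}},
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "default-deny-ingress", "namespace": "my-eem-ns"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
]}"""


def selector_text(selector):
    """Render a label selector; an empty selector matches everything."""
    labels = selector.get("matchLabels") or {}
    if labels:
        return ",".join(f"{k}={v}" for k, v in sorted(labels.items()))
    return "matchExpressions" if selector.get("matchExpressions") else "any"


def rule_origin(rule):
    """Where an ingress rule admits traffic from; no `from` means anywhere."""
    peers = rule.get("from")
    if not peers:
        return "Anywhere"
    parts = []
    for peer in peers:
        if "ipBlock" in peer:
            parts.append("ipBlock " + peer["ipBlock"]["cidr"])
            continue
        scopes = []
        if "namespaceSelector" in peer:
            scopes.append("namespace " + selector_text(peer["namespaceSelector"]))
        if "podSelector" in peer:
            scopes.append("pod " + selector_text(peer["podSelector"]))
        parts.append(" and ".join(scopes))
    return "; ".join(parts)


def rule_ports(rule):
    """Ports an ingress rule opens; no `ports` means every port."""
    ports = rule.get("ports")
    if not ports:
        return "all ports"
    return ", ".join(f"{p.get('protocol', 'TCP')}/{p.get('port', 'any')}" for p in ports)


def is_default_deny_ingress(spec):
    """Empty podSelector, Ingress in policyTypes and no ingress rules: deny all ingress."""
    return (spec.get("podSelector", {}) == {}
            and "Ingress" in spec.get("policyTypes", [])
            and not spec.get("ingress"))


def audit(netpol_list_json):
    """Return (findings, has_default_deny). Each finding describes one ingress
    rule; `open_origin` is True when the rule limits ports but not the source."""
    doc = json.loads(netpol_list_json)
    findings, has_default_deny = [], False
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        if is_default_deny_ingress(spec):
            has_default_deny = True
            continue
        # policyTypes absent means the policy applies to ingress by default
        if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
            continue
        for index, rule in enumerate(spec.get("ingress", [])):
            origin = rule_origin(rule)
            findings.append({"policy": item["metadata"]["name"], "rule": index,
                             "ports": rule_ports(rule), "origin": origin,
                             "open_origin": origin == "Anywhere"})
    return findings, has_default_deny


if __name__ == "__main__":
    # Pipe real output in, or run with no input to audit the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETPOL_JSON
    findings, has_default_deny = audit(raw)
    for f in findings:
        flag = "OPEN ORIGIN" if f["open_origin"] else "ok"
        print(f"{flag:12} {f['policy']} rule {f['rule']}: {f['ports']} from {f['origin']}")
    print("default-deny-ingress present:", has_default_deny)
```

Run it as `kubectl get netpol -n my-eem-ns -o json | python3 audit_netpol.py`. A rule reported as OPEN ORIGIN is the situation the note above describes: the port is limited but any source can reach it, so replace the auto-generated policy with one that carries a `from` clause. A missing default-deny-ingress policy means pods that no policy selects accept traffic from anywhere.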
Outbound network connections (egress)
The following tables provide information about the outbound network connections (egress) initiated by pods in an Event Endpoint Management installation.
Note: Egress policies are not added by default. You must configure the egress policies based on your requirements.
Event Endpoint Management operator pod
Type | Destination | Pod Label | Port | Reason |
---|---|---|---|---|
TCP | Event Manager instance | eem.ei.ibm.com/component= | 8081 | Readiness check |
Event Manager pod
Type | Destination | Pod Label | Port | Reason |
---|---|---|---|---|
TCP | Licensing Service | User Supplied | Licensing metrics in usage-based licensing mode |
Event Gateway pod
Type | Destination | Pod Label | Port | Reason |
---|---|---|---|---|
TCP | Event Endpoint Management | eem.ei.ibm.com/component= | 3000 | Registering with Event Endpoint Management |
TCP | Kafka | User Supplied | Configuring gateway for Kafka |
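The egress tables list what each pod must be allowed to reach, but no egress policies are created for you. As an added example that is not part of the product, the following Python script builds a default-deny-egress policy and an allow-list policy for the Event Gateway pod from the table entries above, and prints them as JSON for `kubectl apply -f -`. The label values `<GATEWAY_COMPONENT_LABEL>` and `<EVENT_MANAGER_COMPONENT_LABEL>`, the Kafka CIDR `<KAFKA_BROKER_CIDR>` and port 9092 are placeholders, because the page gives only the label key `eem.ei.ibm.com/component` and marks the Kafka destination as user supplied. The script also allows DNS on port 53 to any destination, because a deny-all egress policy otherwise stops the pod from resolving service names.

```python
import json


def default_deny_egress(namespace):
    """Policy that blocks all outbound traffic from every pod in the namespace."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-egress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
    }


def egress_rule(destination, protocol, port):
    """One egress rule. `destination` is a dict of pod labels (a pod in the
    same namespace) or a CIDR string (an endpoint outside the cluster)."""
    if isinstance(destination, str):
        to = [{"ipBlock": {"cidr": destination}}]
    else:
        to = [{"podSelector": {"matchLabels": destination}}]
    return {"to": to, "ports": [{"protocol": protocol, "port": port}]}


def build_egress_policy(name, namespace, pod_labels, connections, allow_dns=True):
    """Allow only `connections` (a list of (destination, protocol, port)) from
    pods matching `pod_labels`. With allow_dns, port 53 is open to any
    destination so that service-name resolution keeps working under deny-all."""
    rules = [egress_rule(dst, proto, port) for dst, proto, port in connections]
    if allow_dns:
        rules.append({"ports": [{"protocol": "UDP", "port": 53},
                                {"protocol": "TCP", "port": 53}]})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": pod_labels},
            "policyTypes": ["Egress"],
            "egress": rules,
        },
    }


def render(policies):
    """Wrap several policies in a List so one `kubectl apply -f -` installs all."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": policies}, indent=2)


# Constructed example for the Event Gateway pod. Label values, the Kafka CIDR
# and the Kafka port are placeholders: the page gives only the label key
# eem.ei.ibm.com/component, and the Kafka destination is user supplied.
GATEWAY_LABELS = {"eem.ei.ibm.com/component": "<GATEWAY_COMPONENT_LABEL>"}
GATEWAY_CONNECTIONS = [
    # Registering with Event Endpoint Management (egress table: TCP 3000)
    ({"eem.ei.ibm.com/component": "<EVENT_MANAGER_COMPONENT_LABEL>"}, "TCP", 3000),
    # Configuring gateway for Kafka (egress table: user-supplied destination/port)
    ("<KAFKA_BROKER_CIDR>", "TCP", 9092),
]

if __name__ == "__main__":
    namespace = "my-eem-ns"  # the namespace used in the subscription example above
    print(render([
        default_deny_egress(namespace),
        build_egress_policy("eem-gateway-egress", namespace,
                            GATEWAY_LABELS, GATEWAY_CONNECTIONS),
    ]))
```

Replace the placeholders with the labels and addresses of your deployment, then run `python3 eem_egress.py | kubectl apply -f -`. Apply the allow-list policy before, or together with, the deny-all policy so that the gateway's registration and Kafka connections are never blocked during the change; the same functions produce the operator and Event Manager policies from the other two tables.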