Network policies

Inbound network connections (ingress)

Network policies are used to control inbound connections into pods. These connections can be from pods within the cluster, or from external sources.

When you install an instance of Event Processing, the required network policies for Event Processing pods are automatically created unless they are disabled through a configuration option. To review the network policies that have been applied:

  1. Log in to your Kubernetes cluster as a cluster administrator by setting your kubectl context.
  2. Run the following command to display the installed network policies for a specific namespace:

    kubectl get netpol -n <namespace>
    

For the operator and operand pods of IBM Operator for Apache Flink, network policies are not deployed automatically, but can be deployed as described in Flink network policies.

The following tables provide information about the network connections of Event Processing and Flink pods.

Event Processing operator pod

Type Origin Port Reason Enabled in policy
TCP Anywhere 8443 Operator validating webhook Always

Note: To delete the network policy of the Event Processing operator:

  • On the OpenShift Container Platform: Modify the subscription that was used to install the operator and set the DEPLOY_OPERATOR_NETWORK_POLICY environment variable to false. Do this after the initial installation of the operator.
  • On other Kubernetes platforms: Install the Helm chart by specifying --set deployOperatorNetworkPolicy=false.
Type Origin Port Reason
TCP Anywhere 9443 Operator validating webhook

Note: The network policies for Flink pods are not deployed automatically. They can be manually deployed.

Event Processing pod

Type Origin Port Reason Enabled in policy
TCP Anywhere 8443 External access to UI Always
TCP Any pod in Event Processing instance 7000 Kafka administration Always
TCP Any pod in Event Processing instance 3000 UI frontend Always
TCP Any pod in Event Processing instance 8888 UI backend Always

Note: To disable the automatic deployment of the instance’s network policy, set the spec.deployNetworkPolicies option for the instance to false.

Type Origin Port Reason
TCP Anywhere 8081 REST API inside the Kubernetes cluster
TCP Flink pods 6123 RPC inside the Flink cluster
TCP Flink pods 6124 Blob server inside the Flink cluster

Note: The network policies for Flink pods are not deployed automatically. They can be manually deployed.

Considerations for ingress

Consider the use of a deny-all-ingress network policy to limit communication with all pods in a namespace to only those communications specifically allowed in network policies. A deny-all network policy is not created by default as it would interfere with other applications installed in the namespace that do not have the required network policies set to allow inbound communications.

To create a deny-all-ingress network policy you can simply apply the following yaml to your cluster in the relevant namespace(s).

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Note: When deploying the deny-all-ingress network policy, ensure the network policies for Flink and Event Processing are deployed. The network policies for Event Processing pods are automatically deployed by default. The network policies for Flink are not automatically deployed and can be deployed as described in Flink network policies.

Outbound network connections (egress)

The following tables provide information about the outbound network connections (egress) initiated by pods in an Event Processing installation.

Note: Egress policies are not added by default. You must configure the egress policies based on your requirements.

Event Processing pod

Type Destination Port Reason
TCP Flink User Supplied Submission of Flink jobs
TCP Kafka User Supplied Display topics and define connection details
Type Destination Port Reason
TCP Flink pods 6123 RPC inside the Flink cluster
TCP Flink pods 6124 Blob server inside the Flink cluster

Network policies are not deployed automatically when installing IBM Operator for Apache Flink. For increased security, you can deploy the deny-all-ingress policy as shown in Considerations for ingress. In this case, network policies for Flink pods need to be deployed following these steps:

  1. Log in to your Kubernetes cluster as a cluster administrator by setting your kubectl context.
  2. Add the following network policy to the namespace where the IBM Operator for Apache Flink is installed.
   kind: NetworkPolicy
   apiVersion: networking.k8s.io/v1
   metadata:
     name: ibm-eventautomation-flink-operator
   spec:
     podSelector:
       matchLabels:
         app.kubernetes.io/instance: ibm-eventautomation-flink-operator
         app.kubernetes.io/name: flink-kubernetes-operator
         name: ibm-eventautomation-flink-operator
     ingress:
       - ports:
           - protocol: TCP
             port: 9443
           - protocol: TCP
             port: 443
     policyTypes:
       - Ingress
  1. Set the following environment variable to store the namespace of your Flink instance. If you are deploying the network policies before installing your Flink instance, ensure the namespace is already created.

    export FLINK_NAMESPACE=<your-namespace>
    
  2. Run the following command to deploy the network policies for Flink:

    kubectl apply -n ${FLINK_NAMESPACE} -f - << EOF
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: ibm-eventautomation-flink-jobmanager
    spec:
      podSelector:
        matchLabels:
          app.kubernetes.io/instance: ibm-eventautomation-flink
          app.kubernetes.io/managed-by: ibm-eventautomation-flink-operator
          app.kubernetes.io/name: ibm-eventautomation-flink
          component: jobmanager
      ingress:
        - from:
      # Uncomment if the IBM Operator for Apache Flink is in another namespace
      #           - namespaceSelector:
      #               matchLabels:
      #                 kubernetes.io/metadata.name: 
            - podSelector:
                matchLabels:
                  app.kubernetes.io/instance: ibm-eventautomation-flink
                  app.kubernetes.io/managed-by: ibm-eventautomation-flink-operator
                  app.kubernetes.io/name: ibm-eventautomation-flink
                  component: jobmanager
            - podSelector:
                matchLabels:
                  app.kubernetes.io/instance: ibm-eventautomation-flink
                  app.kubernetes.io/managed-by: ibm-eventautomation-flink-operator
                  app.kubernetes.io/name: ibm-eventautomation-flink
                  component: taskmanager
            - podSelector:
                matchLabels:
                  app.kubernetes.io/instance: ibm-eventautomation-flink-operator
                  app.kubernetes.io/name: flink-kubernetes-operator
                  name: ibm-eventautomation-flink-operator
          ports:
            - protocol: TCP
              port: 8081
      policyTypes:
        - Ingress
    ---
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: ibm-eventautomation-flink-jobmanager-rpc-blob
    spec:
      podSelector:
        matchLabels:
          app.kubernetes.io/instance: ibm-eventautomation-flink
          app.kubernetes.io/managed-by: ibm-eventautomation-flink-operator
          app.kubernetes.io/name: ibm-eventautomation-flink
      ingress:
        - from:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/instance: ibm-eventautomation-flink
                  app.kubernetes.io/managed-by: ibm-eventautomation-flink-operator
                  app.kubernetes.io/name: ibm-eventautomation-flink
          ports:
            - protocol: TCP
              port: 6123
            - protocol: TCP
              port: 6124
      policyTypes:
        - Ingress
    ---
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: ibm-eventautomation-flink-jobmanager-stream-authoring
    spec:
      podSelector:
        matchLabels:
          app.kubernetes.io/instance: ibm-eventautomation-flink
          app.kubernetes.io/managed-by: ibm-eventautomation-flink-operator
          app.kubernetes.io/name: ibm-eventautomation-flink
          component: jobmanager
      ingress:
        - from:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/component: ibm-ep
                  app.kubernetes.io/managed-by: ibm-ep-operator
          ports:
            - protocol: TCP
              port: 8081
      policyTypes:
        - Ingress
    ---
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: ibm-eventautomation-flink-taskmanager
    spec:
      podSelector:
        matchLabels:
          app.kubernetes.io/instance: ibm-eventautomation-flink
          app.kubernetes.io/managed-by: ibm-eventautomation-flink-operator
          app.kubernetes.io/name: ibm-eventautomation-flink
          component: taskmanager
      ingress:
        - from:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/instance: ibm-eventautomation-flink
                  app.kubernetes.io/managed-by: ibm-eventautomation-flink-operator
                  app.kubernetes.io/name: ibm-eventautomation-flink
          ports:
            - protocol: TCP
              port: 8081
      policyTypes:
        - Ingress
    EOF
    

    Note: The ports that are used in the previous YAML are the default ones. If you customize Flink ports in the FlinkDeployment custom resource, ensure the ports used in the network policies match the custom ports.

If you configure Flink to export the Flink Metrics, the port configured for emitting metrics needs to be opened by following these steps:

  1. Log in to your Kubernetes cluster as a cluster administrator by setting your kubectl context.
  2. Set the following environment variable to hold the namespace of the Flink instance. If deploying the network policies before installing the Flink instance, ensure the namespace is already created.

     export FLINK_NAMESPACE=<your-namespace>
    
  3. Set the following environment variable to hold the port you configured for emitting metrics.

    export METRICS_PORT_NUMBER=<your-port>
    
  4. Run the following command to deploy the network policy for metrics exporter:

    kubectl apply -n ${FLINK_NAMESPACE} -f - << EOF
    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: ibm-eventautomation-flink-jobmanager-monitoring
    spec:
      podSelector:
        matchLabels:
          app.kubernetes.io/instance: ibm-eventautomation-flink
          app.kubernetes.io/managed-by: ibm-eventautomation-flink-operator
          app.kubernetes.io/name: ibm-eventautomation-flink
          component: jobmanager
      ingress:
        - ports:
            - protocol: TCP
              port: ${METRICS_PORT_NUMBER}
      policyTypes:
        - Ingress
    EOF