Attention: This version of Event Streams has reached End of Support. For more information about supported versions, see the support matrix.

Network policies

Network policies are used to control inbound connections into pods. These connections can be from pods within the cluster, or from external sources.

When you install an instance of Event Streams, the required network policies are created automatically. To review the network policies that have been applied:

  1. Log in to your Red Hat OpenShift Container Platform as a cluster administrator by using the oc CLI (oc login).
  2. Run the following command to display the installed network policies for a specific namespace:
     oc get netpol -n <namespace>

The following tables provide information about the network policies that are applicable to each pod within the Event Streams instance. If a particular pod is not required by a given Event Streams configuration, the associated network policy will not be applied.

Note: Where a network policy exposes a port to the Event Streams Cluster operator, it is configured to allow connections from any namespace.
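As an added illustration (hand-written here, not the policy that the Event Streams operator generates), the following NetworkPolicy shows how the Origin column of the tables below maps onto Kubernetes fields: an ingress rule without a from clause is the "Anywhere" case, a podSelector on its own restricts the origin to labelled pods in the same namespace, and pairing a podSelector with an empty namespaceSelector is what allows the Cluster operator to connect from any namespace. The policy name, namespace and pod labels (strimzi.io/name, strimzi.io/kind, app) are assumptions chosen for the example, and the 9091 rule is simplified to the operator alone.

```yaml
# Added illustration: hand-written, not generated by the Event Streams operator.
# Policy name, namespace and label values are assumptions for the example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-kafka-network-policy    # assumed name
  namespace: event-streams              # assumed namespace of the instance
spec:
  # Pods the policy protects: the Kafka broker pods of the instance.
  podSelector:
    matchLabels:
      strimzi.io/name: my-es-kafka      # assumed broker pod label
  policyTypes:
    - Ingress                           # only inbound connections are controlled
  ingress:
    # Port 9091 (broker communication), simplified to the Cluster operator only.
    # The operator may run in any namespace, so the podSelector is paired with an
    # empty namespaceSelector; an empty selector matches every namespace.
    - from:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              strimzi.io/kind: cluster-operator   # assumed operator pod label
      ports:
        - protocol: TCP
          port: 9091
    # Port 9092 (Plain listener): no "from" clause, so this is an "Anywhere" row.
    - ports:
        - protocol: TCP
          port: 9092
    # Port 9093 (TLS listener) restricted to labelled producer pods. A podSelector
    # on its own only matches pods in the policy's own namespace; this is the shape
    # a networkPolicyPeers restriction on a listener takes once applied.
    - from:
        - podSelector:
            matchLabels:
              app: my-producer          # assumed client pod label
      ports:
        - protocol: TCP
          port: 9093
```

When reviewing the policies that are actually applied, run oc get netpol -n <namespace> -o yaml and read each ingress rule the same way: a rule that lists ports but no from clause is the widest case, and a peer whose namespaceSelector is empty accepts that pod label from every namespace.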

Kafka pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | REST API, REST Producer and Schema Registry pods | 8091 | Broker communication | Always |
| TCP | Kafka, Cluster operator, Entity operator, Kafka Cruise Control and Kafka Exporter pods | 9091 | Broker communication | Always |
| TCP | Anywhere (can be restricted by including networkPolicyPeers in the listener configuration) | 9092 | Kafka access for Plain listener | If the Plain listener is enabled |
| TCP | Anywhere (can be restricted by including networkPolicyPeers in the listener configuration) | 9093 | Kafka access for TLS listener | If the TLS listener is enabled |
| TCP | Anywhere (can be restricted by including networkPolicyPeers in the listener configuration) | 9094 | Kafka access for External listener | If the External listener is enabled |
| TCP | Anywhere | 9404 | Prometheus access to Kafka metrics | If metrics are enabled |
| TCP | Anywhere | 9999 | JMX access to Kafka metrics | If JMX port is exposed |

Note: If required, access to listener ports can be restricted to only those pods with specific labels by including additional configuration in the Event Streams custom resource under spec.strimziOverrides.kafka.listeners.<listener>.networkPolicyPeers.
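The following EventStreams custom resource fragment is an added example (not taken from the product documentation) of the restriction described in the note above: the Plain listener on port 9092 accepts connections only from pods labelled app=my-producer in the instance's namespace, and the TLS listener on port 9093 only from pods labelled kafka-client=allowed in namespaces labelled kafka-clients=true. The instance name, namespace, apiVersion and all label values are assumptions; each networkPolicyPeers entry is a standard Kubernetes NetworkPolicyPeer.

```yaml
# Added example: EventStreams custom resource fragment restricting listener access.
# Instance name, namespace, apiVersion and label values are assumptions.
apiVersion: eventstreams.ibm.com/v1beta1   # assumed API version for this release
kind: EventStreams
metadata:
  name: my-es
  namespace: event-streams
spec:
  strimziOverrides:
    kafka:
      listeners:
        plain:
          # Without networkPolicyPeers, port 9092 is open to any source ("Anywhere").
          # Each entry is a Kubernetes NetworkPolicyPeer; a podSelector on its own
          # matches only pods in the instance's own namespace.
          networkPolicyPeers:
            - podSelector:
                matchLabels:
                  app: my-producer
        tls:
          # Port 9093: pods labelled kafka-client=allowed, but only when they run in
          # a namespace that carries the kafka-clients=true label.
          networkPolicyPeers:
            - podSelector:
                matchLabels:
                  kafka-client: allowed
              namespaceSelector:
                matchLabels:
                  kafka-clients: "true"
```

After applying the change with oc apply -f, confirm the effect with oc get netpol -n <namespace> -o yaml: the ingress rules for ports 9092 and 9093 should now carry the corresponding from entries instead of listing the port alone. Leaving networkPolicyPeers out of a listener keeps that port in its default "Anywhere" state.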

ZooKeeper pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | Kafka, ZooKeeper, Cluster operator, Entity operator, Kafka Cruise Control pods | 2181 | ZooKeeper client connections | Always |
| TCP | Other ZooKeeper pods | 2888 | ZooKeeper follower connection to leader | Always |
| TCP | Other ZooKeeper pods | 3888 | ZooKeeper leader election | Always |
| TCP | Anywhere | 9404 | Exported Prometheus metrics | If metrics are enabled |

Geo-replicator pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | REST API pods | 8083 | Geo-replicator API traffic | Always |
| TCP | Cluster operator and other geo-replicator pods | 8083 | Geo-replicator cluster traffic | Always |
| TCP | Anywhere | 9404 | Exported Prometheus metrics | If metrics are enabled |

Schema registry pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | Anywhere | 9443 | External access to API | Always |
| TCP | Any pod in Event Streams instance | 7443 | TLS cluster traffic | If internal TLS is enabled |
| TCP | Any pod in Event Streams instance | 7080 | Non-TLS cluster traffic | If internal TLS is disabled |

Administration UI pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | Anywhere | 3000 | External access to UI | Always |

Administration server pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | Anywhere | 9443 | External access to API | Always |
| TCP | Any pod in Event Streams instance | 7443 | TLS cluster traffic | If internal TLS is enabled |
| TCP | Any pod in Event Streams instance | 7080 | Non-TLS cluster traffic | If internal TLS is disabled |

REST producer server pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | Anywhere | 9443 | External access to API | Always |
| TCP | Any pod in Event Streams instance | 7443 | TLS cluster traffic | If internal TLS is enabled |
| TCP | Any pod in Event Streams instance | 7080 | Non-TLS cluster traffic | If internal TLS is disabled |

Metrics collector pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | Anywhere | 7888 | Exported Prometheus metrics | Always |
| TCP | Any pod in Event Streams instance | 7443 | TLS inbound metrics traffic | If internal TLS is enabled |
| TCP | Any pod in Event Streams instance | 7080 | Non-TLS inbound metrics traffic | If internal TLS is disabled |

Cluster operator pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | Anywhere | 8080 | Exported Prometheus metrics | Always |
| TCP | Anywhere | 8081 | EventStreams custom resource validator | Always |

Cruise Control pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | Cluster operator | 9090 | Access to API | Always |

Kafka Connect pod

| Type | Origin | Port | Reason | Enabled in policy |
| --- | --- | --- | --- | --- |
| TCP | Cluster operator and Kafka Connect pods | 8083 | Access to Kafka Connect REST API | Always |
| TCP | Anywhere | 9404 | Exported Prometheus metrics | If metrics are enabled |