Network Policies
Kubernetes network policies let you specify how pods are allowed to communicate with other pods, namespaces, and IP addresses.
Network Policies Example
The forgeops repository contains an example with six network policies for the ForgeRock Identity Platform. These network policies are in the netpolicies.yaml file, part of a Kustomize base named security.
Customize this example to meet your security needs, or use it to help you better understand how network policies can make Kubernetes deployments more secure.
Deploy the Example
The forgeops repository's skaffold.yaml file contains a Skaffold profile named security that references the Kustomize security base. To deploy the platform with the example network policies, run:
$ cd /path/to/forgeops
$ skaffold run --profile security
About the Example Network Policies
All the example policies have the value Ingress in the spec.policyTypes key:
spec:
  policyTypes:
  - Ingress
Network policies with this policy type are called ingress policies, because they limit ingress traffic in a deployment.
deny-all Policy
By default, if no network policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace.
The deny-all policy modifies the default network policy for ingress. If a pod isn't selected by another network policy in the namespace, ingress is not allowed.
For information about how Kubernetes controls pod ingress when pods are selected by multiple network policies in a namespace, see the Kubernetes documentation.
ds-idrepo-ldap Policy
The ds-idrepo-ldap policy limits access to ds-idrepo pods. Access can only be requested over port 1389, 1636, or 8080, and must come from an am, idm, or amster pod.
This part of the network policy specifies that access must be requested over port 1389, 1636, or 8080:
ingress:
- from:
  . . .
  ports:
  - protocol: TCP
    port: 1389
  - protocol: TCP
    port: 1636
  - protocol: TCP
    port: 8080
This part of the network policy specifies that access must be from an am, idm, or amster pod:
ingress:
- from:
  - podSelector:
      matchExpressions:
      - key: app
        operator: In
        values:
        - am
        - idm
        - amster
Understanding the example network policies and how to customize them requires some knowledge about labels defined in CDM deployments. For example, am pods are defined with a label, app, that has the value am. You'll find this label in the /path/to/forgeops/kustomize/base/am/kustomization.yaml file:
commonLabels:
  app.kubernetes.io/name: am
  app.kubernetes.io/instance: am
  app.kubernetes.io/component: am
  app.kubernetes.io/part-of: forgerock
  tier: middle
  app: am
ds-cts-ldap Policy
The ds-cts-ldap policy limits access to ds-cts pods. Access can only be requested over port 1389, 1636, or 8080, and must come from an am or amster pod.
ds-replication Policy
ds pods in CDM deployments are labeled with tier: ds; they're said to reside in the ds tier of the deployment.
The ds-replication policy limits access to the pods on the ds tier. This policy specifies that access to ds tier pods over port 8989 can only come from other pods in the same tier.
Note that port 8989 is the default DS replication port. This network policy ensures that only DS pods can access the replication port.
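To make the combined effect of the deny-all, ds-idrepo-ldap, and ds-replication policies concrete, here is an added Python illustration (not code from the forgeops repository) of how Kubernetes evaluates ingress for a pod selected by several policies: each policy's rules are unioned, and a selected pod with no matching rule is isolated. The pod label sets, the app label values of the ds pods, amster's missing tier label, and deny-all using an empty podSelector with no ingress rules are assumptions made for the example.

```python
# Added illustration, not forgeops code: simplified evaluator for the ingress-policy
# features this page uses (podSelector matchLabels/matchExpressions-In, from, ports).
from typing import Dict, List

# Constructed pod labels; amster's tier and the ds pods' app value are assumptions.
PODS: Dict[str, Dict[str, str]] = {
    "am": {"app": "am", "tier": "middle"},
    "idm": {"app": "idm", "tier": "middle"},
    "amster": {"app": "amster"},
    "ds-idrepo": {"app": "ds-idrepo", "tier": "ds"},
    "ds-cts": {"app": "ds-cts", "tier": "ds"},
    "login-ui": {"app": "login-ui", "tier": "ui"},
}

def selects(selector: dict, labels: Dict[str, str]) -> bool:
    """Evaluate a label selector; an empty selector {} matches every pod."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        if expr["operator"] == "In" and labels.get(expr["key"]) not in expr["values"]:
            return False
    return True

# Ingress policies reconstructed from this page's descriptions (assumption:
# deny-all selects every pod with an empty podSelector and has no ingress rules).
POLICIES: List[dict] = [
    {"name": "deny-all", "podSelector": {}, "ingress": []},
    {"name": "ds-idrepo-ldap",
     "podSelector": {"matchLabels": {"app": "ds-idrepo"}},
     "ingress": [{"from": [{"podSelector": {"matchExpressions": [
         {"key": "app", "operator": "In", "values": ["am", "idm", "amster"]}]}}],
                  "ports": [1389, 1636, 8080]}]},
    {"name": "ds-replication",
     "podSelector": {"matchLabels": {"tier": "ds"}},
     "ingress": [{"from": [{"podSelector": {"matchLabels": {"tier": "ds"}}}],
                  "ports": [8989]}]},
]

def ingress_allowed(src: str, dst: str, port: int) -> bool:
    """src -> dst:port passes if any rule of any policy selecting dst allows it
    (policies are unioned); a selected pod with no matching rule is isolated."""
    applicable = [p for p in POLICIES if selects(p["podSelector"], PODS[dst])]
    if not applicable:
        return True  # nothing selects dst: Kubernetes default allows all ingress
    for policy in applicable:
        for rule in policy["ingress"]:
            if port in rule["ports"] and any(
                    selects(peer["podSelector"], PODS[src]) for peer in rule["from"]):
                return True
    return False
```

With these three policies, am reaching ds-idrepo on 1389 and ds-cts reaching ds-idrepo on 8989 are allowed, while login-ui on 1389 or am on 8989 are denied by the deny-all isolation.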
backend-http-access Policy
The backend-http-access policy limits access to the pods in the middle tier, which contains the am, idm, and ig pods. Access can only be requested over port 8080.
front-end-http-access Policy
The front-end-http-access policy limits access to the pods in the ui tier: the login-ui, admin-ui, and end-user-ui pods. Access can only be requested over port 8080.
Note that users send HTTPS requests for the ForgeRock UIs to the ingress controller over port 443. The ingress controller terminates TLS, and then forwards requests to the UI pods over port 8080.