TIBCO Control Plane Network Policies
You can use Kubernetes network policies to control incoming and outgoing traffic from pods. Network policies provide better security by limiting traffic to and from pods. When you deploy TIBCO Control Plane, by default network policies are not created.
Enabling Deployment of Network Policies
To enable deployment of network policies, set the following value when installing the platform-bootstrap chart:
--set global.tibco.createNetworkPolicy=true
Implementing Network Policies in EKS
To use network policies on AWS, it is recommended to use the Amazon VPC CNI plugin for Kubernetes. For more information about setting up the Amazon VPC CNI plugin for Kubernetes, see the Amazon EKS documentation.
Default Network Policies
This section explains the default network policies that are created for the TIBCO Control Plane namespace, and the additional policies that can be applied by adding a label to pods or namespaces.
Outgoing Traffic (Egress)
For the pods in TIBCO Control Plane, outgoing traffic to the following destinations is allowed:
- Pods within all namespaces of the same TIBCO Control Plane instance ID, on all ports.
- Pods in a namespace with the networking.platform.tibco.com/non-cp-ns: enable label.
- The kube-dns pod in the release namespace, on port 53 over TCP and UDP.
Incoming Traffic (Ingress)
For the pods in the TIBCO Control Plane namespace, the following incoming traffic is allowed:
- Incoming traffic from all pods within all namespaces of the same TIBCO Control Plane instance ID, on all ports.
- Incoming traffic from pods in a namespace with the networking.platform.tibco.com/non-cp-ns: enable label.
Supported Network Policies and Labels
The following network policies and labels are supported in TIBCO Control Plane to control ingress and egress traffic:

Network Policy | Label | Description
---|---|---
kubernetes-api | networking.platform.tibco.com/kubernetes-api: enable | Apply this label to pods in the TIBCO Control Plane namespace to allow outgoing traffic to, and incoming traffic from, the Kubernetes API server. Egress is allowed on TCP port 6443 and HTTPS (port 443); ingress is allowed on all ports. This grants network access only; it does not grant authentication to the Kubernetes API server, which is handled by Kubernetes RBAC. The IP block of the node address space must be added to allow traffic to the kube-apiserver pod, and if the pod address space differs from the node address space, it must also be passed in the chart values.
internet-all | egress.networking.platform.tibco.com/internet-all: enable | Apply this label to pods in the TIBCO Control Plane namespace to allow them to connect to the Internet on all ports. Note that this excludes connections to the node or pod address space.
internet-web | egress.networking.platform.tibco.com/internet-web: enable | Apply this label to pods in the TIBCO Control Plane namespace to allow them to connect to the Web only (HTTP port 80, HTTPS port 443).
internet-access | ingress.networking.platform.tibco.com/internet-access: enable | Apply this label to pods to receive traffic from the Internet on all ports. Note that this excludes ingress from the node or pod address space.
cluster-access | ingress.networking.platform.tibco.com/cluster-access: enable | Apply this label to pods in TIBCO Control Plane namespaces to receive traffic from the cluster CIDR (the node CIDR and the pod CIDR).
cluster-all | egress.networking.platform.tibco.com/cluster-all: enable | Apply this label to pods in the TIBCO Control Plane namespace to make outgoing calls to the cluster. Note that this includes egress to the node or pod address space.
For the policies related to the Kubernetes API, the Internet, and the cluster CIDR above, pass the following values:
- --set global.external.clusterInfo.nodeCIDR=<NodeIPCIDR>
  Here NodeIPCIDR is the IP range of the node VPC or VNet address space (CIDR notation). Example: 10.180.0.0/16
- --set global.external.clusterInfo.podCIDR=<PodIPCIDR>
  Here PodIPCIDR is the IP range of the pod CIDR (CIDR notation). Example: 192.168.0.0/16
- --set global.external.clusterInfo.serviceCIDR=<ServiceCIDR>
  Here ServiceCIDR is the IP range assigned to Kubernetes services within the cluster (CIDR notation). Example: 10.196.0.0/12. The serviceCIDR is required for the network policies to function correctly; without it, connections to the Kubernetes API server result in I/O timeouts.
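As an added illustration, not the chart's own manifest, the two NetworkPolicy objects below express what the kubernetes-api and internet-all rows describe, using the example CIDRs from this page; the namespace name tibco-cp and the policy names are assumed, and only the egress half of kubernetes-api is shown.

```yaml
# Illustrative policy (assumed, not generated by the chart): egress to the
# Kubernetes API server for pods carrying the kubernetes-api label.
# Example CIDRs from this page: nodeCIDR 10.180.0.0/16, podCIDR 192.168.0.0/16,
# serviceCIDR 10.196.0.0/12. Namespace tibco-cp is assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kubernetes-api
  namespace: tibco-cp
spec:
  podSelector:
    matchLabels:
      networking.platform.tibco.com/kubernetes-api: enable
  policyTypes: [Egress]
  egress:
  - to:
    - ipBlock:
        cidr: 10.180.0.0/16   # nodeCIDR: where kube-apiserver endpoints live
    - ipBlock:
        cidr: 10.196.0.0/12   # serviceCIDR: the kubernetes.default ClusterIP
    ports:
    - protocol: TCP
      port: 6443
    - protocol: TCP
      port: 443               # HTTPS
---
# Illustrative internet-all egress: "everything except the cluster", built
# from a 0.0.0.0/0 block with the node and pod ranges carved out.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internet-all
  namespace: tibco-cp
spec:
  podSelector:
    matchLabels:
      egress.networking.platform.tibco.com/internet-all: enable
  policyTypes: [Egress]
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.180.0.0/16       # nodeCIDR
        - 192.168.0.0/16      # podCIDR
```

The serviceCIDR entry is what lets a labelled pod reach the kubernetes.default ClusterIP instead of timing out, and the except list is what keeps internet-all from doubling as cluster-all; name resolution still relies on the default kube-dns egress rule.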
Apply the following label to namespaces outside TIBCO Control Plane that need to send traffic to, and receive traffic from, the TIBCO Control Plane namespace:
networking.platform.tibco.com/non-cp-ns: enable