TIBCO Control Plane Network Policies

You can use Kubernetes network policies to control incoming and outgoing traffic for pods. Network policies improve security by limiting the traffic that can reach or leave a pod. When you deploy TIBCO Control Plane, network policies are created according to the parameters configured in the platform-bootstrap chart values file. By default, network policies are not created.

Enabling Deployment of Network Policies

To enable deployment of network policies, set the following flags in the platform-bootstrap chart values.yaml file as required:

Parameter                   Description
createNetworkPolicy         Must always be true for any policies to be created.
createClusterScopePolicy    Enables or disables the creation of cluster-scoped policies, such as cluster-egress and cluster-ingress.
createInternetScopePolicy   Enables or disables the creation of internet-scoped policies, such as internet-web-egress, internet-ingress, and internet-egress.
createDeprecatedPolicies    Enables or disables the creation of deprecated policies.

If you need to change existing network policy configuration, you can upgrade the platform-bootstrap chart with the new values.

Implementing Network Policies in EKS

To use network policies on AWS, it is recommended to use the Amazon VPC CNI plug-in for Kubernetes. For more information about setting up the Amazon VPC CNI plug-in for Kubernetes, see Amazon EKS documentation.

Implementing Network Policies in AKS

Azure provides two ways to implement network policies: Azure Network Policy Manager and Calico Network Policies. You must select a network policy option when you create an AKS cluster. For more information, refer to the Azure documentation.

Supported Network Policies and Labels

The following network policies and labels are supported in TIBCO Control Plane to control ingress and egress traffic:

Network Policy Name / Label / Description

default

  Labels:
  • platform.tibco.com/dataplane-id: ""
  • networking.platform.tibco.com/non-cp-ns: ""

  Allows:
  • Outgoing traffic to pods within all namespaces of the same TIBCO Control Plane instance ID on all ports.
  • Outgoing traffic to pods with the networking.platform.tibco.com/non-cp-ns: enable label.
  • Incoming traffic from all pods within all namespaces of the same TIBCO Control Plane instance ID on all ports.
  • Incoming traffic from pods with the networking.platform.tibco.com/non-cp-ns: enable label.

cluster-egress

  Label: networking.platform.tibco.com/cluster-egress: enable

  Apply this label to pods in a TIBCO Control Plane namespace to allow outgoing calls to the cluster. This includes egress to node or pod address spaces.

cluster-ingress

  Label: networking.platform.tibco.com/cluster-ingress: enable

  Apply this label to pods in TIBCO Control Plane namespaces to receive traffic from the cluster CIDR (the node CIDR and pod CIDR).

internet-egress

  Label: networking.platform.tibco.com/internet-egress: enable

  Apply this label to pods in a TIBCO Control Plane namespace to allow the pods to connect to the Internet on all ports.

internet-web-egress

  Label: networking.platform.tibco.com/internet-web-egress: enable

  Apply this label to pods in a TIBCO Control Plane namespace to allow the pods to connect to the Web only (HTTP port 80, HTTPS port 443).

internet-ingress

  Label: networking.platform.tibco.com/internet-ingress: enable

  Apply this label to pods to receive traffic from the Internet on all ports.

kubernetes-api

  Label: networking.platform.tibco.com/kubernetes-api: enable

  Apply this label to pods in a TIBCO Control Plane namespace to allow outgoing traffic to, and incoming traffic from, the Kubernetes API server. Egress on TCP port 6443 and HTTPS (port 443), and ingress on all ports, is supported.

Note: For the policies related to the Kubernetes API and kube-dns, if your Kubernetes API server CIDR and port differ from the defaults, declare those values in the chart values.
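The label-gated policies above follow the standard Kubernetes NetworkPolicy model: a policy selects only the pods that carry the opt-in label, and the allowed peers are expressed as ipBlock or selector rules. The manifest below is an added illustration of how an internet-web-egress style rule is commonly written; it is not a manifest generated by the platform-bootstrap chart. The namespace name and the private address ranges under except are assumed values, not taken from this document.

```yaml
# Added illustration, not chart output: an egress policy gated on the
# networking.platform.tibco.com/internet-web-egress label.
# cp-example-ns and the RFC 1918 ranges under "except" are assumed values;
# substitute your cluster's actual node and pod CIDRs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internet-web-egress-example
  namespace: cp-example-ns          # assumed Control Plane namespace
spec:
  # Only pods that opt in with the label are selected by this policy.
  podSelector:
    matchLabels:
      networking.platform.tibco.com/internet-web-egress: enable
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        # Excluding private ranges keeps "Internet" from also meaning
        # node or pod address space inside the cluster.
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
    ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
```

Two consequences are worth checking when reviewing such a policy. First, NetworkPolicy rules are additive: a pod selected by this policy can still reach anything another policy allows for it, so the separate kube-dns egress policy described later is what lets the pod resolve the names it then connects to on ports 80 and 443. Second, once a pod is selected by any egress policy, everything not explicitly allowed is denied, which is why the kube-dns policy is mandatory rather than optional.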

Configuring kubeApiServer policy

This configuration controls network access to the Kubernetes API server within your cluster. If the CIDR and port values are left empty, the policy automatically uses the cluster's default Service CIDR, Node CIDR, and Pod CIDR as the allowed source ranges, and the default ports 6443 and 443 for API server access. To restrict access further, specify custom CIDR ranges and ports that match your Kubernetes cluster configuration. If no values are provided, these defaults provide secure and functional access to the Kubernetes API server out of the box.

kubeApiServer:
  CIDR: ""
  port: ""
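The following values fragment is an added example, not the chart's shipped values.yaml, showing the policy-creation flags from the table above together with a non-default API server endpoint. Nesting the flags and kubeApiServer under global.tibco is an assumption based on the kubeDns fragment shown later in this document; 198.51.100.10/32 and 8443 are placeholder values standing in for an API server whose CIDR and port differ from the defaults.

```yaml
# Added example values fragment, not the chart's own values.yaml.
# Placement under global.tibco is assumed from the kubeDns fragment in this
# document; the CIDR and port are placeholders for a non-default API server.
global:
  tibco:
    createNetworkPolicy: true          # required for any policy to be created
    createClusterScopePolicy: true     # cluster-egress, cluster-ingress
    createInternetScopePolicy: true    # internet-egress, internet-web-egress, internet-ingress
    createDeprecatedPolicies: false    # omit the legacy *-deprecated policies
    kubeApiServer:
      CIDR: "198.51.100.10/32"         # placeholder: API server endpoint only
      port: "8443"                     # placeholder: non-default API port
```

Narrowing the CIDR to the API server endpoint, rather than leaving the default Service, Node and Pod CIDRs, reduces what a pod labelled networking.platform.tibco.com/kubernetes-api can reach on that port. Apply the change by upgrading the platform-bootstrap chart with the new values, as described earlier on this page.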

Configuring kube-dns policy

An additional network policy must be created for the pods to access the DNS server within the cluster. This policy is mandatory: if it is not created, communication between pods and services breaks. The policy is applied to all pods of a Control Plane namespace. By default, egress traffic to pods with the label k8s-app: kube-dns on port 53 over TCP and UDP is allowed.

Add the following in tp-cp-bootstrap chart values if you are using a different DNS server in the cluster.

global:
  tibco:
    createNetworkPolicy: true
    # Network policy for access to kube-dns. If no values are provided, the
    # kube-dns policy is created for a vanilla Kubernetes cluster.
    kubeDns:
      egress:
      - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
        ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53

Deprecated Network Policies

For backward compatibility, the following old network policies are still available, but they will be removed in future releases.

Deprecated Network Policy / New Network Policy / Label / Description

internet-all-deprecated (replaced by internet-egress)

  Deprecated label: egress.networking.platform.tibco.com/internet-all: enable
  New label: networking.platform.tibco.com/internet-egress: enable

  Apply this label to pods in a TIBCO Control Plane namespace to allow the pods to connect to the Internet on all ports. This excludes connecting to node or pod address space.

internet-web-deprecated (replaced by internet-web-egress)

  Deprecated label: egress.networking.platform.tibco.com/internet-web: enable
  New label: networking.platform.tibco.com/internet-web-egress: enable

  Apply this label to pods in a TIBCO Control Plane namespace to allow the pods to connect to the Web only (HTTP port 80, HTTPS port 443).

internet-access-deprecated (replaced by internet-ingress)

  Deprecated label: ingress.networking.platform.tibco.com/internet-access: enable
  New label: networking.platform.tibco.com/internet-ingress: enable

  Apply this label to pods to receive traffic from the Internet on all ports. This excludes ingress from node or pod address space.

cluster-access-deprecated (replaced by cluster-ingress)

  Deprecated label: ingress.networking.platform.tibco.com/cluster-access: enable
  New label: networking.platform.tibco.com/cluster-ingress: enable

  Apply this label to pods in TIBCO Control Plane namespaces to receive traffic from the cluster CIDR (the node CIDR and pod CIDR).