TIBCO Control Plane Network Policies
Kubernetes network policies control the ingress and egress traffic of pods. Without them, every pod in a cluster can talk to every other pod, so limiting traffic to and from pods reduces how far a compromised workload can reach. When you deploy TIBCO Control Plane, network policies are created according to the parameters set in the platform-bootstrap chart values file. By default, no network policies are created. Note that a NetworkPolicy object is only enforced when the cluster's CNI plug-in implements network policies; the EKS and AKS sections below cover this.
Enabling Deployment of Network Policies
To enable deployment of network policies, update the following flags in the platform-bootstrap chart values.yaml file as required:
Parameter | Description |
---|---|
createNetworkPolicy | Must be true for any policies to be created; the other flags have no effect while it is false. |
createClusterScopePolicy | Enables or disables the creation of cluster-scoped policies, such as cluster-egress and cluster-ingress. |
createInternetScopePolicy | Enables or disables the creation of internet-scoped policies, such as internet-web-egress, internet-ingress, and internet-egress. |
createDeprecatedPolicies | Enables or disables the creation of the deprecated policies listed under Deprecated Network Policies below. |
To change an existing network policy configuration, upgrade the platform-bootstrap chart with the new values.
Implementing Network Policies in EKS
To use network policies on AWS, it is recommended to use the Amazon VPC CNI plug-in for Kubernetes. The VPC CNI does not enforce network policies unless its network policy feature is enabled on the add-on, so confirm that it is on before relying on these policies. For more information about setting up the Amazon VPC CNI plug-in for Kubernetes, see the Amazon EKS documentation.
Implementing Network Policies in AKS
Azure provides two ways to implement network policies: Azure Network Policy Manager and Calico Network Policies. You must select a network policy option when you create the AKS cluster; on a cluster created without one, NetworkPolicy objects are accepted by the API server but not enforced. For more information, refer to the Azure documentation.
Supported Network Policies and Labels
The following network policies and labels are supported in TIBCO Control Plane to control ingress and egress traffic. Each policy selects only the pods that carry its label:
Network Policy Name | Label | Description |
---|---|---|
cluster-egress | | Apply this label to pods in the TIBCO Control Plane namespace to allow outgoing calls within the cluster, including egress to the node and pod address spaces. |
cluster-ingress | | Apply this label to pods in TIBCO Control Plane namespaces to receive traffic from the cluster CIDR (the node CIDR and the pod CIDR). |
internet-egress | | Apply this label to pods in the TIBCO Control Plane namespace to allow the pods to connect to the Internet on all ports. |
internet-web-egress | | Apply this label to pods in the TIBCO Control Plane namespace to allow the pods to connect to the Web only (HTTP port 80, HTTPS port 443). |
internet-ingress | | Apply this label to pods to receive traffic from the Internet on all ports. |
 | | Apply this label to pods in the TIBCO Control Plane namespace to allow outgoing traffic to, and incoming traffic from, the Kubernetes API server. Egress is allowed on TCP port 6443 and HTTPS (443); ingress from the API server is allowed on all ports. |
Configuring kubeApiServer policy
This configuration controls network access to the Kubernetes API server within your cluster. If the CIDR and port values are left empty, the policy uses the cluster's default Service CIDR, Node CIDR, and Pod CIDR as the allowed destination ranges, and ports 6443 and 443 for API server access. That default is deliberately broad: it admits traffic to every address in those three ranges on those ports, not just the API server. Where the API server endpoint is known (for example the ClusterIP of the kubernetes service, or the control plane endpoint range on a managed cluster), set CIDR to that endpoint and port to the port it actually serves, so that the policy is functional out of the box but no wider than needed. Both values are strings:

```yaml
kubeApiServer:
  CIDR: ""
  port: ""
```
Configuring kube-dns policy
An additional network policy is needed for the pods to reach the DNS server within the cluster. This policy is mandatory: without it, name resolution fails and communication between pods and services breaks. It is applied to all pods of a Control Plane namespace. By default, egress to pods labelled k8s-app=kube-dns (in any namespace) on port 53, TCP and UDP, is allowed.
Add the following to the tp-cp-bootstrap chart values if you are using a different DNS server in the cluster, adjusting the selector and ports to match it:

```yaml
global:
  tibco:
    createNetworkPolicy: true
    # kube-dns network policy: if no values are provided, the policy is
    # created for a vanilla Kubernetes cluster
    kubeDns:
      egress:
        - to:
            - namespaceSelector: {}
              podSelector:
                matchLabels:
                  k8s-app: kube-dns
          ports:
            - protocol: UDP
              port: 53
            - protocol: TCP
              port: 53
```
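Before rolling a changed kubeDns rule or a narrowed kubeApiServer setting into a chart upgrade, it helps to check offline what the resulting NetworkPolicy egress rules actually admit. The following is an added example, not code from TIBCO or the platform-bootstrap chart: a small evaluator of NetworkPolicy egress semantics (matchLabels, namespaceSelector/podSelector peers, ipBlock with except, ports, and the isolation rule that a pod selected by any Egress policy is denied everything not explicitly allowed). Only the kube-dns egress rule is copied from the values fragment above; the namespace name, pod IPs and labels, cluster CIDRs, the API server endpoint address, and the `example.com/kube-api` label standing in for the chart's real label are constructed assumptions. It goes beyond the page in also modelling ipBlock peers, which is how address-range policies such as the cluster-scoped and API server policies described earlier restrict traffic.

```python
# Added example, not TIBCO or platform-bootstrap chart code: an offline evaluator
# for NetworkPolicy egress semantics (matchLabels, namespaceSelector/podSelector
# peers, ipBlock with except, ports, and egress isolation). Only the kube-dns rule
# is copied from the values fragment on this page; the namespace name, pod IPs,
# labels, cluster CIDRs and API server endpoint are constructed test data, and
# "example.com/kube-api" is a placeholder label, not the chart's real label.
import ipaddress

CP_NS = "tibco-cp"  # constructed Control Plane namespace name

def match_labels(selector, labels):
    # matchLabels semantics: every key/value in the selector must be present on
    # the object. An empty or missing selector matches everything.
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def ip_block_allows(block, ip):
    # ipBlock peer: the address must be inside cidr and outside every 'except' range.
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(x) for x in block.get("except", []))

def peer_allows(peer, policy_ns, dst):
    # dst describes the destination: ip, namespace, namespace labels, pod labels.
    if "ipBlock" in peer:
        return ip_block_allows(peer["ipBlock"], dst["ip"])
    if "namespaceSelector" in peer:
        if not match_labels(peer["namespaceSelector"], dst["ns_labels"]):
            return False
    elif dst["namespace"] != policy_ns:
        return False  # a podSelector on its own only covers the policy's namespace
    return match_labels(peer.get("podSelector"), dst["labels"])

def port_allows(ports, proto, port):
    # No ports listed means any port and protocol; protocol defaults to TCP.
    # (Named ports and endPort ranges are not modelled.)
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)

def egress_verdict(policies, src_labels, dst, proto, port):
    # Real semantics: a pod selected by any Egress policy is isolated, and a
    # connection is allowed only if some selecting policy has a matching rule.
    selected = allowed = False
    for pol in policies:
        spec = pol["spec"]
        if "Egress" not in spec.get("policyTypes", []):
            continue
        if not match_labels(spec["podSelector"], src_labels):
            continue
        selected = True
        for rule in spec.get("egress", []):
            peers = rule.get("to", [])
            peer_ok = not peers or any(
                peer_allows(p, pol["metadata"]["namespace"], dst) for p in peers)
            if peer_ok and port_allows(rule.get("ports"), proto, port):
                allowed = True
    if not selected:
        return "unrestricted"
    return "allowed" if allowed else "denied"

# Egress rule copied from the kubeDns values fragment; it selects every pod.
KUBE_DNS_POLICY = {"metadata": {"namespace": CP_NS}, "spec": {
    "podSelector": {}, "policyTypes": ["Egress"], "egress": [{
        "to": [{"namespaceSelector": {},
                "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]}}

# Constructed ranges standing in for the cluster's Service, Node and Pod CIDRs.
CLUSTER_CIDRS = ["10.96.0.0/12", "10.0.0.0/16", "10.244.0.0/16"]
API_LABEL = {"example.com/kube-api": "true"}  # placeholder, not the chart's label

def api_server_policy(cidrs, ports):
    # Shape of an egress-to-API-server rule: ipBlock peers on the given TCP ports.
    return {"metadata": {"namespace": CP_NS}, "spec": {
        "podSelector": {"matchLabels": API_LABEL}, "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": c}} for c in cidrs],
                    "ports": [{"protocol": "TCP", "port": p} for p in ports]}]}}

DEFAULT_API = api_server_policy(CLUSTER_CIDRS, [6443, 443])  # empty CIDR/port defaults
NARROW_API = api_server_policy(["10.96.0.1/32"], [443])      # constructed API endpoint only

KUBE_DNS_POD = {"ip": "10.244.1.7", "namespace": "kube-system", "ns_labels": {},
                "labels": {"k8s-app": "kube-dns"}}
OTHER_POD = dict(KUBE_DNS_POD, ip="10.244.1.8", labels={"app": "rogue-resolver"})

def ip_dst(ip):
    return {"ip": ip, "namespace": None, "ns_labels": {}, "labels": {}}

def dns_ok(dst, proto="UDP"):
    return egress_verdict([KUBE_DNS_POLICY], {"app": "cp-web"}, dst, proto, 53)

def api_ok(policy, ip, port=6443):
    return egress_verdict([KUBE_DNS_POLICY, policy], API_LABEL, ip_dst(ip), "TCP", port)

if __name__ == "__main__":
    print("DNS to kube-dns pod:", dns_ok(KUBE_DNS_POD), "| to other pod:", dns_ok(OTHER_POD))
    print("default CIDRs, any service IP on 6443:", api_ok(DEFAULT_API, "10.100.3.4"))
    print("narrowed, same IP:", api_ok(NARROW_API, "10.100.3.4"),
          "| narrowed, endpoint on 443:", api_ok(NARROW_API, "10.96.0.1", 443))
```

Run it with python3. The DNS rule admits port 53 only to pods carrying k8s-app=kube-dns, in whichever namespace they live, because namespaceSelector {} and the podSelector are combined with AND. With the default CIDRs, the API server policy admits any address in the service range on 6443, whereas the narrowed policy admits only the endpoint on 443. Because the kube-dns policy selects every pod in the namespace, every pod there is egress-isolated by it; that is why the cluster-egress, internet-egress and API server policies must also be created for labelled pods to reach anything but DNS.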
Deprecated Network Policies
For backward compatibility, the following old network policies are still available, but they will be removed in future releases.
Deprecated Network Policy | New Network Policy | Label | Description |
---|---|---|---|
internet-all-deprecated | internet-egress | Deprecated label: / New label: | Apply this label to pods in the TIBCO Control Plane namespace to allow the pods to connect to the Internet on all ports. This excludes connecting to the node or pod address space. |
internet-web-deprecated | internet-web-egress | Deprecated label: / New label: | Apply this label to pods in the TIBCO Control Plane namespace to allow the pods to connect to the Web only (HTTP port 80, HTTPS port 443). |
internet-access-deprecated | internet-ingress | Deprecated label: / New label: | Apply this label to pods to receive traffic from the Internet on all ports. This excludes ingress from the node or pod address space. |
cluster-access-deprecated | cluster-ingress | Deprecated label: / New label: | Apply this label to pods in TIBCO Control Plane namespaces to receive traffic from the cluster CIDR (the node CIDR and the pod CIDR). |