Data Plane Network Policies
You can use Kubernetes network policies to control incoming and outgoing traffic from pods. Network policies provide better security by limiting traffic to and from pods. The network policies defined by TIBCO Control Plane are created by setting flags in the chart values, as described in the following section.
Enabling Deployment of Network Policies
To enable deployment of network policies, perform the following steps. Network policies must be created in all data plane namespaces, including primary and application namespaces.
Procedure
- Configure the dp-configure-namespace chart values.yaml file with the flags for network policies. For more information, see the table in Network Policies Configuration in Chart Values below.
- Perform one of the following steps:
  - For new data planes: When you register a data plane from the UI, the network policies are created as per the flags configured in the dp-configure-namespace chart values.yaml file.
  - For existing data planes: If you need to change the existing network policy configuration, upgrade the dp-configure-namespace chart with the new values.
After you install or upgrade the dp-configure-namespace chart, the default network policies defined in the dp-configure-namespace chart get created.
Network Policies Configuration in Chart Values
You must install or upgrade the dp-configure-namespace chart by using the required values.yaml file with the following parameters.
| Parameter | Description |
|---|---|
| networkPolicy.create | The networkPolicy.create flag must always be true for any policies to be created. |
| createClusterScopePolicy | Enables or disables the creation of cluster-scoped policies, such as cluster-egress and cluster-ingress. |
| createInternetScopePolicy | Enables or disables the creation of internet-scoped policies, such as internet-web-egress, internet-ingress, and internet-egress. |
| createDeprecatedPolicies | Enables or disables the creation of deprecated policies. |
If createInternetScopePolicy is disabled in a data plane, the Flogo provisioner cannot create application builds, because it needs internet access to download the application dependencies. As an alternative, you can create a Flogo application build outside TIBCO Platform using flogo-maven-plugin and then import the app build into your data plane. For more information, see Flogo App Builds. createInternetScopePolicy must be enabled in a data plane if you are using the TIBCO Developer Hub capability.
Implementing Network Policies in EKS
To use network policies on AWS, it is recommended to use the Amazon VPC CNI plug-in for Kubernetes. For more information on setting up the Amazon VPC CNI plug-in, refer to the Amazon EKS documentation.
Implementing Network Policies in AKS
Azure provides two ways to implement network policies: Azure Network Policy Manager and Calico Network Policies. You must select a network policy option when you create an AKS cluster. For more information, refer to the Azure documentation.
Supported Network Policies and Labels
The following network policies and labels are supported in the data plane to control the Ingress and Egress traffic:
| Network Policy Name | Label | Description |
|---|---|---|
| cluster-ingress | | Apply this label to pods in TIBCO Control Plane namespaces to receive the traffic from the cluster CIDR (the node CIDR and pod CIDR). |
| cluster-egress | | Apply this label to the pods in the TIBCO Control Plane namespace to enable outgoing calls to the cluster, which includes egress to both node and pod address spaces. |
| internet-egress | | Apply this label to pods in data plane namespaces to allow the pods to connect to the Internet on all ports. |
| internet-web-egress | | Apply this label to pods in data plane namespaces to allow the pods to connect to the Web only (HTTP port 80, HTTPS port 443). |
| internet-ingress | | Apply this label to pods to receive traffic from the Internet on all ports. |
| kubeApiServer | | Apply this label to pods in data plane namespaces to allow outgoing traffic to and incoming traffic from the Kubernetes API server. Egress on TCP ports 443 and 6443, and ingress on all ports, is allowed. This policy does not grant authentication to the Kubernetes API server; that is handled by Kubernetes RBAC. It enables only network access. |
Configuring kubeApiServer policy
This configuration controls network access to the Kubernetes API server within your cluster. If the CIDR and port values are left empty, the policy automatically uses the cluster's default Service CIDR, Node CIDR, and Pod CIDR as the allowed destination ranges, and the default ports 6443 and 443 for API server access. To restrict access further, you can specify custom CIDR ranges and ports as needed based on your Kubernetes cluster configuration. If no values are provided, these defaults provide secure and functional access to the Kubernetes API server out of the box.
```yaml
kubeApiServer:
  CIDR: ""
  port: ""
```
Configuring kube-dns policy
An additional network policy must be created for the pods to access the DNS server within the cluster. This policy is mandatory: if it is not created, communication between pods and services breaks. This policy is applied to all the pods of a data plane namespace. By default, egress traffic to pods with the label key k8s-app and value kube-dns on port 53, with protocols TCP and UDP, is allowed.
You must configure the following parameter in dp-configure-namespace chart values if you are using a different DNS server in the cluster.
```yaml
networkPolicy:
  create: true
  # Network policies to access kube-dns; if no values are provided, the kube-dns policy is created for a vanilla Kubernetes cluster
  kubeDns:
    egress:
      - to:
          - namespaceSelector: {}
            podSelector:
              matchLabels:
                k8s-app: kube-dns
        ports:
          - protocol: UDP
            port: 53
          - protocol: TCP
            port: 53
```
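The kubeApiServer and kube-dns sections above describe policies whose effect depends on how Kubernetes combines them: a pod selected by any egress policy may only send what some selecting policy allows, and because the kube-dns policy selects every pod in the namespace, it is also what switches the namespace into that allow-list mode. The following evaluator is an added example, not TIBCO's code and not part of the dp-configure-namespace chart. It models three of the policies from this page (kube-dns, kubeApiServer with its empty-CIDR defaults, and internet-web-egress) and checks a few constructed flows. The CIDRs, addresses and the dp.example/... label keys are constructed stand-ins, since the chart's real label keys are not reproduced here; excluding the cluster ranges from the internet-web-egress policy is an assumption modelled on the page's description of the internet policies.

```python
"""Egress-side evaluator for Kubernetes NetworkPolicy semantics.
Added example (not TIBCO's code): models the kube-dns, kubeApiServer and
internet-web-egress policies described on the page. CIDRs, addresses and
the dp.example/... label keys are constructed stand-ins."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Peer:  # one entry of an egress rule's "to:" list
    cidr: Optional[str] = None                               # ipBlock.cidr
    except_cidrs: List[str] = field(default_factory=list)    # ipBlock.except
    pod_labels: Optional[Dict[str, str]] = None              # podSelector.matchLabels, any namespace


@dataclass
class Rule:  # one entry of "egress:"
    peers: List[Peer]             # empty list means any destination
    ports: List[Tuple[str, int]]  # (protocol, port); empty list means any port


@dataclass
class Policy:
    name: str
    pod_selector: Dict[str, str]  # {} selects every pod in the namespace
    egress: List[Rule]


@dataclass
class Dest:  # where the packet is going; labels empty for non-pod targets
    ip: str
    labels: Dict[str, str] = field(default_factory=dict)


def selects(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


def peer_matches(peer: Peer, dest: Dest) -> bool:
    if peer.pod_labels is not None:  # podSelector peers never match non-pod targets
        return bool(dest.labels) and selects(peer.pod_labels, dest.labels)
    if peer.cidr is not None:
        addr = ip_address(dest.ip)
        if addr not in ip_network(peer.cidr):
            return False
        return not any(addr in ip_network(e) for e in peer.except_cidrs)
    return False


def rule_matches(rule: Rule, dest: Dest, proto: str, port: int) -> bool:
    peer_ok = not rule.peers or any(peer_matches(p, dest) for p in rule.peers)
    port_ok = not rule.ports or (proto, port) in rule.ports
    return peer_ok and port_ok


def egress_allowed(policies, pod_labels, dest, proto, port) -> bool:
    """Kubernetes semantics: a pod selected by at least one egress policy may only
    send what some rule of some selecting policy allows (policies are additive);
    a pod that no policy selects is unrestricted."""
    applicable = [p for p in policies if selects(p.pod_selector, pod_labels)]
    if not applicable:
        return True
    return any(rule_matches(r, dest, proto, port) for p in applicable for r in p.egress)


# Constructed service, node and pod CIDRs (the kubeApiServer defaults) and hypothetical label keys.
CLUSTER_CIDRS = ["10.96.0.0/12", "10.0.0.0/16", "10.244.0.0/16"]
WEB_LABEL = {"dp.example/internet-web-egress": "enable"}  # hypothetical label
API_LABEL = {"dp.example/kube-api-server": "enable"}      # hypothetical label

POLICIES = [
    # kube-dns: selects every pod; allows UDP/TCP 53 to pods labelled k8s-app=kube-dns
    Policy("kube-dns", {}, [Rule([Peer(pod_labels={"k8s-app": "kube-dns"})],
                                 [("UDP", 53), ("TCP", 53)])]),
    # kubeApiServer with empty CIDR/port: the cluster CIDRs on TCP 443 and 6443
    Policy("kube-api-server", API_LABEL,
           [Rule([Peer(cidr=c) for c in CLUSTER_CIDRS], [("TCP", 443), ("TCP", 6443)])]),
    # internet-web-egress: anywhere outside the cluster ranges, HTTP/HTTPS only (assumption)
    Policy("internet-web-egress", WEB_LABEL,
           [Rule([Peer(cidr="0.0.0.0/0", except_cidrs=CLUSTER_CIDRS)], [("TCP", 80), ("TCP", 443)])]),
]


def scenarios(policies=POLICIES) -> Dict[str, bool]:
    """Evaluate constructed flows; each key names the pod and the target."""
    dns = Dest("10.244.0.10", {"k8s-app": "kube-dns"})
    apiserver = Dest("10.96.0.1")   # constructed ClusterIP of kubernetes.default
    web = Dest("93.184.216.34")     # constructed public address
    peer_pod = Dest("10.244.1.5")   # another pod in the cluster
    without_dns = [p for p in policies if p.name != "kube-dns"]
    return {
        "plain pod -> kube-dns udp/53": egress_allowed(policies, {}, dns, "UDP", 53),
        "plain pod -> internet tcp/443": egress_allowed(policies, {}, web, "TCP", 443),
        "web pod -> internet tcp/443": egress_allowed(policies, WEB_LABEL, web, "TCP", 443),
        "web pod -> internet tcp/8443": egress_allowed(policies, WEB_LABEL, web, "TCP", 8443),
        "web pod -> cluster pod tcp/443": egress_allowed(policies, WEB_LABEL, peer_pod, "TCP", 443),
        "api pod -> apiserver tcp/6443": egress_allowed(policies, API_LABEL, apiserver, "TCP", 6443),
        "api pod -> apiserver tcp/8080": egress_allowed(policies, API_LABEL, apiserver, "TCP", 8080),
        # the page's warning: without the kube-dns policy, name resolution is denied
        "web pod without kube-dns policy -> kube-dns udp/53":
            egress_allowed(without_dns, WEB_LABEL, dns, "UDP", 53),
    }


if __name__ == "__main__":
    for flow, allowed in scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {flow}")
```

Two results are worth checking against a real cluster with kubectl describe networkpolicy: a pod with no opt-in label can still reach kube-dns but nothing else, because the all-pods kube-dns policy already restricts it; and the last flow shows why the page calls the kube-dns policy mandatory, since any labelled pod loses DNS the moment that policy is missing.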
Deprecated Network Policies
For backward compatibility, the following old network policies are still available, but they will be removed in future releases. By default, deprecated network policies are not created for data planes registered in version 1.7.0.
| Deprecated Network Policy | New Network Policy | Label | Description |
|---|---|---|---|
| internet-all-deprecated | internet-egress | | Apply this label to pods in data plane namespaces to allow the pods to connect to the Internet on all ports. This excludes connecting to the node or pod address space. |
| internet-web-deprecated | internet-web-egress | | Apply this label to pods in data plane namespaces to allow the pods to connect to the Web only (HTTP port 80, HTTPS port 443). |
| internet-access-deprecated | internet-ingress | | Apply this label to pods to receive traffic from the Internet on all ports. This excludes ingress from the node or pod address space. |
| cluster-access-deprecated | cluster-ingress | | Apply this label to pods in data plane namespaces to receive the traffic from the cluster CIDR (the node CIDR and pod CIDR). |