---
title: Network policies
description: Kubernetes network policies let you specify how pods are allowed to communicate with other pods, namespaces, and IP addresses.
component: forgeops
version: 2026.1
page_id: forgeops:prepare:security/network-policies
canonical_url: https://docs.pingidentity.com/forgeops/2026.1/prepare/security/network-policies.html
keywords: ["Security", "Kubernetes", "Network"]
section_ids:
  deny_all_policy: deny-all policy
  ds_idrepo_ldap_policy: ds-idrepo-ldap policy
  ds_cts_ldap_policy: ds-cts-ldap policy
  ds_replication_policy: ds-replication policy
  backend_http_access_policy: backend-http-access policy
  front_end_http_access_policy: front-end-http-access policy
---

# Network policies

Kubernetes [network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies) let you specify how pods are allowed to communicate with other pods, namespaces, and IP addresses.

The `forgeops` repository contains two sets of example network policies for the Ping Identity Platform:

1. [Network policies for DS](https://github.com/ForgeRock/forgeops/blob/2026.1.0/kustomize/base/security/ds-netpolicy.yaml).

2. [Network policies for AM and IDM](https://github.com/ForgeRock/forgeops/blob/2026.1.0/kustomize/base/security/app-netpolicy.yaml).

Customize the example policies to meet your security needs, or use them to help you better understand how network policies can make Kubernetes deployments more secure.

All the example policies have the value `Ingress` in the `spec.policyTypes` key:

```
spec:
  policyTypes:
  - Ingress
```

Network policies with this policy type are called *ingress policies*, because they limit ingress traffic in a deployment.

## `deny-all` policy

By default, if no network policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace.

The `deny-all` policy modifies the default network policy for ingress. If a pod isn't selected by another network policy in the namespace, ingress is *not* allowed.

For information about how Kubernetes controls pod ingress when pods are selected by multiple network policies in a namespace, refer to [the Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/#isolated-and-non-isolated-pods).

## `ds-idrepo-ldap` policy

The `ds-idrepo-ldap` policy limits access to `ds-idrepo` pods. Access can only be requested over port 1389, 1636, or 8080, and must come from an `am`, `idm`, or `amster` pod.

This part of the network policy specifies that access must be requested over port *1389*, *1636*, or *8080*:

```
ingress:
- from:
  ...
  ports:
  - protocol: TCP
    port: 1389
  - protocol: TCP
    port: 1636
  - protocol: TCP
    port: 8080
```

This part of the network policy specifies that access must be from an `am`, `idm`, or `amster` pod:

```
ingress:
- from:
  - podSelector:
      matchExpressions:
      - key: app
        operator: In
        values:
        - am
        - idm
        - amster
```

Understanding the example network policies and how to customize them requires some knowledge of the labels defined in ForgeOps deployments. For example, `am` pods are defined with a label, `app`, that has the value `am`. You'll find this label in the /path/to/forgeops/kustomize/base/am/kustomization.yaml file:

```
commonLabels:
  app.kubernetes.io/name: am
  app.kubernetes.io/instance: am
  app.kubernetes.io/component: am
  app.kubernetes.io/part-of: forgerock
  tier: middle
  app: am
```

## `ds-cts-ldap` policy

The `ds-cts-ldap` policy limits access to `ds-cts` pods. Access can only be requested over port 1389, 1636, or 8080, and must come from an `am` or `amster` pod.

## `ds-replication` policy

`ds` pods in ForgeOps deployments are labeled with `tier: ds`; they're said to reside in the `ds` tier of the deployment.

The `ds-replication` policy limits access to the pods on the `ds` tier. This policy specifies that access to `ds` tier pods over port 8989 can only come from other pods in the same tier.

Note that port 8989 is the default DS replication port. This network policy ensures that only DS pods can access the replication port.
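To see how the `deny-all`, `ds-idrepo-ldap`, and `ds-replication` policies combine before you apply them, here is an added Python example (not code from the `forgeops` repository) that reproduces the Kubernetes ingress semantics this page relies on: a pod selected by no ingress policy is non-isolated and accepts everything, a pod selected by at least one policy is isolated, and the rules of every policy that selects it are OR-ed together. The three policies are reconstructed from the descriptions above as Python dicts that mirror the manifest fields. The pod names, the pod labels, and the `app: ds-idrepo` selector on the `ds-idrepo-ldap` policy are assumptions, and only `podSelector` peers and TCP ports are modelled (no `namespaceSelector`, `ipBlock`, egress, or named ports).

```python
"""Minimal evaluator for Kubernetes NetworkPolicy ingress semantics.

Added example. The policies and pods below are constructed to mirror what
this page describes; they are not the manifests from the forgeops repository.
"""

# Constructed pods with the labels this page mentions (tier/app values).
# "debug-0" is deliberately selected by nothing except deny-all.
PODS = {
    "am-0":        {"app": "am",        "tier": "middle"},
    "amster-0":    {"app": "amster",    "tier": "middle"},
    "idm-0":       {"app": "idm",       "tier": "middle"},
    "login-ui-0":  {"app": "login-ui",  "tier": "ui"},
    "ds-idrepo-0": {"app": "ds-idrepo", "tier": "ds"},
    "ds-cts-0":    {"app": "ds-cts",    "tier": "ds"},
    "debug-0":     {"app": "debug"},
}

# Reconstructed policies (assumed selectors), in manifest field names.
POLICIES = [
    {   # deny-all: empty podSelector selects every pod; no ingress rules at all
        "name": "deny-all",
        "podSelector": {},
        "policyTypes": ["Ingress"],
        "ingress": [],
    },
    {   # ds-idrepo-ldap: am/idm/amster pods over 1389, 1636, 8080
        "name": "ds-idrepo-ldap",
        "podSelector": {"matchLabels": {"app": "ds-idrepo"}},  # assumed selector
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchExpressions": [
                {"key": "app", "operator": "In", "values": ["am", "idm", "amster"]}]}}],
            "ports": [{"protocol": "TCP", "port": p} for p in (1389, 1636, 8080)],
        }],
    },
    {   # ds-replication: ds tier pods reach other ds tier pods over 8989
        "name": "ds-replication",
        "podSelector": {"matchLabels": {"tier": "ds"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"tier": "ds"}}}],
            "ports": [{"protocol": "TCP", "port": 8989}],
        }],
    },
]


def selector_matches(selector, labels):
    """Evaluate a label selector (matchLabels and matchExpressions).
    An empty selector {} matches every pod, as it does in Kubernetes."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def rule_allows(rule, src_labels, port, protocol="TCP"):
    """One ingress rule allows a connection when some `from` peer matches the
    source pod AND some listed port matches. A missing `from` means any source;
    a missing `ports` means any port (Kubernetes defaults)."""
    peers = [p["podSelector"] for p in rule.get("from", []) if "podSelector" in p]
    if rule.get("from") and not any(selector_matches(s, src_labels) for s in peers):
        return False
    ports = rule.get("ports", [])
    if ports and not any(p.get("protocol", "TCP") == protocol and p["port"] == port
                         for p in ports):
        return False
    return True


def ingress_allowed(policies, pods, src, dst, port, protocol="TCP"):
    """Kubernetes rule: if no ingress policy selects the destination pod it is
    non-isolated and everything is allowed; otherwise at least one rule of at
    least one selecting policy must allow the connection (policies are additive)."""
    src_labels, dst_labels = pods[src], pods[dst]
    selecting = [p for p in policies
                 if "Ingress" in p.get("policyTypes", ["Ingress"])
                 and selector_matches(p["podSelector"], dst_labels)]
    if not selecting:
        return True
    return any(rule_allows(r, src_labels, port, protocol)
               for p in selecting for r in p.get("ingress", []))


def allowed_sources(policies, pods, dst, port, protocol="TCP"):
    """Audit helper: which pods may reach `dst` on `port` under these policies."""
    return sorted(s for s in pods if s != dst or True
                  if ingress_allowed(policies, pods, s, dst, port, protocol))


if __name__ == "__main__":
    for dst, port in (("ds-idrepo-0", 1389), ("ds-idrepo-0", 8989), ("debug-0", 8080)):
        print(f"{dst}:{port} <- {allowed_sources(POLICIES, PODS, dst, port)}")
```

Removing `deny-all` from the list is the quickest way to see why this page describes it first: without it, a pod such as `debug-0` that no other policy selects stays non-isolated and accepts traffic from everyone.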

## `backend-http-access` policy

The `backend-http-access` policy limits access to the pods in the `middle` tier, which contains the `am`, `idm`, and `ig` pods. Access can only be requested over port 8080.

## `front-end-http-access` policy

The `front-end-http-access` policy limits access to the pods in the `ui` tier: the `login-ui`, `admin-ui`, and `end-user-ui` pods. Access can only be requested over port 8080.

Note that users send HTTPS requests for the Ping Identity Platform UIs to the ingress controller over port 443. The ingress controller terminates TLS, and then forwards requests to the UI pods over port 8080.
