Network policies
Kubernetes network policies let you specify specify how pods are allowed to communicate with other pods, namespaces, and IP addresses.
The forgeops
repository contains two sets of example network policies for the
Ping Identity Platform:
Customize the example policies to meet your security needs, or use them to help you better understand how network policies can make Kubernetes deployments more secure.
All the example policies have the value Ingress
in the spec.policyTypes
key:
spec: policyTypes: - Ingress
Network policies with this policy type are called ingress policies, because they limit ingress traffic in a deployment.
deny-all
policy
By default, if no network policies exist in a namespace, then all ingress and egress traffic is allowed to and from pods in that namespace.
The deny-all
policy modifies the default network policy for ingress. If a pod
isn’t selected by another network policy in the namespace, ingress is not
allowed.
For information about how Kubernetes controls pod ingress when pods are selected by multiple network policies in a namespace, refer to the Kubernetes documentation.
ds-idrepo-ldap
policy
The ds-idrepo-ldap
policy limits access to ds-idrepo
pods. Access can only
be requested over port 1389, 1636, or 8080, and must come from an am
, idm
,
or amster
pod.
This part of the network policy specifies that access must be requested over port 1389, 1636, or 8080:
ingress: - from: ... ports: - protocol: TCP port: 1389 - protocol: TCP port: 1636 - protocol: TCP port: 8080
This part of the network policy specifies that access must be from an am
,
idm
, or amster
pod:
ingress: - from: - podSelector: matchExpressions: - key: app operator: In values: - am - idm - amster
Understanding the example network policies and how to customize them requires
some knowledge about labels defined in ForgeOps deployments. For example,
am
pods are defined with a label, app
, that has the value am
. You’ll
find this label in
/path/to/forgeops/kustomize/base/am/kustomization.yaml file:
commonLabels: app.kubernetes.io/name: am app.kubernetes.io/instance: am app.kubernetes.io/component: am app.kubernetes.io/part-of: forgerock tier: middle app: am
ds-cts-ldap
policy
The ds-cts-ldap
policy limits access to ds-cts
pods. Access can only
be requested over port 1389, 1636, or 8080, and must come from an am
or
amster
pod.
ds-replication
policy
ds
pods in ForgeOps deployments are labeled with tier: ds
; they’re said to
reside in the ds
tier of the deployment.
The ds-replication
policy limits access to the pods on the ds
tier. This
policy specifies that access to ds
tier pods over port 8989 can only come from
other pods in the same tier.
Note that port 8989 is the default DS replication port. This network policy ensures that only DS pods can access the replication port.
backend-http-access
policy
The backend-http-access
policy limits access to the pods in the middle
tier,
which contains the am
, idm
, and ig
pods. Access can only be requested over
port 8080.
front-end-http-access
policy
The front-end-http-access
policy limits access to the pods in the ui
tier:
the login-ui
, admin-ui
, and end-user-ui
pods. Access can only be requested
over port 8080.
Note that users send HTTPS requests for the ForgeRock UIs to the ingress controller over port 443. The ingress controller terminates TLS, and then forwards requests to the UI pods over port 8080.