Modified: for 12.1.2



The SBC CNe environment is enhanced to secure containerized applications and control their communications, which it does through NetworkPolicy. The NetworkPolicy functionality within the SBC CNe environment is crucial for enhancing security and controlling pod communication. The following is an overview of the functionalities of NetworkPolicy:

  • Traffic Control: The NetworkPolicy allows operators to define fine-grained rules for Ingress traffic. Ingress rules govern incoming traffic to pods, specifying which ports are allowed.
  • Pod Selection Criteria: Pods affected by the NetworkPolicy are selected based on labels, allowing for flexible and dynamic targeting.
  • Namespace-level Isolation: The NetworkPolicy supports namespace-level isolation by controlling communication based on namespace selection. Namespace-level isolation ensures that pods in different namespaces adhere to the defined communication rules, contributing to a more secure and organized Kubernetes environment.
  • Enhanced Security: The NetworkPolicy significantly reduces the attack surface by enforcing communication rules and limiting potential security threats. Unauthorized or unnecessary communication is restricted, preventing unintended access between pods.

The feature is composed of the following five components:

  • NetworkPolicy: Represents the overarching configuration entity of the NetworkPolicy system; defines the rules and constraints for communication between pods within the Kubernetes cluster.

  • Metadata: Holds essential metadata about the NetworkPolicy, including its name and the namespace to which it belongs; enables proper identification and organization of NetworkPolicy instances.

  • PodSelector: Specifies criteria for selecting pods affected by the NetworkPolicy rules; uses the "matchLabels" field to target pods with specific labels, such as those belonging to a particular group.

  • PolicyTypes: Enumerates the types of policies applied by the NetworkPolicy; includes Ingress, which allows for control over incoming pod communication.

  • Ingress: Governs Ingress traffic, controlling incoming communication to pods affected by the NetworkPolicy. It defines the sources allowed to communicate: pods within the same namespace, traffic from the configured CIDR ranges, and, depending on the configuration, the Prometheus pods in another namespace.

NetworkPolicy is enabled automatically on the SBC CNe environment. Users can configure the NetworkPolicy for inter-pod communication by editing the "values.yaml" and "networkPolicy.yaml" files.

NetworkPolicy Configuration
  networkPolicy:
    enabled: True
    cidr:
      enabled: False
      subnets:
      - 10.231.0.0/16
      #- 10.232.0.0/16

networkPolicy: This parameter controls whether network policies are applied in the Kubernetes cluster. By default, it is set to False. When set to True, Kubernetes Network Policies are enforced. Network Policies in Kubernetes define how pods communicate with each other and with other network endpoints. Enabling this means that the cluster will enforce rules that control the ingress traffic to the pods.

networkPolicy:
  enabled: True

cidr: This parameter specifies whether CIDR-based network policies are enabled. By default, it is set to False. When set to True, the cluster will allow the specified CIDR ranges in the network policies. CIDR (Classless Inter-Domain Routing) is used to define IP address ranges. Disabling this means that any CIDR-related configuration in the subnets section will be ignored.

cidr:
  enabled: False

subnets: This parameter lists the CIDR subnets that are used if cidr.enabled is set to True. These subnets define the IP address ranges that can be used in network policies when CIDR-based network policies are enabled. Each subnet specifies a range of IP addresses in CIDR notation.

cidr:
  subnets:
  - 10.231.0.0/16
  #- 10.232.0.0/16

10.231.0.0/16: Specifies a subnet range. If cidr.enabled is True, the policy allows all traffic from the specified range.


configMap:
  metrics:
    enable: true
    ...
    output:
    - server: "prometheus"
      # Set enabledInOtherNamespace to true if Prometheus is deployed in a different namespace.
      # Specify the namespace where Prometheus is deployed.
      # This is required for setting the network security group rules.
      enabledInOtherNamespace: false
      prometheusNamespace: "prometheus-namespace"

enabledInOtherNamespace: This parameter controls whether Prometheus is deployed in another namespace. Default value: False. When set to True, it allows ingress traffic from the namespace where Prometheus is deployed.

prometheusNamespace: Specifies the namespace where Prometheus is deployed.

To allow SBC to accept ingress traffic from the Prometheus pod when Prometheus runs in a different namespace, set enabledInOtherNamespace to true and specify the prometheusNamespace.
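The following is an added example, not code from the SBC CNe chart or its documentation: a small Python function that renders the NetworkPolicy implied by the values.yaml and configMap settings above, showing how cidr.enabled gates the subnet peers and how enabledInOtherNamespace adds the Prometheus namespace as an allowed source. The policy name, the pod labels and the kubernetes.io/metadata.name namespace label are assumptions.

```python
# Added illustration, not the SBC CNe chart's own template: build the
# NetworkPolicy manifest that the page's values.yaml settings imply.
# Keys networkPolicy.enabled, cidr.enabled, cidr.subnets, enabledInOtherNamespace
# and prometheusNamespace come from the page; policy name, pod labels and the
# kubernetes.io/metadata.name namespace label are assumptions.

# Constructed sample of the relevant values.yaml / configMap settings.
SAMPLE_VALUES = {
    "networkPolicy": {
        "enabled": True,
        "cidr": {"enabled": False, "subnets": ["10.231.0.0/16"]},
    },
    "configMap": {"metrics": {"output": [{
        "server": "prometheus",
        "enabledInOtherNamespace": False,
        "prometheusNamespace": "prometheus-namespace",
    }]}},
}


def render_network_policy(values, namespace, name="sbc-cne-ingress",
                          pod_labels=None):
    """Return the NetworkPolicy as a dict, or None if networkPolicy.enabled is False."""
    np_cfg = values.get("networkPolicy", {})
    if not np_cfg.get("enabled", False):
        return None
    pod_labels = pod_labels or {"app": "sbc-cne"}  # placeholder selector
    # Pods in the same namespace are always allowed (empty podSelector = all).
    peers = [{"podSelector": {}}]
    # ipBlock peers appear only when cidr.enabled is True; otherwise the
    # subnets list is ignored, as the page states.
    cidr = np_cfg.get("cidr", {})
    if cidr.get("enabled", False):
        peers += [{"ipBlock": {"cidr": s}} for s in cidr.get("subnets", [])]
    # Prometheus in another namespace is admitted via a namespaceSelector.
    outputs = values.get("configMap", {}).get("metrics", {}).get("output", [])
    for out in outputs:
        if out.get("server") == "prometheus" and out.get("enabledInOtherNamespace"):
            peers.append({"namespaceSelector": {"matchLabels": {
                "kubernetes.io/metadata.name": out["prometheusNamespace"]}}})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": pod_labels},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": peers}],
        },
    }
```

With the sample values (cidr disabled, Prometheus in the same namespace) the only allowed source is pods in the SBC namespace; flipping the two flags adds the ipBlock and namespaceSelector peers.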