Network Policies

Network Policies allow us to control access to the pods and traffic between the pods. They are implemented in the chart using standard Kubernetes NetworkPolicy definitions.

The chart is tested on clusters using Calico for Network Policies.

Configuring Network Policies

Disabling Network Policies

To completely disable network policies:

networkPolicy:
  enabled: false

This turns off all control. It may be useful when determining whether access to a service is being blocked by the default policies, but in general, and certainly in production, network policies should not be disabled.

Configuring CIDRs

Globally we can configure CIDRs to allow access for:

  • LoadBalancers
  • OIDC provider
  • Databases
  • Blob stores

Default

The default configuration has most things disabled:

networkPolicy:
  cidr:
    loadBalancers: []
    oidcProvider:
      - ports:
          - 443
    store:
      cases: []
      definitions: []
      attachments: []

This prevents access from LoadBalancers, allows egress to the OIDC provider on port 443 only, and prevents any database or blob store access.

CIDR

We can control the network ranges that are allowed ingress and egress as follows:

networkPolicy:
  cidr:
    loadBalancers:
      - cidr: 0.0.0.0/0
        except:
          - 10.1.0.0/8

This allows any IP on the internet to access the cluster except those in 10.1.0.0/8.

Port

In cases where we are not concerned about the IP but only the port, we can do the following:

networkPolicy:
  cidr:
    oidcProvider:
      - ports:
          - 443

This allows the apps to contact the OIDC provider at any IP address, but only on port 443.
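The following is an added example, not code from the chart, that models how the CIDR and port entries above behave when the chart turns them into NetworkPolicy rules. It assumes (as the chart's own templates may not) that each list entry under networkPolicy.cidr can carry cidr, except and ports keys with Kubernetes ipBlock/ports semantics: a peer matches an entry when its address is inside cidr but not inside any except range, and its port is listed (or no ports are given); an entry without cidr matches any address, and an empty list allows nothing. It also lints the ranges with strict parsing, which flags the 10.1.0.0/8 range from the text because a /8 mask does not cover the 10.1 prefix, something worth checking before a policy engine normalises or rejects it.

```python
"""Evaluate and lint the networkPolicy.cidr entries from the chart values.

Added example with assumed semantics (see lead-in); not part of the chart.
"""
import ipaddress

# Constructed values mirroring the examples on the page.
VALUES = {
    "networkPolicy": {
        "cidr": {
            "loadBalancers": [{"cidr": "0.0.0.0/0", "except": ["10.1.0.0/8"]}],
            "oidcProvider": [{"ports": [443]}],
            "store": {"cases": [], "definitions": [], "attachments": []},
        }
    }
}


def lint_cidrs(entries):
    """Return warnings for ranges whose host bits are set.

    ipaddress in strict mode rejects e.g. 10.1.0.0/8, because the /8 mask
    actually covers 10.0.0.0/8; such a range is usually a typo and policy
    engines may reject it or silently normalise it."""
    warnings = []
    for entry in entries:
        for key in ("cidr", "except"):
            ranges = entry.get(key, [])
            if isinstance(ranges, str):
                ranges = [ranges]
            for r in ranges:
                try:
                    ipaddress.ip_network(r, strict=True)
                except ValueError:
                    net = ipaddress.ip_network(r, strict=False)
                    warnings.append(f"{key} {r} has host bits set; did you mean {net}?")
    return warnings


def entry_allows(entry, ip, port):
    """Assumed ipBlock/ports semantics for a single list entry."""
    addr = ipaddress.ip_address(ip)
    cidr = entry.get("cidr")
    if cidr is not None:
        # Peer must be inside cidr and outside every except range.
        if addr not in ipaddress.ip_network(cidr, strict=False):
            return False
        for ex in entry.get("except", []):
            if addr in ipaddress.ip_network(ex, strict=False):
                return False
    ports = entry.get("ports")
    if ports is not None and port not in ports:
        return False
    return True


def is_allowed(entries, ip, port):
    """An empty list (the chart default) allows nothing; any matching entry suffices."""
    return any(entry_allows(e, ip, port) for e in entries)


if __name__ == "__main__":
    cidr = VALUES["networkPolicy"]["cidr"]
    for w in lint_cidrs(cidr["loadBalancers"]):
        print("warning:", w)
    print("lb 203.0.113.7:443 ->", is_allowed(cidr["loadBalancers"], "203.0.113.7", 443))
    print("lb 10.1.2.3:443    ->", is_allowed(cidr["loadBalancers"], "10.1.2.3", 443))
    print("oidc :443          ->", is_allowed(cidr["oidcProvider"], "198.51.100.9", 443))
    print("oidc :80           ->", is_allowed(cidr["oidcProvider"], "198.51.100.9", 80))
    print("store.cases        ->", is_allowed(cidr["store"]["cases"], "10.0.0.5", 5432))
```

Running the lint over values before a helm upgrade is a cheap way to catch a range that will not mean what the author intended; the allow check is useful when deciding whether a blocked connection is explained by the policy rather than by disabling networkPolicy.enabled to find out.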