Network policies
IBM Industry Solutions Workbench now supports network policies that limit ingoing and outgoing traffic in the namespaces where Solution Designer and Solution Hub are running. Ingoing traffic is also limited for deployed projects designed and implemented with IBM Industry Solutions Workbench. These network policies are enabled by default; this chapter describes how you can disable and configure them.
Reviewing and changing the Egress configuration is mandatory; otherwise IBM Industry Solutions Workbench is not able to work properly.
Ingress (ingoing traffic)
The ingress policy blocks traffic from outside into the namespace where IBM Industry Solutions Workbench is installed or the service project is deployed.
To disable the ingress policy, you need to configure the ISW Custom Resource and set values.global.network.ingressPolicy.enabled to "false". For more information on how to configure this, see the documentation about the ISW Custom Resource.
After the change, the ingress network policy is disabled for the namespace where IBM Industry Solutions Workbench is installed and for all k5projects.
Egress (outgoing traffic)
The egress policy blocks traffic from the namespace where IBM Industry Solutions Workbench is installed to any destination outside the cluster (a Route on the same cluster is also seen as "outside the cluster"). K5projects, however, are not affected by this policy.
If you don't use OpenShiftSDN, see Workaround for clusters without OpenShiftSDN.
Configure Egress
Every public route or destination must be specifically allowed in the EgressNetworkPolicy. To allow certain outgoing traffic, you need to configure the ISW Custom Resource and add entries to values.global.network.egressPolicy.allowList. For more information on how to configure this, see the documentation about the ISW Custom Resource.
Disable Egress
To disable the egress policy, you need to configure the ISW Custom Resource and set values.global.network.egressPolicy.enabled to "false". For more information on how to configure this, see the documentation about the ISW Custom Resource.
After the change, the egress network policy is disabled for the namespace where IBM Industry Solutions Workbench is installed, and outgoing traffic is no longer blocked.
Workaround for clusters without OpenShiftSDN
It is mandatory to use OpenShiftSDN as the network plugin; otherwise the EgressNetworkPolicy CustomResourceDefinition (CRD) is not available and the egress policy does not work. If you use a network plugin other than OpenShiftSDN and cannot switch, you must apply the following workaround and disable Egress.
Step 1: Disable egress in deployment
- Open the ClusterServiceVersion of your IBM Industry Solutions Workbench Operator. That can be done by navigating in the web console to Operators -> Installed operators -> IBM Industry Solutions Workbench -> YAML
- Add the following environment variable to spec.install.spec.deployments[0].spec.template.spec.containers[0].env:
    - name: DISABLE_EGRESS
      value: 'true'
Step 2: Disable Egress
After disabling Egress in the deployment of the operator, you need to disable Egress in every ISW CustomResource as well, see the section Disable Egress.
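The prerequisite check behind this workaround, written as an added example that is not part of the IBM documentation: it reads the cluster's network plugin, tests for the EgressNetworkPolicy CRD, and looks for DISABLE_EGRESS at the env path from Step 1. It assumes a logged-in oc CLI; the namespace and ClusterServiceVersion name are arguments you supply, and the three result labels are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for the egress policy prerequisites.
# Assumes a logged-in `oc`; NAMESPACE and CSV_NAME are supplied by the caller.

# Network plugin reported by the cluster network configuration.
network_type() {
  oc get network.config/cluster -o jsonpath='{.status.networkType}'
}

# Succeeds if the EgressNetworkPolicy CRD is registered on the cluster.
has_egress_crd() {
  oc get crd egressnetworkpolicies.network.openshift.io >/dev/null 2>&1
}

# Value of DISABLE_EGRESS at the env path named in Step 1 (empty if unset).
# $1 = namespace of the operator, $2 = ClusterServiceVersion name
csv_disable_egress() {
  oc get csv "$2" -n "$1" -o \
    jsonpath='{.spec.install.spec.deployments[0].spec.template.spec.containers[0].env[?(@.name=="DISABLE_EGRESS")].value}'
}

# Prints one of: enforceable | workaround-applied | workaround-missing
egress_posture() {
  ns=$1 csv=$2
  if [ "$(network_type)" = "OpenShiftSDN" ] && has_egress_crd; then
    echo "enforceable"          # egress policy can work; review the allowList
  elif [ "$(csv_disable_egress "$ns" "$csv")" = "true" ]; then
    echo "workaround-applied"   # Step 1 done; Step 2 still applies per ISW CR
  else
    echo "workaround-missing"   # CRD unavailable and DISABLE_EGRESS not set
  fi
}

# Runs only when invoked as: ./check-egress.sh NAMESPACE CSV_NAME
if [ "$#" -eq 2 ]; then
  egress_posture "$1" "$2"
fi
```

A result of workaround-applied covers only the operator deployment; each ISW Custom Resource still has to be checked for values.global.network.egressPolicy.enabled as described in Step 2.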