4.2.2 Network Policy
OCNADD is also shipped with Network Policies for ingress connections, which are disabled by default.
The Network Policies fall into three categories:
- Internal service connections: the service connections that are internal to the OCNADD namespace. To enable network policies, change the value of global.network.policy.enable to true in the <chart-path>/values.yaml file. By default, it is false.

    network:
      # enable network policies
      policy:
        enable: true

- External service connections: the service connections that connect to the OCNADD namespace. The policy is applied to connections from OCCNCC, OCSCP, OCNRF, and so on, which are deployed outside the OCNADD namespace. To allow connections from specific namespaces (when network policies are enabled), add the namespace to the namespaces list in global.network.policy.ingress.namespaces of the <chart-path>/values.yaml file as below:

    # allow ingress network connections from below namespaces
    namespaces:
      - occne-infra
      - occncc

  In the above example, connections from all pods of the occne-infra namespace (prometheus, grafana, and so on) and of the occncc namespace are allowed. Similarly, add the SCP and NRF namespaces to this list.
- External service connection from specific IP addresses: this can be enabled (disabled by default) to allow connections from specific IP address ranges when Network Policy is enabled. In the below example, connections from the 10.0.0.0/8 subnet are allowed. In other words, all connections from IP addresses 10.0.0.0 - 10.255.255.255 are allowed.

    # to allow external connections from postman, curl, etc.
    # only needed for development/debugging purposes
    external:
      enable: true
      cidrs:
        - 10.0.0.0/8
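The following is an added illustration, not the OCNADD chart's own template: it renders the kind of Kubernetes NetworkPolicy that the three value settings above imply (same-namespace pods allowed, listed namespaces allowed, listed CIDRs allowed, everything else denied). It assumes the external block lives under global.network.policy.ingress, that the namespace name "ocnadd" and the policy name are placeholders, and that namespaces are matched by the standard kubernetes.io/metadata.name label.

```python
# Added illustration (not the OCNADD chart's template): build the NetworkPolicy
# implied by global.network.policy in values.yaml. Namespace peers are matched
# on the standard "kubernetes.io/metadata.name" label that Kubernetes sets.
import ipaddress
import json


def build_ingress_policy(values, own_namespace="ocnadd"):
    """Return a NetworkPolicy dict, or None when policies are disabled
    (the shipped default). `own_namespace` is a placeholder name."""
    policy = values["global"]["network"]["policy"]
    if not policy.get("enable", False):
        return None
    ingress = policy.get("ingress", {})
    # Internal connections: any pod inside the OCNADD namespace itself.
    peers = [{"podSelector": {}}]
    # External connections from the listed namespaces (OCCNCC, SCP, NRF, ...).
    for ns in ingress.get("namespaces", []):
        peers.append({"namespaceSelector": {
            "matchLabels": {"kubernetes.io/metadata.name": ns}}})
    # External connections from specific CIDRs; assumed to sit under `ingress`.
    external = ingress.get("external", {})
    if external.get("enable", False):
        for cidr in external.get("cidrs", []):
            ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
            peers.append({"ipBlock": {"cidr": cidr}})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "ocnadd-ingress", "namespace": own_namespace},
        "spec": {
            "podSelector": {},           # applies to every pod in the namespace
            "policyTypes": ["Ingress"],  # ingress not matched below is denied
            "ingress": [{"from": peers}],
        },
    }


# Constructed sample values mirroring the three snippets in this section.
SAMPLE_VALUES = {"global": {"network": {"policy": {
    "enable": True,
    "ingress": {
        "namespaces": ["occne-infra", "occncc"],
        "external": {"enable": True, "cidrs": ["10.0.0.0/8"]},
    },
}}}}

if __name__ == "__main__":
    print(json.dumps(build_ingress_policy(SAMPLE_VALUES), indent=2))
```

Diffing this rendering against the policy the chart actually creates (kubectl get networkpolicy -n <namespace> -o yaml) is a quick way to confirm that only the intended namespaces and CIDRs are admitted.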