Commit 314f05e1 authored by Andrew Kesterson's avatar Andrew Kesterson
WIP for #1996 : Add combined network policies docs

parent 7afe9608
# Using Network Policies in Big Bang
Kubernetes allows Big Bang operators to use [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to control the network traffic into or out of the pods that make up the various components of a Kubernetes cluster. A network policy restricts incoming and outgoing traffic for a given set of pods by selecting peers by pod, by namespace, or by IP block. Network Policies are not required in all cases; proper usage of TLS, exposing only necessary ports, and other standard controls already provide good security. However, Network Policies give you much finer-grained control over which components of your Kubernetes cluster can speak to each other, and which destinations they can reach outbound.
BigBang components ship with various network policies already configured. You can turn these networking policies on and off by setting a global flag and a per-component flag.
```yaml
# This will turn on support for network policies writ-large across the bigbang suite
networkPolicies:
  enabled: true
# This will turn on support for network policies in a specific component
addons:
  COMPONENT_NAME:
    values:
      networkPolicies:
        enabled: true
```
You should always consult the documentation for the specific BigBang component (or community addon) in question to learn how to enable network policies for it, and to understand which network policies that component applies. Such documentation is outside the scope of this page.
Sometimes you will want to apply additional [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to further isolate certain pods in your deployment. BigBang has adopted standardized mechanisms for crafting and deploying these Network Policies through the values provided to your BigBang components or community add-ons.
For BigBang packaged components, you place these rules inside of the values for the given component:
```yaml
addons:
  COMPONENT_NAME:
    values:
      networkPolicies:
        enabled: true
        additionalPolicies:
          - name: example-egress-policy-all-pods
            spec:
              podSelector: {}
              policyTypes:
                - Egress
              egress:
                - to:
                    - ipBlock:
                        cidr: 172.20.0.0/12
          - name: example-ingress-policy-all-pods
            spec:
              podSelector: {}
              policyTypes:
                - Ingress
              ingress:
                - from:
                    - ipBlock:
                        cidr: 172.20.0.0/12
```
For community addons (such as JIRA), you add these rules inside of the values for the package:
```yaml
packages:
  PACKAGE_NAME:
    values:
      networkPolicies:
        enabled: true
        additionalPolicies:
          - name: example-egress-policy-all-pods
            spec:
              podSelector: {}
              policyTypes:
                - Egress
              egress:
                - to:
                    - ipBlock:
                        cidr: 172.20.0.0/12
          - name: example-ingress-policy-all-pods
            spec:
              podSelector: {}
              policyTypes:
                - Ingress
              ingress:
                - from:
                    - ipBlock:
                        cidr: 172.20.0.0/12
```
In either case, the `additionalPolicies` entry is a list of YAML objects, each describing a single [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) by its `name` and `spec`. You can add as many of these as you like. Consult [the upstream Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) for more information on Network Policies and what you can do with them.
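As an added example (not Big Bang's own chart templating; the component name `gitlab`, the target namespace and the manifest shape are assumptions stated in the comments), the following Python script renders an `additionalPolicies` list into Kubernetes NetworkPolicy manifests and flags two things operators often miss: a `policyTypes` entry with no matching rules is a deny-all for that direction, and an empty `podSelector` selects every pod in the namespace.

```python
# Added example, not Big Bang code: render `additionalPolicies` values into
# NetworkPolicy manifests and lint them for silently restrictive settings.
import ipaddress

# Constructed sample mirroring the values layout above. "gitlab" is an assumed
# component name; the second policy is a constructed mistake (no ingress rules).
SAMPLE_VALUES = {"addons": {"gitlab": {"values": {"networkPolicies": {
    "enabled": True,
    "additionalPolicies": [
        {"name": "example-egress-policy-all-pods",
         "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                  "egress": [{"to": [{"ipBlock": {"cidr": "172.20.0.0/12"}}]}]}},
        {"name": "example-ingress-deny-all",
         "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    ],
}}}}}


def render_policies(values, component, namespace):
    """Return NetworkPolicy manifests for `component`, or [] when disabled.
    The apiVersion/kind/metadata wrapper is the standard Kubernetes shape;
    how the real chart names and labels them is an assumption here."""
    np = values["addons"][component]["values"].get("networkPolicies", {})
    if not np.get("enabled"):
        return []
    return [{"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
             "metadata": {"name": p["name"], "namespace": namespace},
             "spec": p["spec"]}
            for p in np.get("additionalPolicies", [])]


def lint_policy(manifest):
    """Return warnings for behaviour that is easy to get wrong."""
    spec, warnings = manifest["spec"], []
    name = manifest["metadata"]["name"]
    for ptype in spec.get("policyTypes", []):
        # Listing a direction with no rules blocks all traffic that way.
        if not spec.get(ptype.lower()):
            warnings.append(f"{name}: {ptype} listed with no rules -> denies all {ptype.lower()}")
    if spec.get("podSelector") == {}:
        warnings.append(f"{name}: empty podSelector applies to every pod in the namespace")
    for rule in spec.get("egress", []) + spec.get("ingress", []):
        for peer in rule.get("to", []) + rule.get("from", []):
            cidr = peer.get("ipBlock", {}).get("cidr")
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if str(net) != cidr:  # address has host bits set for this prefix
                warnings.append(f"{name}: cidr {cidr} has host bits set, normalizes to {net}")
            if net.prefixlen < 16:
                warnings.append(f"{name}: ipBlock {net} is broader than a /16")
    return warnings
```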