Kubernetes allows Big Bang operators to utilize [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to control the network traffic into or out of the various pods of a Kubernetes cluster. These network policies allow you to restrict incoming and outgoing traffic to or from a given set of pods using selectors. [Selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) allow you to select which pods a given networkPolicy will apply to.
Network Policies are added as needed to supplement other good security practices, such as proper usage of TLS, only exposing necessary ports, and using other standard controls. In addition, Network Policies allow you to control what can connect to the pods in your cluster from outside, which pods in your Kubernetes cluster can speak to each other internally, and which destinations outside of the cluster those pods can initiate connections to.
## Enabling or Disabling Network Policies
BigBang packages and community addons ship with various network policies already configured. You can turn these networking policies on and off by setting a global flag and a per-component flag.
```
# This will turn support on or off for network policies writ large across the bigbang suite
networkPolicies:
  enabled: [true|false]

# For bigbang core components (such as eck-operator, monitoring, etc), this will turn on or off support for network policies in a core component
COMPONENT_NAME:
  values:
    networkPolicies:
      enabled: [true|false]

# For bigbang packages (such as minio, istio, etc), this will turn on or off support for network policies in a specific addon
addons:
  ADDON_NAME:
    values:
      networkPolicies:
        enabled: [true|false]

# For community packages (such as jira), this will turn on or off support for network policies in a specific package
packages:
  PACKAGE_NAME:
    values:
      networkPolicies:
        enabled: [true|false]
```
## Crafting and Delivering Additional Network Policies
Sometimes you will want to apply additional [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to further isolate certain pods in your deployment. BigBang has adopted standardized mechanisms for crafting and deploying these Network Policies through the values provided to your BigBang components or community add-ons.
For BigBang core components, you place these rules inside of the values for the given component:
```
COMPONENT_NAME:
  values:
    networkPolicies:
      enabled: true
      additionalPolicies: []
```
For BigBang packages, you place these rules inside of the values for the given package:
```
addons:
  ADDON_NAME:
    values:
      networkPolicies:
        enabled: true
        additionalPolicies: []
```
For community packages (such as JIRA), you add these rules inside of the values for the package:
```
packages:
  PACKAGE_NAME:
    values:
      networkPolicies:
        enabled: true
        additionalPolicies: []
```
In all cases, the `additionalPolicies` entry should be a list of YAML objects, each describing a single [Network Policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/). You can add as many of these as you like. Consult [the upstream Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) for more information on Network Policies, and what you can do with them.
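As an added illustration (not taken from the Big Bang project), here is what a populated `additionalPolicies` list could look like for a core component, restricting both who can reach a set of pods and where those pods can connect. It assumes each entry carries a `name` plus a standard NetworkPolicy `spec`; the policy names, labels, namespace, ports and CIDR are constructed values, so confirm the entry shape against your chart before using it.

```yaml
# Added example. COMPONENT_NAME is this page's placeholder; every name, label,
# port and address below is a constructed sample value.
# Assumption: each list entry is a `name` plus a standard NetworkPolicy `spec`.
COMPONENT_NAME:
  values:
    networkPolicies:
      enabled: true
      additionalPolicies:
      # Only pods in the istio-system namespace may reach the app pods on 8080.
      - name: allow-ingress-from-gateway
        spec:
          podSelector:
            matchLabels:
              app.kubernetes.io/name: example-app
          policyTypes:
          - Ingress
          ingress:
          - from:
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: istio-system
            ports:
            - protocol: TCP
              port: 8080
      # The same pods may open connections to one external host over HTTPS.
      - name: allow-egress-to-external-api
        spec:
          podSelector:
            matchLabels:
              app.kubernetes.io/name: example-app
          policyTypes:
          - Egress
          egress:
          - to:
            - ipBlock:
                cidr: 203.0.113.10/32   # documentation-range address
            ports:
            - protocol: TCP
              port: 443
```

Network Policies are additive allow-lists: once a pod is selected by any policy for a given direction, traffic in that direction is denied unless some policy allows it. These two entries therefore add to whatever the package's own shipped policies already permit rather than replacing them.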
* [Kubernetes Labels and Selectors Documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
* [Big Bang Developer Guide for Package Implementation](../../developer/develop-package.md)
* [Big Bang Developer Guide for Package Integration regarding Network Policies](../../developer/package-integration/network-policies.md)
For more information regarding the behavior of a specific core component, Big Bang package or community package, always reference the documentation for the component or package in question. Information specific to any given component or package is outside the scope of this documentation.