Network Policies

Lens AppIQ enables Operators and Developers to enforce and apply network policies at the policy and application layer levels.

The guide below gives operators details on which policies are available and how to enforce them at the policy level.

Policy Level Network Policies

Operators can define network policies as one of the rules of any Policy. When doing so these will get applied to any application deployed on namespaces monitored by such a policy.


Discovered applications

It is important to mention, that these network constraints will be enforced only on apps deployed with our engine. Apps deployed outside of Lens AppIQ will be only evaluated against such rules, and their compliance state reported in our violation report

Even though network policies are applied at deployment time, operators can still give developers the autonomy to adjust these for individual applications post-deployment.

Network policies can be defined when creating or editing policies through the Lens AppIQ dashboard, in the Network Policy Setup option.

When defining network policies on Lens AppIQ, you will be able to define both ingress and egress.

Policy Modes

Lens AppIQ gives you flexibility on the policy modes that you can define when creating the policy and defining your network policies:

Each option is described below:

allow-allThere is no constraint whatsoever in the traffic incoming/outgoing to/from the application. All communication is permitted.
deny-allAll traffic incoming/outgoing the application is blocked. All communication is denied (no traffic can flow or reach the app).
allow-shipa-rules-onlySet of predefined policies built by Lens AppIQ to provide reasonable defaults to users to restrict the traffic of their applications. They intend to cover common use cases and can be combined depending upon the purpose:

traefik: Pre-defined policy based on k8 selectors (podSelectors/namespaceSelectors) that restricts the network traffic to flow through the ingress of the cluster only (a cluster using traefik as the ingress controller). Container-to-container communication is prohibited, and direct access from the “outside world” to the running containers of the apps is also restricted. The application is accessible through Lens AppIQ generated endpoint

istio: Same as the previous pre-defined policy, but oriented to allow traffic only through ingress using istio as the controller.

kube-dns: Pre-defined policy that allows applications to resolve DNS-like addresses when other constraints exist. For example, if the traffic is enabled only for specific apps/services and the subject app needs to reach the DNS of another app (i.e., it will need the ability to resolve the suggested DNS.

When the policy mode allow-shipa-rules-only is used, only Shipa’s predefined rules can be selected and combined between each other. Other customizations won’t be allowed
allow-custom-rules-onlyIt allows users to build their own network rules to have more granular control over which apps/services have access to their deployed app. The custom rules are the result of enabling:

- Traffic from/to other Lens Apps apps
- Traffic from/to other Lens Apps policies
- Traffic from/to specific IP addresses (CIDRs)
- Traffic from/to specific Ports (UDP/TCP)
- Traffic from/to other Kubernetes services/apps running out of Shipa based on podSelectors/namespaceSelectors (advanced users)
allow-rules-onlyPolicy mode that allows combining “custom rules” and Lens AppIQ “pre-defined rules” together. Another level of customization

Rule Configuration

Lens AppIQ gives you 4 levels of policy restrictions to be applied to applications when defining network rules:

  • Ports: the ports where your application can receive and send traffic through.
  • Peers: it enables you to implement selectors specified in an ingress from section or egress to section. Options are Pod Selector, Namespace Selector, and IP Block.

App Level Customization

When defining network policies at the policy level, you can either allow or block application owners to customize the network policies applied to their applications post-deployment.

This is available through the Allow app-level policies option.

If this option is selected, application owners will have the option to customize individual application-level network policies enabled for their applications post-deployment.