Every Kubernetes pod has an IP address in the pod network that is reachable within the cluster. The system uses the weave-net
plugin for inter-node communication.
All services with a REST API must be accessed from outside the cluster using the Istio Ingress Gateway. This gateway can be accessed using a URL in the following format:
https://api.SYSTEM-NAME_DOMAIN-NAME
The API requests then get routed to the appropriate node running that service.
All services running inside the cluster can access each other using their pod IP address or the service’s cluster IP address, along with the service’s exposed port. The exception to this is a service that has a Cray REST API. These services are configured such that they must be accessed through the API gateway service.
Kubernetes supports network policies to limit access to pods. Therefore, services running inside the cluster generally cannot access each other using their pod IP address
or the service’s cluster IP address. Any other services that must be accessed through a protocol other than REST, can do so using the cluster VIP and the service’s NodePort
.
Only services that are configured to expose a NodePort
or ExternalIP
can be accessed from outside the cluster.
As part of the SMS installation, the following network policies are configured on the system:
keycloak-database
: Allows only keycloak
to access the keycloak
Postgres instancesma-zookeeper
: Allows only Apache Kafka to access the SMA Zookeeper instancesma-postgres
: Allows only Grafana to access the SMA Postgres instancehms-mariadb
: Allows only SMD to access the MariaDB
instancehms-badger
: Allows only badger services to access the badger Postgres instanceapi-gateway-database
: Allows only the API gateway to access the API gateway Postgres instanceapi-gateway-upstream
: Allows only the API gateway to access the upstream servicesvcs-database
: Allows only Gitea to access the VCS instanceTo learn more about Kubernetes, refer to https://kubernetes.io/.