Configure Network Policies

Determine how groups of pods are allowed to communicate with each other and with other network endpoints. You can modify the network policies for these MATLAB® Online Server™ services running inside a Kubernetes® cluster:

  • authnz (authentication)

  • core-ui (UI-related files)

  • gateway (proxies the requests to the appropriate resource)

  • MATLAB Pool (remote MATLAB resources)

  • resource (acquires the MATLAB resource for the user)

This topic describes how to enable network policies and customize rules for providing communication with external systems, for example, LDAP, databases, and other internal services.

Prerequisites

Before you begin, make sure you have completed the following tasks:

  • Install and then configure MATLAB Online Server. See Single Machine Installation.

  • Familiarize yourself with Kubernetes network policies. See Network Policies at kubernetes.io.

  • Create a Kubernetes cluster with a network policy provider (plugin) installed. Without one, NetworkPolicy objects are accepted by the API server but not enforced.

    • If you have a Kubernetes cluster that was created using mosadm bootstrap-node, then Kube-Router is preconfigured as the network policy provider.

    • If you have a managed Kubernetes cluster (either from a cloud provider or a custom in-house Kubernetes cluster), you must install and then validate a network policy provider before following the instructions in this section. If you need to, refer to Install a Network Policy Provider at kubernetes.io, and make sure that the instructions you follow align with the Kubernetes version you are using.

    • If you are already using a network policy provider, then you can proceed without any further setup.

Network Policy Configuration Workflow

Securing network connections revolves around defining egress and ingress rules. For a Kubernetes pod:

  • Ingress refers to incoming connections to the pod.

  • Egress refers to outgoing connections from the pod.

Kubernetes network policies are allow lists. You create "allow" rules for ingress and egress independently (a policy can govern egress, ingress, or both), and once a policy selects a pod for a direction, every connection in that direction that no rule allows is denied. An egress override that omits a port the service still needs (DNS on port 53, for example) therefore breaks that service rather than merely narrowing it.

This topic focuses on customizing egress rules. If you have use cases to customize the ingress rules, contact MathWorks Support.

To customize the egress rules for a service, follow this workflow.

  1. Open the YAML override file for the service:

    <server-root>/overrides/<cluster-name>/<namespace-name>/<service-name>.yaml

    The YAML file you need to update depends on the service or deployment you are enabling communication with.

  2. Open the default egress policy for the service:

    <server-root>/charts/<service-name>-chart/values.yaml

  3. Copy the networkPolicy field from the values.yaml file into the overrides/.../<service-name>.yaml file.

    Because egress is a list, Helm does not merge it with the default: any egress rules defined in <service-name>.yaml replace all of the default rules from values.yaml. If you write your own egress rules without first copying the default networkPolicy field into the override file, the default egress rules for that service instance no longer apply, and defaults the service still depends on (such as DNS on port 53) are lost.

    Note

    For the MATLAB Pool service only, you can allow additional ports and egress rules without having to override the default network policy. For more details, see Allow Additional Ports and Egress.

  4. In the egress subfield of networkPolicy, customize the egress rules based on your network policy.

    • For more details on network policies you can update, see the examples in this topic.

    • For more advanced customizations of egress rules not covered in the examples, see Network Policies in the Kubernetes documentation.

  5. Redeploy MATLAB Online Server by using the mosadm command.

    ./mosadm undeploy
    ./mosadm deploy
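To see why step 3 matters, here is an added example (not part of MATLAB Online Server or its Helm charts) that reimplements the rule by which Helm coalesces an override file onto a chart's values.yaml: nested maps merge key by key, while lists and scalars in the override replace the default outright. The default policy and both overrides are constructed stand-ins that mirror the shape of the authnz policy; the port 636 rule is assumed.

```python
"""Why an override's egress list replaces, rather than extends, the chart default.

Minimal reimplementation of Helm's value coalescing (maps merge, lists and
scalars replace), applied to a constructed default policy and two overrides.
"""
from copy import deepcopy


def coalesce(defaults: dict, override: dict) -> dict:
    """Merge override onto defaults the way Helm merges values files:
    dict keys merge recursively; anything else in the override wins."""
    result = deepcopy(defaults)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = coalesce(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def allowed_ports(values: dict) -> set:
    """Flatten the (port, protocol) pairs the rendered egress rules allow."""
    pairs = set()
    for rule in values.get("networkPolicy", {}).get("egress", []):
        for p in rule.get("ports", []):
            pairs.add((p["port"], p.get("protocol", "TCP")))
    return pairs


# Constructed stand-in for the chart's default values.yaml (DNS + HTTPS only).
DEFAULT_VALUES = {
    "networkPolicy": {
        "enabled": True,
        "egress": [
            {"ports": [
                {"port": 53, "protocol": "TCP"},
                {"port": 53, "protocol": "UDP"},
                {"port": 443, "protocol": "TCP"},
            ]}
        ],
    }
}

# Override that only adds an LDAPS rule (assumed), without copying the defaults first.
PARTIAL_OVERRIDE = {
    "networkPolicy": {
        "egress": [{"ports": [{"port": 636, "protocol": "TCP"}]}]
    }
}

# Override built as the workflow says: copy the default block, then extend it.
FULL_OVERRIDE = deepcopy(DEFAULT_VALUES)
FULL_OVERRIDE["networkPolicy"]["egress"][0]["ports"].append(
    {"port": 636, "protocol": "TCP"})


def lost_defaults(override: dict) -> set:
    """Default (port, protocol) pairs that disappear once this override is applied."""
    merged = coalesce(DEFAULT_VALUES, override)
    return allowed_ports(DEFAULT_VALUES) - allowed_ports(merged)


if __name__ == "__main__":
    # The partial override silently drops DNS and HTTPS; the full one keeps them.
    print("partial override drops:", sorted(lost_defaults(PARTIAL_OVERRIDE)))
    print("full override drops:   ", sorted(lost_defaults(FULL_OVERRIDE)))
```

Run this against your own override by replacing the constructed dictionaries with the parsed values.yaml and override file; any pair reported as lost is a default rule you forgot to copy.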

Enable and Disable Network Policies

Network policies are enabled by default for all services and deployments.

To enable (true) or disable (false) the network policy for a service, make the following YAML configuration part of the override for that service:

networkPolicy:
  enabled: true

To apply the setting to every service at once, put the same configuration in all.yaml instead. Setting enabled to false removes the egress restrictions for the affected pods entirely, so disable a policy only for troubleshooting and re-enable it afterward.

Allow Additional Ports and Egress

To allow outgoing connections to additional ports, add the port number and optional protocol to the ports field (protocol defaults to TCP when omitted). For example:

networkPolicy:
  enabled: true
  egress:
    - ports:
      - port: 1433
        protocol: "TCP"
      - port: 1433
        protocol: "UDP"

For the MATLAB Pool service only, you can allow connections to ports in addition to the ones listed in the default policy, without overriding that policy. In the networkPolicy field, uncomment the additionalAllowedPorts section and specify the additional ports and optional protocols allowed. For example:

networkPolicy:
  enabled: true
  additionalAllowedPorts:
    - port: 1433
      protocol: "TCP"
    - port: 1433
      protocol: "UDP"

You can also specify additional egress rules for the MATLAB Pool service. In the networkPolicy field, uncomment the additionalEgress section and specify the additional rules. For example:

networkPolicy:
  enabled: true
  additionalEgress:
    - to:
      - podSelector:
          matchLabels:
            name: "myapp-api"
            app: "myapp"

Block IP Addresses

To block outgoing communication to certain IP addresses, add the addresses to block to the except field of an ipBlock peer. For example:

networkPolicy:
  enabled: true
  egress:
    - to:
      - ipBlock:
          cidr: "0.0.0.0/0"
          except:
            - 169.254.169.0/24
            - 192.168.0.0/24

A rule with a to field but no ports field allows every port to the remaining addresses, so combine the ipBlock with the ports list the service actually needs, as in the database example later in this topic. The except ranges are subtracted only from this rule's cidr; a second egress rule without an ipBlock would allow those addresses again.

Integrate with Databases

Database Toolbox™ provides functions and an app for exchanging data with relational and nonrelational databases. The toolbox enables this exchange by automatically converting between database and MATLAB data types.

Database Toolbox (on Linux®) supports any JDBC-compliant relational database, as well as NoSQL databases including Cassandra®, MongoDB®, and Neo4j®.

For instructions on connecting to a database using MATLAB, see the Database Toolbox documentation in the Help Center.

Databases expose a port to communicate with JDBC-compliant clients, such as MATLAB. For clients to communicate with the database server, you must customize both the firewall and the network policy to open that port. Customize the network policy in the matlab-pool.yaml override file:

<server-root>/overrides/<cluster-name>/<namespace-name>/matlab-pool.yaml

For example, suppose you want to enable communication between MATLAB and a MySQL database server with these details:

  • Server: mysql.company.com

  • JDBC port: 3306 (the MySQL default)

For MATLAB to communicate with the database server, the policy must allow access to the following ports:

  • 53 – mysql.company.com needs a DNS lookup

  • 3306 – JDBC client (MATLAB) needs to communicate with the JDBC server (database)

The overall network policy configuration is specified as shown:

networkPolicy:
  enabled: true
  egress:
    - to:
      - ipBlock:
          cidr: "0.0.0.0/0"
          except:
            - 169.254.169.0/24
      ports:
      # allow dns access
      - port: 53
        protocol: "TCP"
      - port: 53
        protocol: "UDP"
      # allow standard http/https port access
      - port: 80
        protocol: "TCP"
      - port: 443
        protocol: "TCP"
      # allow access to MathWorks License Manager server port
      - port: 27000
        protocol: "TCP"
      - port: 27001
        protocol: "TCP"
      # allow access on a variety of nfs related ports
      - port: 111
        protocol: "UDP"
      - port: 111
        protocol: "TCP"
      - port: 612
        protocol: "UDP"
      - port: 2049
        protocol: "TCP"
      - port: 2049
        protocol: "UDP"
      - port: 20048
        protocol: "UDP"
      - port: 20048
        protocol: "TCP"
      - port: 33668
        protocol: "UDP"
      - port: 33743
        protocol: "TCP"
      - port: 38494
        protocol: "UDP"
      - port: 36663
        protocol: "TCP"
      - port: 38494
        protocol: "UDP"
      - port: 40051
        protocol: "TCP"
      - port: 52241
        protocol: "TCP"
      - port: 3306
        protocol: "TCP"

For more details, see Integrate MATLAB Online Server with Database Toolbox.
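The following added example (not part of the product or its charts) dry-checks an egress block before you redeploy. It covers both the except handling from Block IP Addresses and the port list from the database example above, applying the NetworkPolicy matching rules to constructed destinations: a connection is allowed if any egress rule matches, a rule with no to field matches every peer, a rule with no ports field matches every port, and an ipBlock matches when the address is inside cidr and outside every except range. The IP addresses, including the one standing in for mysql.company.com, are assumed, and pod-selector peers are not evaluated because they need the live cluster's labels.

```python
"""Dry-check a networkPolicy.egress block against sample destinations."""
import ipaddress


def ip_block_matches(block: dict, ip: str) -> bool:
    """True if ip is inside block['cidr'] and outside all block['except'] ranges."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(c, strict=False)
                   for c in block.get("except", []))


def peer_matches(rule: dict, ip: str) -> bool:
    """Only ipBlock peers are evaluated here; podSelector/namespaceSelector
    peers need the live cluster's labels and are treated as no match."""
    peers = rule.get("to")
    if not peers:          # no 'to' field: the rule matches every destination
        return True
    return any("ipBlock" in p and ip_block_matches(p["ipBlock"], ip) for p in peers)


def port_matches(rule: dict, port: int, proto: str) -> bool:
    ports = rule.get("ports")
    if not ports:          # no 'ports' field: the rule matches every port
        return True
    return any(p["port"] == port and p.get("protocol", "TCP").upper() == proto.upper()
               for p in ports)


def egress_allowed(policy: dict, ip: str, port: int, proto: str = "TCP") -> bool:
    """Kubernetes ORs the egress rules: one matching rule is enough."""
    if not policy.get("enabled", True):
        return True        # assumption: enabled=false renders no policy, so no restriction
    return any(peer_matches(r, ip) and port_matches(r, port, proto)
               for r in policy.get("egress", []))


# Constructed matlab-pool override: the MySQL example reduced to DNS, HTTPS
# and port 3306, with the cloud metadata range excluded.
MATLAB_POOL_POLICY = {
    "enabled": True,
    "egress": [{
        "to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["169.254.169.0/24"]}}],
        "ports": [
            {"port": 53, "protocol": "TCP"},
            {"port": 53, "protocol": "UDP"},
            {"port": 443, "protocol": "TCP"},
            {"port": 3306, "protocol": "TCP"},
        ],
    }],
}

# Constructed destinations (all addresses assumed) with the outcome to expect.
CHECKS = [
    ("10.20.30.40", 3306, "TCP"),    # stand-in for mysql.company.com: allowed
    ("10.0.0.10", 53, "UDP"),        # cluster DNS: allowed
    ("169.254.169.254", 80, "TCP"),  # EC2 metadata endpoint: blocked by except
    ("10.20.30.40", 5432, "TCP"),    # PostgreSQL port not in the list: denied
]


def run_checks(policy: dict = MATLAB_POOL_POLICY) -> dict:
    """Map 'ip:port/proto' to the allow/deny verdict for each check."""
    return {f"{ip}:{port}/{proto}": egress_allowed(policy, ip, port, proto)
            for ip, port, proto in CHECKS}


if __name__ == "__main__":
    for dest, ok in run_checks().items():
        print(f"{dest:28} {'ALLOW' if ok else 'DENY'}")
```

Feed the egress block of your own override into egress_allowed with the resolved address of the database, the cluster DNS address, and the metadata endpoint; a DENY on a destination the service needs, or an ALLOW on the metadata endpoint, is cheaper to find here than after ./mosadm deploy.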

Enable Communication with Internal LDAP Server

Lightweight Directory Access Protocol (LDAP) is an open, cross-platform protocol for querying and maintaining directory information, such as user accounts and group memberships, over a network.

authnz is the service in MATLAB Online Server that is responsible for communicating with the LDAP server to authenticate the user.

Suppose the LDAP server has these details:

  • Server: myldap.company.com

  • LDAP port: 343

  • LDAPS port: 643

  • Override file: authnz.yaml

For authnz to communicate with the LDAP server, the policy must allow access to the following ports:

  • 53 – myldap.company.com needs a DNS lookup

  • 343, 643 – authnz needs to bind to the LDAP server. These are the ports of this example server; the standard LDAP and LDAPS ports are 389 and 636, so use the values that match your server.

Because the override replaces the default egress rules, retain any default rules the service still needs (for the Redis ports, see Default authnz Network Policies). The overall network policy configuration is specified as shown:

networkPolicy:
  egress:
    - ports:
      # allow dns access
      - port: 53
        protocol: "TCP"
      - port: 53
        protocol: "UDP"
      # allow standard http/https port access
      - port: 80
        protocol: "TCP"
      - port: 443
        protocol: "TCP"
      # allow ldap(s) access on this server's ports
      - port: 343
        protocol: "TCP"
      - port: 643
        protocol: "TCP"
      # retain redis master/replicas and sentinel access from the default policy
      - port: 6379
        protocol: "TCP"
      - port: 26379
        protocol: "TCP"
See LDAP Authentication in MATLAB Online Server for more details.

Integrate with External Web Services

The MATLAB RESTful web services functions webread, websave, webwrite, and weboptions let you access many web services using HTTP GET and POST methods without writing low-level HTTP code. However, some interactions with a web service are more complex and require functionality not supported by the RESTful web services functions. Use the HTTP interface classes for writing customized web access applications.

For more information on web access using MATLAB, see the MATLAB documentation in the Help Center.

These web services also expose a port (typically 80 or 443) to communicate with clients, such as MATLAB. For clients to communicate with these services, you must customize both the firewall and the network policy to open that port. Update the network policy in the matlab-pool.yaml override file:

<server-root>/overrides/<cluster-name>/<namespace-name>/matlab-pool.yaml

For more details on configuring MATLAB network communication, see Configure MATLAB in MATLAB Online Server.

View Default Network Policies

The preferred method of customizing network policies is to update the overrides/.../<service-name>.yaml files. However, when overriding egress rules, it is recommended that you view the existing network policies and copy over any policies that still apply.

Default authnz Network Policies

The authnz microservice has the following default egress rules defined in <server-root>/charts/authnz-chart/values.yaml:

networkPolicy:
  egress:
    - ports:
      # allow dns access
      - port: 53
        protocol: "TCP"
      - port: 53
        protocol: "UDP"
      # allow standard http/https port access
      - port: 80
        protocol: "TCP"
      - port: 443
        protocol: "TCP"
      # allow standard ldap(s) port access
      - port: 389
        protocol: "TCP"
      - port: 636
        protocol: "TCP"
      # allow redis master/replicas
      - port: 6379
        protocol: "TCP"
      # allow redis sentinel
      - port: 26379
        protocol: "TCP"

As specified by this default policy, the authnz microservice can talk to the following ports:

  • 53 – Used to make DNS lookups

  • 80, 443 – Used to communicate with other HTTP(s) services (for example, http(s)://www.mathworks.com)

  • 389, 636 – Used to communicate with the LDAP(s) server (for example, ldap://ldap-host:389)

  • 6379, 26379 – Used to communicate with the Redis™ master/replica and Redis Sentinel services

Default MATLAB Pool Network Policies

The MATLAB Pool microservice has the following default egress rules defined in <server-root>/charts/matlab-pool-chart/values.yaml:

defaultNetworkPolicy:
  egress:
    - to:
      - ipBlock:
          cidr: "0.0.0.0/0"
          except:
            - 169.254.169.0/24
      ports:
      # allow dns access
      - port: 53
        protocol: "TCP"
      - port: 53
        protocol: "UDP"
      # allow standard http/https port access
      - port: 80
        protocol: "TCP"
      - port: 443
        protocol: "TCP"
      # allow access to the flexlm server port
      - port: 27000
        protocol: "TCP"
      - port: 27001
        protocol: "TCP"
      # allow access on a variety of nfs related ports
      - port: 111
        protocol: "UDP"
      - port: 111
        protocol: "TCP"
      - port: 612
        protocol: "UDP"
      - port: 2049
        protocol: "TCP"
      - port: 2049
        protocol: "UDP"
      - port: 20048
        protocol: "UDP"
      - port: 20048
        protocol: "TCP"
      - port: 33668
        protocol: "UDP"
      - port: 33743
        protocol: "TCP"
      - port: 38494
        protocol: "UDP"
      - port: 36663
        protocol: "TCP"
      - port: 38494
        protocol: "UDP"
      - port: 40051
        protocol: "TCP"
      - port: 52241
        protocol: "UDP"

As specified in this default policy, MATLAB can talk to the following ports and IP addresses.

Ports:

  • 53 – Used to make DNS lookups

  • 80, 443 – Used to communicate with other HTTP(s) services (for example, http(s)://www.mathworks.com)

  • 27000, 27001 – Used to communicate with the network license manager for checking out MATLAB licenses

    • These ports are controlled by license.dat.

    • See Resolve License Service Issues for information on how to make sure these ports are fixed in the license file.

  • 111, 612, 2049, 20048, 33668, 33743, 36663, 38494, 40051, 52241 – Used for communicating with the NFS server

    • Apart from 111 (rpcbind) and 2049 (nfs), these are not fixed standard ports: the ports used by mountd, statd, and lockd are assigned dynamically unless the NFS server pins them, so their actual values vary based on the internal NFS configuration. Pin them on the NFS server so that the policy does not break after a reboot.

    • To see the ports currently in use, run rpcinfo -p on the NFS server (ss -lntup or lsof -i also show the listening sockets).

IP addresses:

  • Allows access to all the IP addresses except the following range: 169.254.169.0/24

    • In this example, the IP range 169.254.169.0/24 is blocked to prohibit access to the Amazon EC2® instance metadata service at 169.254.169.254 (if the node is running on AWS®). Azure and Google Cloud serve instance metadata from the same address, so keep this exclusion on those platforms too; without it, code run in any MATLAB session could request the credentials of the node's instance role.
