Deploying the Network Policy

Ensure that only authorized clients (such as the ISV frontend and inference container) can access the AI-VAULT service. The following is an example network policy that restricts access to AI-VAULT. You can modify it to match your security and network configuration requirements. Note that a NetworkPolicy is enforced only when the cluster's network plugin (CNI) supports NetworkPolicy; on a cluster whose plugin does not, the object is created but has no effect.

  1. Create a YAML file to configure a network policy. For details, see the following configuration example. In this policy, port 8180 of the AI-VAULT pods (the pods labeled app: ai-vault in the mindx namespace) accepts TCP connections only from pods labeled app: apigw that run in a namespace labeled name: mindx. Both conditions must hold, because namespaceSelector and podSelector appear in the same from entry; if they were written as two separate entries, either one matching would be enough. The label names and values can be customized, but the namespace itself must carry the name: mindx label (for example, kubectl label namespace mindx name=mindx), otherwise no traffic matches the rule. Because policyTypes lists only Ingress, egress traffic from AI-VAULT is not restricted by this policy; once a pod is selected by a policy, every ingress connection not explicitly allowed is denied.
    Run the vi ai-vault-network-policy.yaml command to create the file, enter the following content, and run the :wq command to save the file.
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: ai-vault-network-policy
      namespace: mindx
    spec:
      podSelector:
        matchLabels:
          app: ai-vault
      policyTypes:
      - Ingress
      ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                name: mindx
            podSelector:
              matchLabels:
                app: apigw
          ports:
            - protocol: TCP
              port: 8180
  2. Run the kubectl apply command to enable the configuration.
    kubectl apply -f ai-vault-network-policy.yaml
  3. Run the kubectl get networkpolicy command to confirm that the policy object was created. This shows only that the API object exists; to confirm that it is enforced, test a connection to port 8180 from a pod the policy allows (an apigw pod in the mindx namespace) and from one it does not (for example, a pod without the app: apigw label).
    kubectl get networkpolicy -n mindx
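The following is an added, offline example (not part of AI-VAULT, MindX or Kubernetes) that models the ingress semantics the policy above relies on: selectors in one from entry are ANDed, separate entries are ORed, a podSelector without a namespaceSelector only covers the policy's own namespace, and absent from or ports means "anything". It evaluates the page's policy next to a mis-indented variant against constructed sources. It assumes matchLabels-only selectors, no ipBlock peers, that the target pod is selected by spec.podSelector, and that no other policy applies; the source pods and the LOOSE_POLICY variant are constructed for illustration.

```python
"""Offline evaluator for NetworkPolicy ingress rules (matchLabels only).

Added example for this page; not part of AI-VAULT, MindX or Kubernetes.
Assumptions: matchExpressions and ipBlock peers are not modelled, and the
target pod is assumed to be selected by spec.podSelector.
"""
import copy
from typing import Optional

# Constructed copy of the page's manifest, in the JSON form kubectl submits.
AI_VAULT_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "ai-vault-network-policy", "namespace": "mindx"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "ai-vault"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{  # ONE peer: namespace label AND pod label must both match
                "namespaceSelector": {"matchLabels": {"name": "mindx"}},
                "podSelector": {"matchLabels": {"app": "apigw"}},
            }],
            "ports": [{"protocol": "TCP", "port": 8180}],
        }],
    },
}

# Constructed mistake: a stray "- " before podSelector splits the peer in two;
# Kubernetes ORs separate peers, so every pod in the mindx namespace gets in.
LOOSE_POLICY = copy.deepcopy(AI_VAULT_POLICY)
LOOSE_POLICY["spec"]["ingress"][0]["from"] = [
    {"namespaceSelector": {"matchLabels": {"name": "mindx"}}},
    {"podSelector": {"matchLabels": {"app": "apigw"}}},
]

# Constructed connection sources: (source namespace, namespace labels, pod labels).
APIGW_IN_MINDX = ("mindx", {"name": "mindx"}, {"app": "apigw"})
FRONTEND_IN_MINDX = ("mindx", {"name": "mindx"}, {"app": "frontend"})
APIGW_IN_DEFAULT = ("default", {"name": "default"}, {"app": "apigw"})
APIGW_IN_UNLABELLED_MINDX = ("mindx", {}, {"app": "apigw"})  # namespace label missing


def selector_matches(selector: Optional[dict], labels: dict) -> bool:
    """None = field absent (never matches); {} or empty matchLabels = select all."""
    if selector is None:
        return False
    wanted = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_allows(peer: dict, policy_ns: str, src) -> bool:
    src_ns, src_ns_labels, src_pod_labels = src
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None and pod_sel is not None:  # both in one peer: AND
        return selector_matches(ns_sel, src_ns_labels) and selector_matches(pod_sel, src_pod_labels)
    if ns_sel is not None:  # namespace only: any pod in a matching namespace
        return selector_matches(ns_sel, src_ns_labels)
    if pod_sel is not None:  # pod only: matching pods in the policy's own namespace
        return src_ns == policy_ns and selector_matches(pod_sel, src_pod_labels)
    return False  # ipBlock peers are out of scope for this model (assumption)


def port_allows(rule: dict, protocol: str, port: int) -> bool:
    ports = rule.get("ports")
    if not ports:  # absent or empty: every port
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(policy: dict, src, protocol: str = "TCP", port: int = 8180) -> bool:
    """Would this policy let src reach a pod it selects on protocol/port?"""
    spec = policy["spec"]
    # policyTypes omitted means Ingress applies; listing only Egress leaves ingress open.
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True
    policy_ns = policy["metadata"]["namespace"]
    for rule in spec.get("ingress", []):
        if not port_allows(rule, protocol, port):
            continue
        peers = rule.get("from")
        if not peers:  # absent or empty from: any source
            return True
        if any(peer_allows(p, policy_ns, src) for p in peers):
            return True
    return False  # pod is selected and nothing matched: default deny


if __name__ == "__main__":
    for name, src in [("apigw in mindx", APIGW_IN_MINDX), ("frontend in mindx", FRONTEND_IN_MINDX),
                      ("apigw in default", APIGW_IN_DEFAULT), ("apigw, ns unlabelled", APIGW_IN_UNLABELLED_MINDX)]:
        print(f"{name:22} strict={ingress_allowed(AI_VAULT_POLICY, src)!s:5} "
              f"loose={ingress_allowed(LOOSE_POLICY, src)}")
```

Run it as a script to see both policies side by side: the page's policy admits only the apigw pod in a namespace labeled name: mindx and rejects the same pod when the namespace label is missing, while the mis-indented variant admits every pod in mindx. The same check is worth running against your own edited manifest before applying it.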