Common networking configuration issues
IBM Cloud® Security and Compliance Center Workload Protection provides a configuration page for administrators to fine-tune the way that the agent processes network data. The following are common configuration messages and how you can resolve the issues.
Namespaces without labels
Namespaces must be labeled for Kubernetes Network Policies (KNPs) to define ingress and egress rules.
If a namespace is not labeled, an error is displayed in the network security policy tool.
For example, if the kube-system namespace is missing labels, you get the following error message:
All communications are displayed as allowed because a policy can't be generated: you need to assign labels to this namespace.: kube-system
To resolve this issue, assign a label to the namespace. It will take a few minutes for the change to be detected by IBM Cloud Security and Compliance Center Workload Protection.
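The following script is an added example, not part of the IBM Cloud documentation or the Workload Protection agent. It parses the JSON that `kubectl get namespaces -o json` produces (the sample below is constructed, not from a real cluster), lists the namespaces that carry no labels, shows why such a namespace can never be selected by a Kubernetes Network Policy `namespaceSelector`, and prints the `kubectl label` command that resolves the message. The label key and value (`team=platform`) are assumptions chosen for the example.

```python
import json
import shlex

# Constructed sample of `kubectl get namespaces -o json` output (not real cluster data).
SAMPLE_NAMESPACES_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "default",
                      "labels": {"kubernetes.io/metadata.name": "default"}}},
        {"metadata": {"name": "kube-system"}},               # no labels key at all
        {"metadata": {"name": "monitoring", "labels": {}}},  # empty label map
        {"metadata": {"name": "payments",
                      "labels": {"team": "payments"}}},
    ],
})


def unlabeled_namespaces(kubectl_json):
    """Names of namespaces that carry no labels, sorted for stable output."""
    doc = json.loads(kubectl_json)
    return sorted(
        item["metadata"]["name"]
        for item in doc.get("items", [])
        if not item["metadata"].get("labels")
    )


def namespaces_selected_by(match_labels, kubectl_json):
    """Namespaces that a KNP namespaceSelector with these matchLabels would select.

    A namespace with no labels can only be matched by an empty selector (which
    selects every namespace); a selector with any key can never pick it, which is
    why no usable ingress/egress rule can be generated for it.
    """
    doc = json.loads(kubectl_json)
    selected = []
    for item in doc.get("items", []):
        labels = item["metadata"].get("labels") or {}
        if all(labels.get(k) == v for k, v in match_labels.items()):
            selected.append(item["metadata"]["name"])
    return sorted(selected)


def label_commands(names, key, value):
    """kubectl commands that add the missing label (key/value are assumptions)."""
    kv = shlex.quote(f"{key}={value}")
    return [f"kubectl label namespace {shlex.quote(n)} {kv}" for n in names]


if __name__ == "__main__":
    missing = unlabeled_namespaces(SAMPLE_NAMESPACES_JSON)
    print("namespaces without labels:", missing)
    print("selected by team=payments:",
          namespaces_selected_by({"team": "payments"}, SAMPLE_NAMESPACES_JSON))
    for cmd in label_commands(missing, "team", "platform"):
        print(cmd)
```

Run it against live output with `kubectl get namespaces -o json > ns.json` and pass the file contents to `unlabeled_namespaces`; after applying the printed commands, allow a few minutes for the agent to pick up the change, as the text above states.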
Cluster subnet is incomplete
To categorize unresolved IP addresses as being inside or outside a cluster, the agent needs to know the CIDR block ranges that belong to the cluster. By default, the agent looks at the kube-apiserver and kube-controller-manager processes.
If the cluster subnets cannot be discovered automatically, a message that the cluster subnet is incomplete is displayed in the network security policy tool.
To resolve this issue, configure CIDR block entries for your environment.
If configuring CIDR block entries for your environment doesn't resolve the issue, you might need to configure the agent to look for CIDR block ranges in other processes. Add the following to your agent configmap file:
network_topology:
  pod_prefix_for_cidr_retrieval:
    [<PROCESS_NAME>, <PROCESS_NAME>]
Where PROCESS_NAME is the name of the process to be searched.
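The following script is an added example, not code from IBM Cloud or the Workload Protection agent. It models what the section describes: CIDR ranges are pulled from the command lines of processes whose names match a list of prefixes, and any IP that falls outside the discovered ranges is treated as external. The process table is constructed; `--cluster-cidr` and `--service-cluster-ip-range` are real kube-controller-manager and kube-apiserver flags, but the page does not state which flags the agent parses, so using them is an assumption, as is the process name `controller-manager-custom`. The example also renders the `network_topology` configmap fragment shown above for a chosen list of prefixes.

```python
import ipaddress
import shlex

# Real control-plane flags that carry the pod and service ranges. Which flags the
# agent itself reads is not stated on the page, so this list is an assumption.
CIDR_FLAGS = ("--cluster-cidr", "--service-cluster-ip-range")

# Process prefixes the agent searches by default, per the page.
DEFAULT_PREFIXES = ("kube-apiserver", "kube-controller-manager")

# Constructed process table (not captured from a real cluster): process name -> command line.
# The controller manager here runs under a non-default name, so the default prefixes
# never see the pod range, which is the "cluster subnet is incomplete" situation.
SAMPLE_PROCESSES = {
    "kube-apiserver": (
        "kube-apiserver --advertise-address=10.0.0.4 "
        "--service-cluster-ip-range=172.21.0.0/16 --secure-port=6443"
    ),
    "controller-manager-custom": (
        "controller-manager-custom --cluster-cidr=172.30.0.0/16 "
        "--allocate-node-cidrs=true"
    ),
}


def discover_cluster_cidrs(processes, prefixes=DEFAULT_PREFIXES):
    """Collect CIDR blocks from the command lines of processes whose name starts
    with one of `prefixes`."""
    found = set()
    for name, cmdline in processes.items():
        if not name.startswith(tuple(prefixes)):
            continue
        for arg in shlex.split(cmdline):
            flag, sep, value = arg.partition("=")
            if sep and flag in CIDR_FLAGS:
                # Dual-stack clusters pass comma-separated ranges.
                for block in value.split(","):
                    found.add(ipaddress.ip_network(block.strip(), strict=False))
    return found


def classify_ip(ip, cluster_cidrs):
    """'cluster' if the address is inside a discovered range, otherwise 'external'."""
    addr = ipaddress.ip_address(ip)
    return "cluster" if any(addr in net for net in cluster_cidrs) else "external"


def render_network_topology(prefixes):
    """Render the agent configmap fragment from the page for the given prefixes."""
    return (
        "network_topology:\n"
        "  pod_prefix_for_cidr_retrieval:\n"
        f"    [{', '.join(prefixes)}]\n"
    )


if __name__ == "__main__":
    pod_ip = "172.30.5.9"

    incomplete = discover_cluster_cidrs(SAMPLE_PROCESSES)
    print("default discovery:", sorted(map(str, incomplete)))
    print(pod_ip, "->", classify_ip(pod_ip, incomplete))  # misclassified as external

    extended = DEFAULT_PREFIXES + ("controller-manager-custom",)
    complete = discover_cluster_cidrs(SAMPLE_PROCESSES, prefixes=extended)
    print("extended discovery:", sorted(map(str, complete)))
    print(pod_ip, "->", classify_ip(pod_ip, complete))    # now inside the cluster

    print(render_network_topology(extended))
```

The two `classify_ip` calls show the symptom the message is warning about: with only the service range known, traffic from a pod address is reported as coming from outside the cluster, so policies derived from that view would be wrong. Adding the extra prefix to `pod_prefix_for_cidr_retrieval` is what closes that gap.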