I wrote a big article about Kubernetes here, which covers a lot of aspects of working with Kubernetes.
One more article in the Kubernetes context was about the Service Mesh pattern.
It is time to write a third article: one that covers the native Kubernetes features that let us secure network interactions between our applications and services in K8s.
Basics of Network Policy
Network Policy is designed to manage traffic between pods in a Kubernetes cluster. It is enforced by the CNI plugin, so on a CNI that does not implement it (for example a bare default install of some clusters) a NetworkPolicy object is accepted by the API server but has no effect; check your CNI before relying on it.
By default (if no policies exist in a namespace), K8s allows all pod-to-pod connections within the cluster.
As soon as a pod is selected by at least one policy, that pod becomes isolated for the directions the policy lists in policyTypes: in those directions only the traffic explicitly allowed by the union of all policies selecting the pod is permitted, everything else is dropped. Pods that no policy selects keep the allow-all behaviour. Policies are purely additive; there is no ordering, no precedence and no way for one policy to override another.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-app-network-policy
  namespace: meetup-service-mesh-raw-k8s
spec:
  podSelector:
    matchLabels:
      app: test-app-op-plus
      version: v1
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: test-app-bff
    ports:
    - protocol: TCP
      port: 8080
In this example I defined a rule only for ingress traffic, applied to the pods labelled app: test-app-op-plus and version: v1 in the namespace meetup-service-mesh-raw-k8s.
Those pods accept incoming connections only from pods in the same namespace labelled role: test-app-bff, and only on TCP port 8080 (a podSelector in a from entry without a namespaceSelector matches pods in the policy's own namespace). Any other inbound connection to them is dropped. Their outgoing traffic is not affected, because Egress is not listed in policyTypes.
The podSelector section defines which pods the policy applies to (the target pods). An empty podSelector ({}) selects every pod in the namespace. A policy only ever applies to pods in the namespace where it is created; it never spans namespaces.
policyTypes is the second important section. It can contain Ingress, Egress, or both, and tells Kubernetes which directions this policy restricts for the selected pods. If you omit it, it defaults to Ingress, plus Egress only when the policy has an egress section. So a policy with podSelector: {} and no policyTypes is a default-deny for ingress only, not for egress; write policyTypes explicitly to avoid that surprise.
Ingress here is not the Ingress resource handled by an Ingress Controller. That is a different thing. In network policies Ingress and Egress describe the direction of pod traffic:
Ingress - incoming traffic to the pods selected above.
Egress - outgoing traffic from the pods selected above.
It is very important to remember this.
Network Policy selects endpoints by pod labels (and, with ipBlock, by CIDR), never by Service. A Service is only a virtual IP: when pod_A connects to service_B, the ClusterIP is translated (DNAT) to the address of one of the backing pods before the policy is evaluated. So for a path like
pod_A -> service_B -> pod_B
the policy must be written in terms of the pods, pod_A -> pod_B, without the Service or its IP, and the port in the rule is the container port of pod_B (the Service's targetPort), not the Service port. If pod_A is itself selected by an Egress policy, that policy must allow the connection to pod_B too, because both sides are evaluated.
This is a common source of confusion, errors and misconfiguration: a rule that names the Service port, or that tries to match the Service IP, simply never matches and the traffic is dropped.
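As an added example that is not part of the original article, here is the pod_A -> service_B -> pod_B case written out. The namespace demo, the labels app: pod-a and app: pod-b, the Service name and the ports are assumptions for illustration. The first policy is the common mistake (it uses the Service port), the second is the working version.

```yaml
# Added example, not from the original article. Names, labels and ports
# (namespace "demo", app: pod-a / app: pod-b, 80 -> 8080) are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: service-b
  namespace: demo
spec:
  selector:
    app: pod-b
  ports:
  - port: 80          # what pod_A connects to via the ClusterIP
    targetPort: 8080  # what the container in pod_B actually listens on
---
# WRONG: matches the Service port. By the time the policy is evaluated the
# ClusterIP:80 has already been DNATed to pod_B:8080, so this rule never
# matches and pod_A's connections are dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pod-b-allow-from-pod-a-wrong
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: pod-b
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: pod-a
    ports:
    - protocol: TCP
      port: 80
---
# CORRECT: pod -> pod, using the container port (the Service's targetPort).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pod-b-allow-from-pod-a
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: pod-b
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: pod-a
    ports:
    - protocol: TCP
      port: 8080
```

Apply only the second policy; the first is shown for comparison (applying both would simply allow the union, 80 and 8080, and 80 would still never match). If pod_A is also selected by an Egress policy, that policy needs a matching rule allowing TCP 8080 to app: pod-b, plus DNS, since pod_A resolves service-b by name.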
Ingress rules are defined in the ingress: section, egress rules in the egress: section.
Examples
Select all pods
podSelector: {}
- means all pods in the namespace.
Block all traffic
There are no "deny" rules in Network Policy. The same effect is reached with a policy that selects all pods, lists the policy type, and contains no allow rules for it:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
# https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
# https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-egress-traffic
Allow all traffic
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress
# https://kubernetes.io/docs/concepts/services-networking/network-policies/#allow-all-ingress-traffic
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress
spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress
# https://kubernetes.io/docs/concepts/services-networking/network-policies/#allow-all-egress-traffic
Namespaces and Network Policy
The peers in a rule (the from: and to: entries) can be selected from:
- the policy's own namespace (a podSelector alone)
- a different namespace from the target pods (a namespaceSelector, optionally combined with a podSelector in the same entry)
- multiple namespaces in one selector (a namespaceSelector using matchExpressions, or a label shared by those namespaces)
The policy itself always lives in the target pods' namespace; the selectors only choose where the peers come from. Be careful with list structure: one entry containing both namespaceSelector and podSelector means "those pods in those namespaces" (AND), while two separate entries mean "any pod in those namespaces, plus those pods in the local namespace" (OR).
This lets us configure interactions between pods in different namespaces, or block all communication and isolate namespaces from each other.
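An added example, not from the original article, showing the AND versus OR difference above. The namespaces backend, frontend and mobile, and the labels app: api and app: web, are assumptions for illustration. The kubernetes.io/metadata.name label is set automatically on every namespace since Kubernetes 1.22, which makes it a reliable way to select namespaces by name.

```yaml
# Added example, not from the original article. Namespace names and app labels
# are assumptions for illustration.
#
# Pods labelled app: api in "backend" accept traffic only from pods labelled
# app: web that run in the namespaces "frontend" or "mobile".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-web-from-frontend-namespaces
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    # ONE list item with both selectors: they are ANDed.
    - namespaceSelector:
        matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values:
          - frontend
          - mobile
      podSelector:
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 8080
---
# Same selectors written as TWO list items. Items in "from" are ORed, so this
# allows every pod in "frontend" and "mobile" (any label), plus every pod
# labelled app: web in the policy's own namespace "backend". Almost never
# what was intended; the only difference is the dash in front of podSelector.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-web-from-frontend-namespaces-too-broad
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: In
          values:
          - frontend
          - mobile
    - podSelector:
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 8080
```

A quick way to catch the second form in review is to run kubectl describe networkpolicy on it: the too-broad version prints the NamespaceSelector and PodSelector as two separate "From" peers, the intended one prints them together in a single peer.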
Egress and DNS
When a pod is selected by a policy with Egress in policyTypes, all of its outgoing traffic is dropped except what the egress rules allow. That includes DNS queries to CoreDNS (kube-dns), which is how pods resolve Service names, so a pod whose egress policy forgets DNS cannot reach anything by name even when the policy allows the destination pods. Nothing is allowed implicitly; DNS has to be allowed explicitly, on both UDP and TCP port 53 (resolvers fall back to TCP for truncated responses):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  policyTypes:
  - Egress
  egress:
  # application traffic: the postgres pods in this namespace, any port
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  # DNS: a rule with ports but no "to" matches every destination
  - ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
Some materials
Network Policies
An introduction to Kubernetes network policies for security specialists (original title in Russian: Введение в сетевые политики Kubernetes для специалистов по безопасности)