Kubernetes Security: Network Policies
Network policies are Kubernetes resources that control the traffic between pods and/or network endpoints. They use labels to select pods and specify, through rules, which traffic is allowed to and from those pods. They are only enforced by a network plugin (CNI) that implements them: in a cluster whose plugin does not, a NetworkPolicy object is accepted by the API server but has no effect.
The entities that a Pod can communicate with are identified through a combination of the following 3 identifiers:
- Other pods that are allowed (exception: a pod cannot block access to itself)
- Namespaces that are allowed
- IP blocks (exception: traffic to and from the node where a Pod is running is always allowed, regardless of the IP address of the Pod or the node).
NETWORK POLICIES IMPORTANT POINTS:
- Policies select pods by label, so pods must be labelled consistently to be covered; an empty podSelector ({}) is the only way to select every pod in a namespace.
- A pod is isolated for a direction as soon as any policy that selects it lists that direction in policyTypes. If that policy has no ingress/egress rules for the direction, it is deny all. Note the opposite case: a single empty rule (- {}) allows everything in that direction.
- Watch the leading dash. Separate list items under from/to are ORed (traffic matching any one item is allowed); a namespaceSelector and a podSelector written in the same list item are ANDed (the peer pod must match both). Within one rule, ports is ANDed with from/to.
- Best practice is to deny all incoming and outgoing traffic in the namespace by default, then open only what is required.
- Allow only the traffic your namespace's pods actually need, from explicitly selected peers and ports.
- Use egress policies to protect node metadata and endpoints, e.g. block pod access to the cloud provider's instance metadata service (169.254.169.254) and anything else on the node network the workload does not need.
NETWORK POLICY RESOURCE:
podSelector: Selects the pods in the policy's namespace that the policy applies to (for example, pods with the label role=db). An empty podSelector ({}) selects all pods in the namespace.
policyTypes: Each NetworkPolicy includes a policyTypes list which may include Ingress, Egress, or both. It indicates whether the policy applies to ingress traffic to the selected pods, egress traffic from the selected pods, or both. If no policyTypes are specified, Ingress is always set, and Egress is set only if the NetworkPolicy has any egress rules. A policy written with only egress rules and no policyTypes therefore also isolates ingress for the selected pods (deny all inbound); set policyTypes explicitly.
ingress: A list of allowed inbound rules. Each rule allows traffic that matches both its from (sources) and ports sections.
egress: A list of allowed outbound rules. Each rule allows traffic that matches both its to (destinations) and ports sections.
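The following manifest is an added example (not from the original notes) that puts the resource fields and the OR/AND and deny-by-default points above into one policy. The namespace "shop", the labels role=db, role=frontend, role=reporting and team=analytics, and the kube-dns pod label k8s-app=kube-dns are assumptions; the namespace label kubernetes.io/metadata.name is set automatically by Kubernetes.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-frontend       # assumed name
  namespace: shop               # assumed namespace
spec:
  # podSelector: which pods this policy applies to (every pod labelled role=db
  # in "shop"). "podSelector: {}" would select all pods in the namespace.
  podSelector:
    matchLabels:
      role: db
  # policyTypes: both directions are isolated for the selected pods, so any
  # traffic not allowed by a rule below is dropped. Unselected pods are unaffected.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # Peer 1: pods labelled role=frontend in the SAME namespace ...
        - podSelector:
            matchLabels:
              role: frontend
        # ... OR peer 2: pods labelled role=reporting in any namespace labelled
        # team=analytics. namespaceSelector and podSelector sit in ONE list item
        # (no "-" in front of podSelector), so both must match (AND).
        - namespaceSelector:
            matchLabels:
              team: analytics
          podSelector:
            matchLabels:
              role: reporting
      # "ports" is ANDed with "from": only TCP/5432 from the two peers above.
      ports:
        - protocol: TCP
          port: 5432
  egress:
    # The database only needs DNS. CoreDNS pods carry k8s-app=kube-dns in
    # kubeadm-built clusters (assumption; check your distribution's labels).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply it with kubectl apply -f and inspect the result with kubectl describe networkpolicy -n shop db-allow-frontend. The dangerous mistake to check for is an extra "-" in front of the second podSelector: that turns the AND into a third OR item, so any pod in a team=analytics namespace OR any role=reporting pod in "shop" would be allowed, silently widening the policy.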
# Allow all ingress traffic
If you want to allow all incoming connections to all pods in a namespace, you can create a policy that explicitly allows that: it selects all pods (empty podSelector) and contains a single empty ingress rule, which matches every source.
# Default deny all egress traffic
You can create a "default" egress isolation policy for a namespace by creating a NetworkPolicy that selects all pods, lists Egress in policyTypes and does not allow any egress traffic from those pods (no egress rules at all). Any later policy that selects the same pods adds to the allowed set, so the default deny is the baseline that other policies open up.
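The following multi-document manifest is an added example (not from the original notes). It contains the two namespace-wide policies just described, allow-all-ingress and default-deny-egress, plus a third policy that reopens egress to everything except the cloud instance metadata endpoint, which is the "protect node metadata" point from the list above. The namespace "shop" and the policy names are assumptions; 169.254.169.254 is the metadata address used by the major cloud providers.

```yaml
# Namespace-wide policies: "podSelector: {}" selects every pod in the namespace.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress          # assumed name
  namespace: shop                  # assumed namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - {}        # ONE empty rule matches every source: allow all ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Egress    # Egress is isolated but no "egress:" rules exist: deny all egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-except-metadata
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Policies are additive: this rule reopens the egress denied above for every
    # destination except the metadata service. "except" entries must lie inside
    # "cidr", which is why the cidr here is 0.0.0.0/0.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32   # cloud instance metadata service
```

Because ipBlock handling depends on the network plugin (some rewrite source or destination addresses), confirm enforcement from inside the namespace rather than trusting the manifest, for example with kubectl run -n shop probe --rm -it --restart=Never --image=curlimages/curl -- curl -m 3 http://169.254.169.254/ which should time out, while a request to an external host succeeds. Remember the exception noted earlier: traffic to and from the node a pod runs on is always allowed regardless of these rules.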