• Actualités techniques
• Blockchain
• Business model and startup mistakes
• Devoxx
• Docker and Kubernetes
  • Docker
  • Kubernetes Admin
  • Kubernetes Core
    • Accessing a Kubernetes cluster
    • Acronyms
    • Architecture
    • Configuration
    • Installation
    • Linux Foundation
    • Object types
    • Security and monitoring
      • 1. Authentication
      • 2. Authorization
      • 3. Admission Control
      • Limit and Quota Management
      • Liveness and Readiness Probes
      • Monitoring, Logging, Troubleshooting
      • Network Policies
      • Pod Security Policies
      • Security Context
    • Volumes
  • Kubernetes Ecosystem
• GIT
• GitHub
• Jenkins
• Languages
• Legal aspects
• Management et RH
• Organisation
• Privacy
• RDF
• Reactive and microservices
• Security
• Software Engineering
• Spring
• SQL and NoSQL
• UML
• Web Design

Network Policies

Network Policies
Network Policy recipes (GitHub)
Guide to Kubernetes Ingress Network Policies (StackRox)
Guide to Kubernetes Egress Network Policies (StackRox)

Network Policies are sets of rules which define how Pods are allowed to talk to other Pods and resources inside and outside the cluster.
→ kind of firewalls

ingress / egress

• traffic to a pod from an external network endpoint outside the cluster is allowed if ingress from that endpoint is allowed to the pod.
• traffic from a pod to an external network endpoint outside the cluster is allowed if egress is allowed from the pod to that endpoint.
• traffic from one pod (A) to another (B) is allowed if and only if egress is allowed from A to B and ingress is allowed to B from A. Note that controls are unidirectional – for traffic from B to be allowed to initiate a connection to A, egress must be allowed from B to A and ingress to B from A.

Important notes

A deny all rule is a best practice !

• by default, everything is allowed on the network
• if a pod is selected by a policy (podSelector) everything on this pod is blocked, excepted what is allowed.
• if a pod is not selected by a policy, the default remains... everything is allowed.
• thoses rules are evaluated independently for ingress and egress

network policies are namespaced resources
You will need to create a deny all policy for each namespace!

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress

ingress configuration first
While it is usually relatively straightforward to figure out from which network endpoints we expect communications to a pod, it is, in practice, usually much harder to figure out to which network endpoints connections from a pod go.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-egress-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
  - namespaceSelector:
      matchLabels:
        project: myproject
  - podSelector:
      matchLabels:
        role: frontend
  ports:
  - protocol: TCP
    port: 6379
egress:
- to:
  - ipBlock:
      cidr: 10.0.0.0/24
  ports:
  - protocol: TCP
    port: 5978

Proudly Powered by Zim 0.75.2.

Template by Etienne Gandrille, based on ZeroFiveEight and using JQuery Toc Plugin.