kubernetesnetwork-programmingnginx-ingressgrafana-lokikubernetes-networkpolicy

Kubernetes NetworkPolicy: Allow egress only to internet, and Allow ingress only from ingress controller and promtail


By default pods can communicate with each other in Kubernetes, which is unwanted should a pod be compromised. We want to use NetworkPolicies to control inbound (ingress) and outbound (egress) traffic to/from pods.

Specifically pods should ONLY be able to:

What I have tried

1. Denying all ingress and egress

This is the default policy that we want to gradually open up. It blocks all ingress and egress.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
  namespace: mynamespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

2. Opening egress to internet only

We allow egress only to IP-adresses that are not reserved for private networks according to wikipedia.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: egress-allow-internet-only
  namespace: mynamespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16

3. Opening Ingress from ingress controller and loki

We have deployed the standard NginX Ingress Controller in namespace default, and it has the lable app.kubernetes.io/name=ingress-nginx. We have also deployed the standard loki-grafana stack to the default namespace, which uses promtail to transfer logs to Loki. Here I allow pods to recieve ingress from the promtail and ingress-nginx pods.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-allow-ingress-controller-and-promptail
  namespace: mynamespace
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name=default
    - podSelector:
        matchLabels:
          app.kubernetes.io/name=ingress-nginx
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name=default
    - podSelector:
        matchLabels:
          app.kubernetes.io/name=promtail

So, does this configuration look right?

I am new to Kubernetes, so I hope you guys can help point me in the right direction. Does this configuration do what I intent it to do, or have I missed something? E.g. is it enough that I have just blocked egress within the private network to ensure that the pods are isolated from each other, or should I also make the ingress configuration as I have done here?


Solution

  • I have compared your Ingress with K8 Doc and Egress with this SO and deny Both ingress and Egress seems to be correct.The only thing we need to do is check whether all the name space is given correct or not. Seems to be correct as per your YAML file.

    But kubernetes pods use the DNS server inside Kubernetes; due to this DNS server being blocked, we need to define more specific IP ranges to allow DNS lookups. Follow this SO to define DNS config at pod levels and to get curl calls with domain names allow Egress to Core DNS from kube-system(by adding a namespace selecter (kube-system) and a pod selector (dns pods)).

    How to identify dns pod

    # Identifying DNS pod
    kubectl get pods -A | grep dns
    
    # Identifying DNS pod label
    kubectl describe pods -n kube-system coredns-64cfd66f7-rzgwk
    

    Adding DNS pod to NetworkPolicy

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: egress-allow-internet-only
      namespace: mynamespace
    spec:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
      - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: "kube-system"
        - podSelector:
            matchLabels:
              k8s-app: "kube-dns"