Kubernetes Network Policies (NetworkPolicy) resources declaratively manage network access (ingress, egress) within a Kubernetes cluster. Network Policies select Pods by label, namespace or IP block, define the direction of the traffic flow (Ingress, Egress) and the protocols, ports and IPs involved, and thereby control which communication is allowed and which is denied.
There are good examples on the Kubernetes website: https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource
- Identify the Pod to secure, such as the Pod with the label role=db. The selector should be as precise as possible; you may want more than one policy per namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: xyz
spec:
  podSelector:
    matchLabels:
      role: db   # the policy applies only to Pods carrying this label
- Set a default deny policy, then add your allow policies, per https://spacelift.io/blog/kubernetes-network-policy-
- Add DNS (UDP port 53) to the policy so Pods can still look up services in your cluster dynamically, per https://snyk.io/blog/kubernetes-network-policy-best-practices/:
egress:
- to:
  - namespaceSelector: {}   # any namespace ...
    podSelector:            # ... but only the DNS Pods (OpenShift label shown here)
      matchLabels:
        dns.operator.openshift.io/daemonset-dns: default
  ports:
  - port: 53
    protocol: UDP
Be sure to capture all of your anticipated traffic. If you get really advanced, you’ll want to use the Editor Network Policy.
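The steps above combined into one pair of manifests, as an added example that is not from the original post: a namespace-wide default deny, followed by an allow policy for the role=db Pods that admits only the api tier on the database port and permits DNS egress. The namespace xyz, the labels role=db and role=api, port 5432 and the upstream CoreDNS labels (k8s-app=kube-dns in kube-system) are assumed values; on OpenShift substitute the DNS label shown above.

```yaml
# Added example (not the original post's code). Assumed values: namespace xyz,
# labels role=db / role=api, DB port 5432, upstream CoreDNS label k8s-app=kube-dns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: xyz
spec:
  podSelector: {}          # empty selector = every Pod in the namespace
  policyTypes:
  - Ingress
  - Egress                 # both types listed with no rules: all traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db
  namespace: xyz
spec:
  podSelector:
    matchLabels:
      role: db             # the Pod we are securing
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: api        # only the api tier in this namespace may connect
    ports:
    - port: 5432
      protocol: TCP
  egress:
  - to:
    - namespaceSelector:   # namespaceSelector AND podSelector in one list item
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53             # large responses fall back to TCP, so allow it too
      protocol: TCP
```

Apply with `kubectl apply -f` and confirm the effect from a Pod in the namespace (for example a DNS lookup succeeds while a connection to an unlisted port is refused); note that enforcement requires a CNI plugin that implements NetworkPolicy.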
Good luck…