Kubernetes Network Security

CozyFex included in kubernetes k8s orchestration

2021-05-28 510 words 3 minutes

Contents

Network Policy Commands

Network Policy List

1
kubectl get networkplicy

Network Policy Detail

1
kubectl describe networkpolicy <networkpolicy-name>

YAML

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internal-policy
spec:
  podSelector:
    matchLabels:
      name: internal
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              name: payroll
      ports:
        - protocol: TCP
          port: 8080
    - to:
        - podSelector:
            matchLabels:
              name: mysql
      ports:
        - protocol: TCP
          port: 3306

System Diagram

/kubernetes-network-security/kubernetes-network-security.png

Network Policy

/kubernetes-network-security/kubernetes-network-security-policy-sample.png

Ingress `podSelector`

/kubernetes-network-security/kubernetes-network-security-pod-selector.png

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: api-pod
      ports:
        - protocol: TCP
          port: 3306

Ingress `namespaceSelector`

/kubernetes-network-security/kubernetes-network-security-namespace-selector.png

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: prod
      ports:
        - protocol: TCP
          port: 3306

Ingress `ipBlock`

/kubernetes-network-security/kubernetes-network-security-ip-block.png

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 192.168.5.10/32
      ports:
        - protocol: TCP
          port: 3306

Ingress `podSelector` AND `namespaceSelector`

/kubernetes-network-security/kubernetes-network-security-pod-and-namespace.png

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: api-pod
          namespaceSelector:
            matchLabels:
              name: prod
      ports:
        - protocol: TCP
          port: 3306

Ingress `podSelector` OR `namespaceSelector`

/kubernetes-network-security/kubernetes-network-security-pod-or-namespace.png

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: api-pod
        - namespaceSelector:
            matchLabels:
              name: prod
      ports:
        - protocol: TCP
          port: 3306

Ingress (`podSelector` AND `namespaceSelector`) OR `ipBlock`

/kubernetes-network-security/kubernetes-network-security-pod-and-namespace-or-ipblock.png

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: api-pod
          namespaceSelector:
            matchLabels:
              name: prod
        - ipBlock:
            cidr: 192.168.5.10/32
      ports:
        - protocol: TCP
          port: 3306

Ingress (`podSelector` AND `namespaceSelector`) OR `ipBlock` AND Egress `ipBlock`

/kubernetes-network-security/kubernetes-network-security-egress-ip-block.png

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: api-pod
          namespaceSelector:
            matchLabels:
              name: prod
        - ipBlock:
            cidr: 192.168.5.10/32
      ports:
        - protocol: TCP
          port: 3306
  egress:
    - to:
        - ipBlock:
            cidr: 192.168.5.10/32
      ports:
        - protocol: TCP
          port: 80

Contents

Kubernetes Network Security

Network Policy Commands

Network Policy List

Network Policy Detail

YAML

System Diagram

Network Policy

Ingress podSelector

Ingress namespaceSelector

Ingress ipBlock

Ingress podSelector AND namespaceSelector

Ingress podSelector OR namespaceSelector

Ingress (podSelector AND namespaceSelector) OR ipBlock

Ingress (podSelector AND namespaceSelector) OR ipBlock AND Egress ipBlock

Ingress `podSelector`

Ingress `namespaceSelector`

Ingress `ipBlock`

Ingress `podSelector` AND `namespaceSelector`

Ingress `podSelector` OR `namespaceSelector`

Ingress (`podSelector` AND `namespaceSelector`) OR `ipBlock`

Ingress (`podSelector` AND `namespaceSelector`) OR `ipBlock` AND Egress `ipBlock`