Difference between revisions of "K8s network policy"
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | # Examples | ||
+ | |||
+ | ## Example of Wordpress with Egress Isolation | ||
+ | |||
+ | ### egress--dns.yaml | ||
+ | ``` | ||
+ | --- | ||
+ | apiVersion: networking.k8s.io/v1 | ||
+ | kind: NetworkPolicy | ||
+ | metadata: | ||
+ | name: egress-dns | ||
+ | spec: | ||
+ | podSelector: {} | ||
+ | policyTypes: | ||
+ | - Egress | ||
+ | egress: | ||
+ | - to: | ||
+ | - namespaceSelector: | ||
+ | matchLabels: | ||
+ | kubernetes.io/metadata.name: kube-system | ||
+ | podSelector: | ||
+ | matchLabels: | ||
+ | k8s-app: kube-dns | ||
+ | ports: | ||
+ | - protocol: TCP | ||
+ | port: 53 | ||
+ | - protocol: UDP | ||
+ | port: 53 | ||
+ | ``` | ||
+ | |||
+ | ### egress--internet-http-https.yaml | ||
+ | ``` | ||
+ | --- | ||
+ | apiVersion: networking.k8s.io/v1 | ||
+ | kind: NetworkPolicy | ||
+ | metadata: | ||
+ | name: egress-internet-http-https | ||
+ | spec: | ||
+ | podSelector: {} | ||
+ | policyTypes: | ||
+ | - Egress | ||
+ | egress: | ||
+ | - to: | ||
+ | - ipBlock: | ||
+ | cidr: 0.0.0.0/0 | ||
+ | except: | ||
+ | - 10.0.0.0/8 | ||
+ | - 192.168.0.0/16 | ||
+ | - 172.16.0.0/20 | ||
+ | ports: | ||
+ | - protocol: TCP | ||
+ | port: 443 | ||
+ | - protocol: TCP | ||
+ | port: 80 | ||
+ | |||
+ | ``` | ||
+ | |||
+ | ### egress--wordpress-to-mariadb.yaml | ||
+ | ``` | ||
+ | apiVersion: networking.k8s.io/v1 | ||
+ | kind: NetworkPolicy | ||
+ | metadata: | ||
+ | name: egress--wordpress-to-mariadb | ||
+ | spec: | ||
+ | policyTypes: | ||
+ | - Egress | ||
+ | podSelector: | ||
+ | matchLabels: | ||
+ | app.kubernetes.io/name: wordpress | ||
+ | egress: | ||
+ | - to: | ||
+ | - namespaceSelector: {} | ||
+ | podSelector: | ||
+ | matchLabels: | ||
+ | app.kubernetes.io/name: mariadb | ||
+ | ports: | ||
+ | - protocol: TCP | ||
+ | port: 3306 | ||
+ | ``` | ||
+ | |||
+ | ### egress--email-submission.yaml | ||
+ | ``` | ||
+ | --- | ||
+ | apiVersion: networking.k8s.io/v1 | ||
+ | kind: NetworkPolicy | ||
+ | metadata: | ||
+ | name: egress--email-submission | ||
+ | spec: | ||
+ | podSelector: {} | ||
+ | policyTypes: | ||
+ | - Egress | ||
+ | egress: | ||
+ | - to: | ||
+ | - ipBlock: | ||
+ | cidr: ${Your SMTP Submission IP Address} | ||
+ | ports: | ||
+ | - protocol: TCP | ||
+ | port: 587 | ||
+ | ``` | ||
+ | |||
+ | ### Apply | ||
+ | ``` | ||
+ | kubectl apply -f ../yaml/egress--dns.yaml -f ../yaml/egress--internet-http-https.yaml -f ../yaml/egress--wordpress-to-mariadb.yaml -f ../yaml/egress--email-submission.yaml | ||
+ | ``` | ||
+ | |||
+ | |||
+ | # Internet Only | ||
+ | - https://stackoverflow.com/questions/57789969/kubernetes-networkpolicy-allow-external-traffic-to-internet-only | ||
+ | |||
+ | # Guide | ||
+ | - https://snyk.io/blog/kubernetes-network-policy-best-practices/ | ||
+ | |||
+ | # Mote | ||
+ | |||
https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces/ | https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces/ | ||
Line 49: | Line 163: | ||
spec: | spec: | ||
podSelector: {} | podSelector: {} | ||
+ | policyTypes: | ||
+ | - Egress | ||
+ | # - Ingress | ||
egress: | egress: | ||
- to: | - to: | ||
- namespaceSelector: | - namespaceSelector: | ||
matchLabels: | matchLabels: | ||
− | + | kubernetes.io/metadata.name: kube-system | |
podSelector: | podSelector: | ||
matchLabels: | matchLabels: | ||
Line 62: | Line 179: | ||
- protocol: UDP | - protocol: UDP | ||
port: 53 | port: 53 | ||
− | |||
− | |||
``` | ``` | ||
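Review bot: The `except` list in egress--internet-http-https.yaml excludes `172.16.0.0/20`, but the RFC 1918 block is `172.16.0.0/12`, so 172.16.16.0–172.31.255.255 stays reachable from every pod in the namespace on 80/443; change the entry to `- 172.16.0.0/12` and consider adding `- 169.254.0.0/16` so the link-local range (where cloud instance-metadata endpoints commonly answer over port 80) is excluded as well. The same policy uses `podSelector: {}`, so the internet allowance also covers the mariadb pods, which is broader than the "Egress Isolation" heading suggests; a `matchLabels` on `app.kubernetes.io/name: wordpress`, as egress--wordpress-to-mariadb.yaml already does, would narrow it. In egress--email-submission.yaml the API server validates `ipBlock.cidr` as CIDR notation, so the placeholder should read `${Your SMTP Submission IP Address}/32` rather than a bare address.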
Latest revision as of 20:01, 8 July 2023
Examples
Example of Wordpress with Egress Isolation
egress--dns.yaml
# egress-dns: every pod in the namespace is isolated for egress (it is
# selected by a policy with policyTypes Egress) and is allowed only DNS
# to the kube-dns pods in kube-system on TCP and UDP 53. Anything else
# must be opened by another policy in the namespace.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
spec:
  # Empty selector: applies to all pods in the namespace.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        # namespaceSelector and podSelector in one element are combined:
        # only pods labelled k8s-app=kube-dns inside kube-system match.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
egress--internet-http-https.yaml
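# egress-internet-http-https: lets every pod in the namespace reach public
# addresses on TCP 80 and 443 while keeping private and link-local ranges
# unreachable through this rule.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-internet-http-https
spec:
  # Empty selector: applies to all pods in the namespace (mariadb included).
  # Narrow it with matchLabels if only the web tier should reach the internet.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              # RFC 1918 private ranges. 172.16.0.0/12 is the full block;
              # the earlier /20 left 172.16.16.0-172.31.255.255 reachable.
              - 10.0.0.0/8
              - 192.168.0.0/16
              - 172.16.0.0/12
              # Link-local (RFC 3927); cloud instance-metadata services
              # commonly answer in this range over port 80.
              - 169.254.0.0/16
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80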
egress--wordpress-to-mariadb.yaml
# egress--wordpress-to-mariadb: selects the wordpress pods and allows them
# to reach mariadb pods on TCP 3306. Allowed egress for a pod is the union
# of every policy selecting it, so DNS and internet access for these pods
# come from the other egress policies in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress--wordpress-to-mariadb
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: wordpress
  egress:
    - to:
        # NOTE(review): namespaceSelector: {} matches every namespace, so any
        # pod labelled app.kubernetes.io/name=mariadb cluster-wide is allowed.
        # Omitting namespaceSelector restricts this to the policy's namespace.
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              app.kubernetes.io/name: mariadb
      ports:
        - protocol: TCP
          port: 3306
egress--email-submission.yaml
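# egress--email-submission: allows every pod in the namespace to reach the
# mail submission host on TCP 587 (SMTP submission).
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress--email-submission
spec:
  # Empty selector: applies to all pods in the namespace.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            # ipBlock.cidr is validated as CIDR notation; a single host
            # needs the /32 suffix, a bare address is rejected.
            cidr: ${Your SMTP Submission IP Address}/32
      ports:
        - protocol: TCP
          port: 587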
Apply
# Apply the four egress policies in one call; paths are relative to the
# directory layout the guide assumes (a sibling "yaml" directory).
kubectl apply \
  -f ../yaml/egress--dns.yaml \
  -f ../yaml/egress--internet-http-https.yaml \
  -f ../yaml/egress--wordpress-to-mariadb.yaml \
  -f ../yaml/egress--email-submission.yaml
Internet Only
Guide
Note
https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces/
https://kubernetes.io/docs/concepts/services-networking/network-policies/
https://editor.networkpolicy.io/?id=u7ZyunLd9YSsf9Da
https://cloud.redhat.com/blog/guide-to-kubernetes-egress-network-policies
k8s core DNS example egress
# k8s core DNS example egress: the pods labelled run=nginx may reach
# 192.168.0.0/16 on TCP 80-81 and any kube-dns-labelled pod on port 53.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo
spec:
  podSelector:
    matchLabels:
      run: nginx
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 80
          # endPort turns the single port into the range 80-81; the
          # cluster's CNI must support the NetworkPolicy endPort field.
          endPort: 81
    - to:
        # Empty namespaceSelector: kube-dns-labelled pods in any namespace.
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
Only k8s dns
# Despite its name this is not a pure deny: it isolates every pod in the
# namespace for egress and then permits only DNS to kube-dns in kube-system
# on TCP and UDP 53.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all-egress
spec:
  # Empty selector: applies to all pods in the namespace.
  podSelector: {}
  policyTypes:
    - Egress
    # Commented out: listing Ingress here would also isolate the pods for
    # ingress, and with no ingress rules in this policy all inbound traffic
    # would be blocked.
    # - Ingress
  egress:
    - to:
        # Both selectors apply to the same peer: kube-dns pods in kube-system.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
Internet
# Opt-in unrestricted egress: pods carrying the label
# networking/allow-internet-egress="true" may send to any destination on
# any port. The label value is quoted so YAML keeps it a string (label
# values are strings; an unquoted true would parse as a boolean).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internet-egress
spec:
  podSelector:
    matchLabels:
      networking/allow-internet-egress: "true"
  egress:
    # An empty rule matches all peers and all ports.
    - {}
  policyTypes:
    - Egress