Difference between revisions of "K8s network policy"

From UVOO Tech Wiki
Latest revision as of 20:01, 8 July 2023

# Examples

## Example of Wordpress with Egress Isolation

### egress--dns.yaml

```
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
spec:
  # An empty podSelector selects every pod in the namespace, so once this policy
  # is applied all of them are egress-isolated and only the rules below (plus any
  # other egress policy that selects them) open traffic.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
  - to:
    # kube-dns / CoreDNS pods in kube-system only
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
```

### egress--internet-http-https.yaml

```
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-internet-http-https
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            # Private ranges carved out so "internet" does not include the
            # cluster/VPC. Note that the RFC 1918 block is 172.16.0.0/12;
            # 172.16.0.0/20 only covers 172.16.0.0-172.16.15.255, and the
            # link-local range (169.254.0.0/16, cloud metadata endpoints) is
            # not excluded here at all.
            except:
              - 10.0.0.0/8
              - 192.168.0.0/16
              - 172.16.0.0/20
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80
```

### egress--wordpress-to-mariadb.yaml

```
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress--wordpress-to-mariadb
spec:
  policyTypes:
    - Egress
  # Only the WordPress pods are selected by this policy
  podSelector:
    matchLabels:
      app.kubernetes.io/name: wordpress
  egress:
    - to:
        # An empty namespaceSelector matches every namespace, so this allows
        # MariaDB pods with the label in any namespace, not just the local one.
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              app.kubernetes.io/name: mariadb
      ports:
        - protocol: TCP
          port: 3306
```

### egress--email-submission.yaml

```
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress--email-submission
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            # Must be a CIDR; a single submission host is written as <ip>/32
            cidr: ${Your SMTP Submission IP Address}
      ports:
        - protocol: TCP
          port: 587
```

### Apply

```
kubectl apply -f ../yaml/egress--dns.yaml -f ../yaml/egress--internet-http-https.yaml -f ../yaml/egress--wordpress-to-mariadb.yaml -f ../yaml/egress--email-submission.yaml
```

# Internet Only

- https://stackoverflow.com/questions/57789969/kubernetes-networkpolicy-allow-external-traffic-to-internet-only

# Guide

- https://snyk.io/blog/kubernetes-network-policy-best-practices/

# Notes

- https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces/
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
- https://editor.networkpolicy.io/?id=u7ZyunLd9YSsf9Da
- https://cloud.redhat.com/blog/guide-to-kubernetes-egress-network-policies

## k8s core DNS example egress

```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo
spec:
  podSelector:
    matchLabels:
      run: nginx
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 80
          # endPort (GA since Kubernetes 1.25) turns this into the range 80-81
          endPort: 81
    - to:
        # kube-dns pods in any namespace
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```

## Only k8s dns

```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all-egress
spec:
  # Selects every pod in the namespace: all egress is denied except what follows
  podSelector: {}
  policyTypes:
    - Egress
    # - Ingress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
```

## Internet

```
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internet-egress
spec:
  # Opt-in: only pods carrying this label are selected
  podSelector:
    matchLabels:
      networking/allow-internet-egress: "true"
  egress:
  # An empty rule allows all destinations on all ports; because policies are
  # additive, labelled pods get this on top of whatever the deny-all policy allows
  - {}
  policyTypes:
  - Egress
```
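The policies above are additive and `except` lists are exact, which is easy to misjudge by eye. The following is an added example, not code from the wiki page or from Kubernetes: a small evaluator for the ipBlock/ports part of egress rules, with the `egress--internet-http-https.yaml` policy and the opt-in `Internet` policy transcribed as Python dicts, used to check what an isolated pod may actually reach (the `endPort` range from the core DNS example is covered by `port_matches`). Pod and namespace peers are deliberately not modelled.

```python
import ipaddress

# Policies hand-transcribed from the page (constructed here as dicts; ipBlock
# rules only, and every policy listed is assumed to have policyTypes: [Egress]).
POLICIES = [
    {   # egress--internet-http-https.yaml: selects every pod in the namespace
        "podSelector": {},
        "egress": [{
            "to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                "except": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/20"]}}],
            "ports": [{"protocol": "TCP", "port": 443}, {"protocol": "TCP", "port": 80}],
        }],
    },
    {   # "Internet" policy: the opt-in label gets unrestricted egress via `- {}`
        "podSelector": {"matchLabels": {"networking/allow-internet-egress": "true"}},
        "egress": [{}],
    },
]

def selects(selector, labels):
    """An empty selector matches every pod; all matchLabels must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ipblock_matches(block, ip):
    """Inside cidr and outside every `except` range."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(ex) for ex in block.get("except", []))

def port_matches(spec, proto, port):
    """No `port` means any port of that protocol; `endPort` makes it a range."""
    if spec.get("protocol", "TCP") != proto:
        return False
    return "port" not in spec or spec["port"] <= port <= spec.get("endPort", spec["port"])

def egress_allowed(pod_labels, ip, proto, port, policies=POLICIES):
    """A pod selected by any egress policy is isolated and may only reach what at
    least one selecting policy's rule allows (union of all selecting policies)."""
    selecting = [p for p in policies if selects(p["podSelector"], pod_labels)]
    if not selecting:
        return True                       # not isolated: everything is allowed
    for pol in selecting:
        for rule in pol["egress"]:
            peers, ports = rule.get("to", []), rule.get("ports", [])
            to_ok = not peers or any("ipBlock" in q and ipblock_matches(q["ipBlock"], ip) for q in peers)
            port_ok = not ports or any(port_matches(s, proto, port) for s in ports)
            if to_ok and port_ok:         # the empty rule `{}` passes both checks
                return True
    return False
```

Running it shows that an unlabelled pod can still reach 172.20.0.5:443 (outside the 172.16.0.0/20 carve-out) and 169.254.169.254:80, while a pod with the opt-in label can reach any port anywhere.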