
[CKS] Cluster Setup - NetworkPolicies

Cluster Setup (10%)

 - Use Network security policies to restrict cluster level access

 - Use CIS benchmark to review the security configuration of Kubernetes components (etcd, kubelet, kubedns, kubeapi)

 - Properly set up Ingress objects with security control

 - Protect node metadata and endpoints

 - Minimize use of, and access to, GUI elements

 - Verify platform binaries before deploying

 

NetworkPolicy

  • A NetworkPolicy allows or blocks network traffic to and from Pods, at the IP address and port level (OSI layers 3 and 4).
  • By default Pods are non-isolated: every Pod can reach every other Pod over the Pod network. If a single Pod is compromised, the attacker can use it to connect to any other Pod in the cluster unless a NetworkPolicy restricts that traffic; containing this lateral movement is what NetworkPolicies are for.
  • Several NetworkPolicies can exist in a namespace and they are additive: a Pod selected by more than one policy is allowed whatever the union of those policies allows. There is no deny rule; a policy can only isolate the Pods it selects and then add allows.
    • For example, when a default deny-all policy and a policy allowing ingress on a specific port both select a Pod, that port is allowed and everything else stays blocked.
  • A NetworkPolicy is enforced by the cluster's network plugin (CNI). On a plugin that does not support NetworkPolicy the object is accepted by the API server but has no effect, so verify enforcement rather than assuming it.
  • Reference: https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies
 


 

NetworkPolicy examples

Default deny all

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}      # empty selector: every Pod in the namespace is selected (isolated)
  policyTypes:
  - Ingress
  - Egress             # no ingress/egress rules follow, so nothing is allowed in either direction

 

Targeting a range of ports

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: multi-port
  namespace: multi
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Egress           # isolates role=db Pods for egress only; ingress is untouched
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 32000
          endPort: 32750   # allows TCP 32000-32750 inclusive; endPort needs a network plugin that supports it

 

Targeting multiple namespaces by label

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-ns
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:     # matches labels on the Namespace object, not its name
        matchExpressions:    #   e.g. kubectl label namespace frontend ns=frontend
        - key: ns
          operator: In
          values: ["frontend", "backend"]
                             # no `ports` list, so every port in those namespaces is allowed

Two things to check before relying on a policy like this. First, namespaceSelector matches labels on the Namespace object, not its name; in Kubernetes 1.22 and later every namespace automatically carries the label kubernetes.io/metadata.name=<name>, which can be used instead of a custom key such as ns. Second, app=myapp Pods are now isolated for egress, so any traffic the rule does not cover is dropped, including DNS lookups to kube-dns in kube-system; add a separate egress rule for UDP/TCP port 53 to the kube-dns Pods, or name resolution from those Pods will fail.
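
As an added example that is not part of the original post and not the implementation of any real network plugin, here is a small Python model of the NetworkPolicy evaluation rules the bullets above describe (isolation per direction, default allow for non-isolated Pods, union of allows across policies), run against the three manifests on this page. It also covers the egress-ns example directly above: once app=myapp Pods are isolated for egress, lookups to kube-dns are dropped unless a rule allows them. The namespaces, Pods, labels, IPs, the off-cluster host 10.0.0.7 and the allow-db-from-frontend policy are constructed for the demonstration, and the manifests are all placed in namespace multi.

```python
"""Toy model of how a conforming CNI plugin evaluates NetworkPolicies (added
example, not code from the original post). A Pod is isolated in a direction only
if a policy in its namespace selects it and lists that direction in policyTypes;
a non-isolated Pod allows everything; an isolated Pod allows a connection if ANY
selecting policy has a matching rule (policies only add allows, never denies)."""
import ipaddress

def selects(selector, labels):
    """Label-selector semantics (matchLabels + matchExpressions); {} matches everything."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for e in selector.get("matchExpressions", []):
        has, val, vals = e["key"] in labels, labels.get(e["key"]), e.get("values", [])
        rejected = {"In": not (has and val in vals), "NotIn": has and val in vals,
                    "Exists": not has, "DoesNotExist": has}[e["operator"]]
        if rejected:
            return False
    return True

def peer_matches(entry, remote, policy_ns, namespaces):
    """One `from`/`to` entry vs. the remote end (a Pod dict, or {"ip": ...} if off-cluster)."""
    if "ipBlock" in entry:                   # the only peer kind that can match non-Pod endpoints
        ip, block = ipaddress.ip_address(remote["ip"]), entry["ipBlock"]
        return ip in ipaddress.ip_network(block["cidr"]) and not any(
            ip in ipaddress.ip_network(x) for x in block.get("except", []))
    if "namespace" not in remote:
        return False
    ns_ok = (selects(entry["namespaceSelector"], namespaces.get(remote["namespace"], {}))
             if "namespaceSelector" in entry else remote["namespace"] == policy_ns)  # bare podSelector: same namespace only
    return ns_ok and selects(entry.get("podSelector", {}), remote["labels"])

def ports_match(ports, protocol, port):
    """Absent/empty `ports` means every port; endPort extends a port to a range."""
    return not ports or any(p.get("protocol", "TCP") == protocol
                            and p["port"] <= port <= p.get("endPort", p["port"]) for p in ports)

def policy_types(policy):
    """API default when policyTypes is omitted: Ingress, plus Egress if egress rules exist."""
    spec = policy["spec"]
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])

def direction_allowed(direction, pod, remote, protocol, port, policies, namespaces):
    """Ingress check on `pod` (remote = sender) or Egress check (remote = receiver)."""
    selecting = [p for p in policies if p["metadata"]["namespace"] == pod["namespace"]
                 and direction in policy_types(p) and selects(p["spec"]["podSelector"], pod["labels"])]
    if not selecting:
        return True                          # non-isolated: the default allows everything
    peer_key = "from" if direction == "Ingress" else "to"
    return any(                              # union: one matching rule in any selecting policy suffices
        (not rule.get(peer_key) or any(peer_matches(e, remote, p["metadata"]["namespace"], namespaces)
                                        for e in rule[peer_key]))
        and ports_match(rule.get("ports"), protocol, port)
        for p in selecting for rule in (p["spec"].get(direction.lower()) or []))

def connection_allowed(src, dst, protocol, port, policies, namespaces):
    """Egress from src (if a Pod) and ingress into dst (if a Pod) must both allow it."""
    return (("namespace" not in src or direction_allowed("Egress", src, dst, protocol, port, policies, namespaces))
            and ("namespace" not in dst or direction_allowed("Ingress", dst, src, protocol, port, policies, namespaces)))

# Constructed sample cluster: hypothetical namespaces, Pods, labels and IPs.
NAMESPACES = {"multi": {"kubernetes.io/metadata.name": "multi"},
              "frontend": {"kubernetes.io/metadata.name": "frontend", "ns": "frontend"},
              "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}
DB = {"namespace": "multi", "labels": {"role": "db"}, "ip": "10.244.0.10"}
APP = {"namespace": "multi", "labels": {"app": "myapp"}, "ip": "10.244.0.11"}
WEB = {"namespace": "frontend", "labels": {"role": "web"}, "ip": "10.244.1.20"}
COREDNS = {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}, "ip": "10.244.0.3"}

def policy(name, ns, **spec):
    return {"metadata": {"name": name, "namespace": ns}, "spec": spec}

# The post's three manifests, placed in namespace "multi", plus a hypothetical
# allow policy (allow-db-from-frontend) to pair with default-deny-all.
DENY_ALL = policy("default-deny-all", "multi", podSelector={}, policyTypes=["Ingress", "Egress"])
ALLOW_DB = policy("allow-db-from-frontend", "multi", podSelector={"matchLabels": {"role": "db"}},
                  policyTypes=["Ingress"], ingress=[{"from": [{"namespaceSelector": {"matchLabels": {"ns": "frontend"}}}],
                                                    "ports": [{"protocol": "TCP", "port": 5432}]}])
MULTI_PORT = policy("multi-port", "multi", podSelector={"matchLabels": {"role": "db"}},
                    policyTypes=["Egress"], egress=[{"to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}],
                                                    "ports": [{"protocol": "TCP", "port": 32000, "endPort": 32750}]}])
EGRESS_NS = policy("egress-ns", "multi", podSelector={"matchLabels": {"app": "myapp"}},
                   policyTypes=["Egress"], egress=[{"to": [{"namespaceSelector": {"matchExpressions": [
                       {"key": "ns", "operator": "In", "values": ["frontend", "backend"]}]}}]}])

def demo():
    """Scenarios from the post; returns {description: allowed}."""
    active, ext = [DENY_ALL, ALLOW_DB, MULTI_PORT, EGRESS_NS], {"ip": "10.0.0.7"}  # ext: constructed off-cluster host
    return {
        "no policies, web->db:5432": connection_allowed(WEB, DB, "TCP", 5432, [], NAMESPACES),
        "deny-all only, web->db:5432": connection_allowed(WEB, DB, "TCP", 5432, [DENY_ALL], NAMESPACES),
        "deny-all + allow, web->db:5432": connection_allowed(WEB, DB, "TCP", 5432, active, NAMESPACES),
        "deny-all + allow, web->db:22": connection_allowed(WEB, DB, "TCP", 22, active, NAMESPACES),
        "db->10.0.0.7:32100 (in endPort range)": connection_allowed(DB, ext, "TCP", 32100, active, NAMESPACES),
        "db->10.0.0.7:40000 (outside range)": connection_allowed(DB, ext, "TCP", 40000, active, NAMESPACES),
        "app->web:443 (frontend has label ns=frontend)": connection_allowed(APP, WEB, "TCP", 443, active, NAMESPACES),
        "app->coredns:53/udp (no egress rule covers kube-system)": connection_allowed(APP, COREDNS, "UDP", 53, active, NAMESPACES),
    }
```

Calling demo() shows the three points the bullets make: with no policy the frontend Pod reaches the database (non-isolated default); with only default-deny-all it cannot; with the allow policy added the union lets TCP 5432 through while port 22 stays blocked. The last two scenarios show the cost of the egress-ns policy: app=myapp can reach the labelled frontend namespace on any port, but its DNS query to kube-dns is dropped because no selecting policy has a rule for kube-system. The model skips named ports and assumes the plugin enforces exactly what the API describes; on a real cluster, confirm enforcement with a test Pod rather than trusting the object alone.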