
Network Policies

Cluster Network Policies

When the Kubernetes cluster is run with the profile: cis parameter, it applies network policies to the kube-system, kube-public, and default namespaces, along with their associated annotations.

The following policy restricts ingress traffic to pods of the same namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-network-policy
spec:
  ingress:
  - from:
    - podSelector: {}
  podSelector: {}
  policyTypes:
  - Ingress

The following policy is applied to the kube-system namespace and allows DNS traffic to the DNS pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-network-dns-policy
  namespace: kube-system
spec:
  ingress:
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
  podSelector:
    matchLabels:
      k8s-app: kube-dns # the DNS pods, same label as used by the DNS egress rule below
  policyTypes:
  - Ingress

The following policy is applied to the kube-system namespace and allows ingress to the ingress-nginx admission webhook:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-network-ingress-webhook-policy
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: rke2-ingress-nginx
  ingress:
  - ports:
    - protocol: TCP
      port: webhook # named container port of the ingress controller
  policyTypes:
  - Ingress

To view the network policies currently deployed on the cluster, in all namespaces, run the following command:

kubectl get networkpolicies -A

Additional Network Policies

The Kosmos Cluster Policies Enforcer adds the following default-deny network policy whenever a namespace is created:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: kosmos-default-deny
  namespace: <new namespace>
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
  egress:
  - ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
    to:
    - podSelector:
        matchLabels:
          k8s-app: kube-dns
      namespaceSelector: {}
  - to:
    - podSelector: {}
  policyTypes:
  - Ingress
  - Egress

This Kubernetes NetworkPolicy is designed to enforce strict network rules within a specified namespace. Let's break it down:

Metadata

  • name: kosmos-default-deny → The policy is named kosmos-default-deny.
  • namespace: <new namespace> → This policy applies to a specific namespace (replace <new namespace> with the actual namespace name).

Policy Behavior

This policy is restrictive and follows a default-deny model with specific allowances.

Pod Selector

  • podSelector: {} → This applies to all pods in the namespace because it does not specify any match criteria.

Ingress Rules

  • ingress:
      - from:
        - podSelector: {}
    • This allows ingress traffic only from pods within the same namespace: a podSelector used without a namespaceSelector is scoped to the policy's own namespace, and the empty podSelector means all pods in it.

Egress Rules

  • Allows DNS traffic

    • Allows TCP and UDP traffic on port 53 to pods labeled k8s-app: kube-dns in any namespace (podSelector combined with an empty namespaceSelector); these pods typically handle DNS resolution.
  • Allows traffic within the namespace

    • The second egress rule permits outgoing traffic to any pod within the same namespace.

Policy Types

  • Ingress → Restricts incoming traffic based on defined rules.
  • Egress → Restricts outgoing traffic based on defined rules.

Summary

  • This is a default deny policy that blocks all traffic except:
    • Incoming traffic from within the namespace.
    • Outgoing traffic to DNS (kube-dns service) for name resolution.
    • Outgoing traffic to pods in the same namespace.

This policy isolates the namespace from traffic to and from other namespaces and from outside the cluster, while still allowing internal pod-to-pod communication and DNS resolution. 🚀

Access to the Kube-API server

Access to the kube-api server can be granted inside a namespace by using the following basic CiliumNetworkPolicy:

kind: CiliumNetworkPolicy
apiVersion: cilium.io/v2
metadata:
  name: app-to-api-server-egress
spec:
  endpointSelector: {} # all pods in the given namespace are concerned
  egress:
  # toEntities and toPorts are kept in the same rule so that only port 6443 is
  # opened, and only towards the kube-apiserver entity (a toPorts rule without a
  # destination selector would apply to every destination)
  - toEntities:
    - kube-apiserver
    toPorts:
    - ports:
      - port: "6443"
        protocol: TCP

Note: You can limit which pods in the namespace are concerned by specifying a non-empty endpointSelector.

Examples of Network Policies

Ingress Policies (Incoming traffic)

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: application-allow-ingress # incoming traffic also covers access from outside through the nginx ingresses
  namespace: <new namespace>
spec:
  podSelector: {}
  ingress:
  - ports:
    - protocol: TCP
      port: 80
  policyTypes:
  - Ingress

This Kubernetes NetworkPolicy is designed to enforce network rules on incoming traffic within a specified namespace.

Metadata

  • name: application-allow-ingress → The policy is named application-allow-ingress.
  • namespace: <new namespace> → This policy applies to a specific namespace (replace <new namespace> with the actual namespace name).

Policy Behavior

This policy adds an allow rule for incoming traffic; incoming traffic that matches no allow rule of any policy selecting the pod is dropped.

Pod Selector

  • podSelector: {} → This applies to all pods in the namespace because it does not specify any match criteria.
    • If you wanted to target specific pods, you would use labels (eg: matchLabels: {app: my-app}).

Ingress Rules

  • ingress:
      - ports:
        - protocol: TCP
          port: 80
    • ports:
      • Defines the allowed ports and protocols for ingress traffic.
      • In this case, it is allowing incoming traffic that uses the TCP protocol on port 80 (the standard HTTP port). This means any traffic trying to reach port 80 on the pods is allowed.

Policy Types

  • Ingress → Restricts incoming traffic based on defined rules.

Summary

This policy allows incoming TCP traffic on port 80 to all pods in the namespace. The key thing to note here is that there is no egress rule, so outgoing traffic from the pods is not affected by this policy. Without any other network policies, this policy would allow any external source (from within or outside the Kubernetes cluster) to access port 80 on the pods.

Egress Policies (Outgoing traffic)

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: oidc-allow-egress
  namespace: <new namespace>
spec:
  podSelector: {}
  egress:
  - ports:
    - protocol: TCP
      port: 443
    - protocol: TCP
      port: 80
    to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: keycloak-namespace
  policyTypes:
  - Egress

This Kubernetes NetworkPolicy is designed to enforce network rules on outgoing traffic from a specified namespace.

Metadata

  • name: oidc-allow-egress → The policy is named oidc-allow-egress.
  • namespace: <new namespace> → This policy applies to a specific namespace (replace <new namespace> with the actual namespace name).

Policy Behavior

This policy adds an allow rule for outgoing traffic; outgoing traffic that matches no allow rule of any policy selecting the pod is dropped.

Pod Selector

  • podSelector: {} → This applies to all pods in the namespace because it does not specify any match criteria.
    • If you wanted to target specific pods, you would use labels (eg: matchLabels: {app: my-app}).

Egress Rules

  • egress:
      - ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80
        to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: keycloak-namespace
    • ports:
      • Specifies the allowed outgoing traffic ports and protocols. In this case:
        • TCP traffic is allowed on port 443 (commonly used for HTTPS).
        • TCP traffic is also allowed on port 80 (commonly used for HTTP).
      • This means that pods covered by this policy are allowed to initiate outgoing connections to TCP port 443 (HTTPS) and TCP port 80 (HTTP).
    • to:
      • Specifies the destination to which the traffic is allowed to flow. The namespaceSelector restricts the allowed destinations to only those in a namespace with the label kubernetes.io/metadata.name: keycloak-namespace.
      • This means that the egress traffic from the selected pods can only be sent to pods within the namespace labeled keycloak-namespace.
      • The traffic will be allowed to any pod in the keycloak-namespace as long as it is destined for port 443 or port 80.

Policy Types

  • Egress → Restricts outgoing traffic based on defined rules.

Summary

This policy allows egress traffic (outgoing traffic) from all pods in the namespace (due to the empty podSelector) only to the keycloak-namespace namespace, on TCP ports 443 and 80, so that an application can reach the HTTPS or HTTP port of Keycloak depending on its needs. Taken on its own, this policy means that even if other namespaces or services are available in the cluster, the pods in this namespace will only be able to send traffic to the keycloak-namespace namespace on the specified ports. Note that it contains no DNS rule: in a Kosmos namespace, DNS egress is still allowed by the kosmos-default-deny policy described above, because the allow rules of all policies selecting a pod are combined.
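To check how these policies combine before applying them, here is an added Python model (not part of this documentation nor of the Kosmos enforcer) that evaluates a flow against the kosmos-default-deny and oidc-allow-egress policies above; the app namespace, the pod labels and the simplified semantics (no ipBlock, numeric ports only) are assumptions of the example.

```python
# Added evaluator for the NetworkPolicy semantics this page relies on (constructed example;
# the "app" namespace and the pod labels below are invented). Modelled rules: an empty
# selector matches everything, podSelector + namespaceSelector in one peer are ANDed, a
# rule without ports/peers matches any port/peer, and allow rules of all policies are ORed.
NS_LABEL = "kubernetes.io/metadata.name"  # Kubernetes sets this label on every namespace

def matches(sel, labels):                 # matchLabels subset test; {} matches all
    return all(labels.get(k) == v for k, v in sel.items())

def peer_matches(peer, pod, policy_ns):   # pod = (namespace, labels)
    ps, nss = peer.get("podSelector"), peer.get("namespaceSelector")
    in_ns = pod[0] == policy_ns if nss is None else matches(nss, {NS_LABEL: pod[0]})
    return in_ns and (ps is None or matches(ps, pod[1]))

def rule_allows(rule, peer, port, policy_ns):  # port = (protocol, number)
    port_ok = not rule.get("ports") or port in rule["ports"]
    peer_ok = not rule.get("peers") or any(peer_matches(p, peer, policy_ns) for p in rule["peers"])
    return port_ok and peer_ok

def direction_allowed(policies, pod, peer, port, direction):
    selected = [p for p in policies if p["ns"] == pod[0] and direction in p["types"]
                and matches(p["podSelector"], pod[1])]
    if not selected:                      # no policy selects the pod: all traffic allowed
        return True
    rules = [r for p in selected for r in p.get(direction.lower(), [])]
    return any(rule_allows(r, peer, port, pod[0]) for r in rules)

def allowed(policies, src, dst, port):
    """A flow passes only if the egress rules at src AND the ingress rules at dst allow it."""
    return (direction_allowed(policies, src, dst, port, "Egress")
            and direction_allowed(policies, dst, src, port, "Ingress"))

def kosmos_default_deny(ns):              # the enforcer's policy shown above, per namespace
    return {"ns": ns, "podSelector": {}, "types": ("Ingress", "Egress"),
            "ingress": [{"peers": [{"podSelector": {}}]}],
            "egress": [{"ports": [("TCP", 53), ("UDP", 53)],
                        "peers": [{"podSelector": {"k8s-app": "kube-dns"}, "namespaceSelector": {}}]},
                       {"peers": [{"podSelector": {}}]}]}

OIDC_ALLOW_EGRESS = {"ns": "app", "podSelector": {}, "types": ("Egress",),  # policy shown above
    "egress": [{"ports": [("TCP", 443), ("TCP", 80)],
                "peers": [{"namespaceSelector": {NS_LABEL: "keycloak-namespace"}}]}]}
POLICIES = [kosmos_default_deny("app"), kosmos_default_deny("keycloak-namespace"), OIDC_ALLOW_EGRESS]
APP = ("app", {"app": "web"})                          # constructed pods
KEYCLOAK = ("keycloak-namespace", {"app": "keycloak"})
DNS = ("kube-system", {"k8s-app": "kube-dns"})

if __name__ == "__main__":
    print(allowed(POLICIES, APP, DNS, ("UDP", 53)))        # True: the DNS carve-out
    print(allowed(POLICIES, APP, KEYCLOAK, ("TCP", 443)))  # False: keycloak-namespace denies the ingress
```

Running it shows that oidc-allow-egress on its own does not get traffic to Keycloak: the keycloak-namespace side still needs its own ingress allow, since a flow must pass the egress rules at the source and the ingress rules at the destination.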

Helper (adding or opening a network policy for a component)

See the troubleshooting network policy page.