K8s – Question24

Use context: kubectl config use-context k8s-c1-H

There was a security incident where an intruder was able to access the whole cluster from a single hacked backend Pod.

To prevent this create a NetworkPolicy called np-backend in Namespace project-snake. It should allow the backend-* Pods only to:

  • connect to db1-* Pods on port 1111
  • connect to db2-* Pods on port 2222

Use the app label of Pods in your policy.

After implementation, connections from backend-* Pods to vault-* Pods on port 3333 should for example no longer work.

Implementing Network Policies in Kubernetes: Securing Egress Traffic

Network policies in Kubernetes provide a way to control the communication between Pods. By default, all Pods in a Kubernetes cluster can communicate with each other. However, as your application grows, you may need to restrict this communication to improve security. In this guide, we’ll create a NetworkPolicy to restrict outgoing traffic from a backend Pod to only specific database Pods.

Step 1: Understanding the Current Pod Communication

Before implementing a NetworkPolicy, it’s important to understand the current state of communication between Pods. Let’s first inspect the existing Pods and their labels in the project-snake namespace:

Example output:

Next, we’ll test the current connections from the backend Pod:

All connections are currently unrestricted, which we can confirm from the outputs:

Step 2: Creating the NetworkPolicy

Now, we’ll create a NetworkPolicy to restrict the backend Pod’s egress traffic so that it can only communicate with db1 on port 1111 and db2 on port 2222.

First, create a YAML file for the NetworkPolicy:

Edit the file as follows:

This NetworkPolicy allows egress traffic from the backend Pod only to the db1 and db2 Pods on specific ports. This ensures that the backend Pod cannot communicate with any other services, including the vault service.

Apply the NetworkPolicy:

Step 3: Testing the NetworkPolicy

With the NetworkPolicy in place, let’s test the communication again from the backend Pod:

The expected results should be:

The backend Pod can still communicate with the db1 and db2 Pods on the allowed ports, but the connection to the vault service is now blocked, as expected.

Step 4: Avoiding Common Mistakes

It’s important to carefully structure your NetworkPolicy rules to avoid unintended traffic. For example, the following NetworkPolicy would still allow communication to db2 on port 1111, which is not desired:

This policy applies OR logic to pods and ports within a single rule, leading to unintended behavior. Always ensure each rule in your NetworkPolicy is well-defined with specific conditions.

Conclusion

NetworkPolicies are a powerful way to control communication in your Kubernetes cluster, enhancing security by restricting traffic between Pods. By carefully crafting and testing your policies, you can ensure that only the necessary communication paths are open, minimizing the attack surface of your applications.

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *