AllControls, ArmoBest, NSA
Network policies control traffic flow between Pods, namespaces, and external IP addresses. By default, no network policies are applied to Pods or namespaces, resulting in unrestricted ingress and egress traffic within the Pod network. Pods become isolated through a network policy that applies to the Pod or the Pod’s namespace. Once a Pod is selected in a network policy, it rejects any connections that are not specifically allowed by any applicable policy object.Administrators should use a default policy selecting all Pods to deny all ingress and egress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.
CronJob, DaemonSet, Deployment, Job, NetworkPolicy, Pod, ReplicaSet, StatefulSet
Check for each Pod whether there is an ingress and egress policy defined (whether using Pod or Namespace).
Define a network policy that restricts ingress and egress connections.
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: shop spec: podSelector: matchLabels: app: adservice #we match it to the workload labels policyTypes: - Ingress - Egress ingress: #we look for this - from: - ipBlock: cidr: 172.17.0.0/16 except: - 172.17.1.0/24 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - protocol: TCP port: 6379 egress: - to: - ipBlock: cidr: 10.0.0.0/24 ports: - protocol: TCP port: 5978
Updated 15 days ago