Question about Network policies. I would like to "lock down" all ingress / egres . . .

Stan Butler:
Question about Network policies. I would like to “lock down” all ingress / egress traffic to pods in a specific namespace like so:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

I would then use another policy to allow only a few specific ports to the pods in that namespace:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allowed-dev-ports
  namespace: dev
spec:
  podSelector:
    matchLabels:
      tier: web
  policyTypes:
  - Ingress
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.200.232.0/24
    - ipBlock:
        cidr: 10.175.184.0/24
    - ipBlock:
        cidr: 20.60.178.68/32
  ingress:
  - from:
    - ipBlock:
        cidr: 10.175.184.0/24

Any thoughts on the best way to accomplish something like this?

Stan Butler:
The allowed-dev-ports policy works perfectly until I add port numbers. DNS never resolves properly when I start filtering ports. I tried adding the entire TCP port range on the egress block like this:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allowed-dev-ports
  namespace: dev
spec:
  podSelector:
    matchLabels:
      tier: web
  policyTypes:
  - Ingress
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.200.232.0/24
    - ipBlock:
        cidr: 10.175.184.0/24
    - ipBlock:
        cidr: 20.60.178.68/32
    ports:
      - protocol: TCP
        port: 1
        endPort: 65535

…but no, it still can't resolve DNS. Thoughts?

Pavan Rangaraju:
Did you try with UDP as well? Ideally DNS is UDP.

Stan Butler:
That was it! I've been staring at this too long.

Stan Butler:
FYI: this is the final NetworkPolicy that works:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allowed-dev-ports
  namespace: dev
spec:
  podSelector:
    matchLabels:
      tier: web
  policyTypes:
  - Ingress
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.200.202.0/24
    - ipBlock:
        cidr: 10.175.104.0/24
    - ipBlock:
        cidr: 20.60.108.68/32
    ports:
      - protocol: TCP
        port: 80
      - protocol: UDP
        port: 53
      - protocol: TCP
        port: 443
      - protocol: TCP
        port: 8443
  ingress:
  - from:
    - ipBlock:
        cidr: 10.175.104.0/24

Thanks again!

unnivkn:
Hi @Stan Butler fyr:


Stan Butler:
@unnivkn, if I am using ipBlock, I would need to include the subnets where the k8s nodes are hosted as well as the DNS port, correct?

unnivkn:
fyr: