Create Network Policies
- Include default deny-ingress to namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: XXXX
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
Since we don't have a mechanism to restrict communication to just the Kubernetes API, we limit egress to pods within the cluster instead (any namespace, but nothing external):
- Include default deny-egress to outside the cluster

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-external-egress
  namespace: XXXX
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}
- Allow traffic to/from Istio. This can be refined afterwards to allow ingress only from the particular gateway.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-istiod-egress
  namespace: {{ .Release.Namespace }}
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: istio-controlplane
      podSelector:
        matchLabels:
          app: istiod
    ports:
    - port: 15012
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-istio-ingressgateway
  namespace: {{ .Release.Namespace }}
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: istio-controlplane
      podSelector:
        matchLabels:
          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10 }}
{{- end }}
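As an added example (not part of the original page or the chart), a small Python evaluator of the NetworkPolicy semantics the four policies above rely on, run over a few constructed flows. It assumes `app` in place of XXXX / the release namespace and that `networkPolicies.ingressLabels` is `istio: ingressgateway`, the label a default Istio install puts on its gateway pods.

```python
from collections import namedtuple
Pod = namedtuple("Pod", "namespace labels ns_labels")   # in-cluster endpoint; an external IP is a plain str

def sel(selector, labels):
    """{} and {matchLabels: {}} both match everything, which is what makes a default-deny policy."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_ok(peer, pol_ns, ep):
    if isinstance(ep, str):                  # external address: only an ipBlock peer could match
        return "ipBlock" in peer             # (CIDR arithmetic omitted; the page uses no ipBlock)
    ns_ok = (sel(peer["namespaceSelector"], ep.ns_labels) if "namespaceSelector" in peer
             else ep.namespace == pol_ns)    # a bare podSelector means the policy's own namespace
    return ns_ok and sel(peer.get("podSelector", {}), ep.labels)

def direction_ok(policies, kind, me, other, port):
    """kind 'Ingress': me=dst, other=src.  kind 'Egress': me=src, other=dst."""
    key = "from" if kind == "Ingress" else "to"
    selected = [p for p in policies if p["metadata"]["namespace"] == me.namespace
                and kind in p["spec"]["policyTypes"] and sel(p["spec"]["podSelector"], me.labels)]
    for p in selected:                       # policies are additive: any matching rule allows
        for r in p["spec"].get(kind.lower()) or []:
            peers, ports = r.get(key), r.get("ports")
            if (peers is None or any(peer_ok(x, me.namespace, other) for x in peers)) and \
               (ports is None or any(x["port"] == port for x in ports)):
                return True
    return not selected                      # no policy selects the pod: everything is allowed

def allowed(policies, src, dst, port):
    """A flow needs egress permitted at the source AND ingress permitted at the destination."""
    return (isinstance(src, str) or direction_ok(policies, "Egress", src, dst, port)) and \
           (isinstance(dst, str) or direction_ok(policies, "Ingress", dst, src, port))

NS = "app"                                   # assumption: stands in for XXXX / {{ .Release.Namespace }}
ISTIO_NS = {"app.kubernetes.io/name": "istio-controlplane"}
def policy(name, kind, rules=None):          # all four page policies select every pod in NS
    return {"metadata": {"name": name, "namespace": NS},
            "spec": {"podSelector": {}, "policyTypes": [kind], kind.lower(): rules or []}}
POLICIES = [
    policy("default-deny-ingress", "Ingress"),
    policy("default-deny-external-egress", "Egress", [{"to": [{"namespaceSelector": {}}]}]),
    policy("allow-istiod-egress", "Egress", [{"to": [{"namespaceSelector": {"matchLabels": ISTIO_NS},
            "podSelector": {"matchLabels": {"app": "istiod"}}}], "ports": [{"port": 15012}]}]),
    policy("allow-from-istio-ingressgateway", "Ingress",  # assumption: ingressLabels = istio=ingressgateway
           [{"from": [{"namespaceSelector": {"matchLabels": ISTIO_NS},
                       "podSelector": {"matchLabels": {"istio": "ingressgateway"}}}]}]),
]
APP = Pod(NS, {"app": "web"}, {})                                   # constructed sample pods
GATEWAY = Pod("istio-system", {"istio": "ingressgateway"}, ISTIO_NS)
ISTIOD = Pod("istio-system", {"app": "istiod"}, ISTIO_NS)
```

Evaluating `allowed(POLICIES, ...)` over sample flows shows the combined effect: egress to any in-cluster pod (istiod on 15012, kube-dns on 53) but not to an external address, ingress only from the gateway pod, and, as a consequence worth knowing before rollout, no pod-to-pod ingress inside the namespace itself until a further policy allows it.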
Edited by Sumathi Rajendran