Create Network Policies for Fortify
- Include default deny-ingress to namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: XXXX
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
Since we have no mechanism to restrict communication to just the Kubernetes API, we limit egress to pods within the cluster instead:

- Include default deny-egress to outside the cluster

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-external-egress
  namespace: XXXX
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}
- Allow scraping from Monitoring (if applicable)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-scraping
  namespace: XXXX
spec:
  podSelector: {} # all pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector: {} # all namespaces for now
    ports:
    - port: PROMETHEUS_PORT
      protocol: TCP
- Allow traffic to/from Istio.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-istiod-egress
  namespace: {{ .Release.Namespace }}
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: istio-controlplane
      podSelector:
        matchLabels:
          app: istiod
    ports:
    - port: 15012
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-istio-ingressgateway
  namespace: {{ .Release.Namespace }}
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: istio-controlplane
      podSelector:
        matchLabels:
          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10 }}
{{- end }}
- Allow egress traffic to tempo

- Allow traffic to external database when configured with one. This might not be easy with NetworkPolicies and we might need to use Istio for this. For now, if there's an external database:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        # ONLY block requests to the AWS metadata IP
        except:
        - 169.254.169.254/32
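How these policies combine is easier to see by evaluating them. The script below is an added example, not code from this page or from the Fortify chart: it models the additive NetworkPolicy semantics (a pod is isolated in a direction once any policy selecting it lists that direction in policyTypes, and traffic then needs a matching rule in some such policy) for the four policies above, assuming a namespace `fortify` in place of XXXX, 9090 for PROMETHEUS_PORT, and a simplified ipBlock match that ignores CNI-specific handling of pod IPs.

```python
import ipaddress

NS = "fortify"  # constructed stand-in for the page's XXXX namespace placeholder
def _np(name, types, **rules):  # one NetworkPolicy object; podSelector {} selects every pod in NS
    return {"metadata": {"name": name, "namespace": NS},
            "spec": {"podSelector": {}, "policyTypes": types, **rules}}
# The page's four policies as dicts; 9090 is a constructed value for PROMETHEUS_PORT.
POLICIES = [
    _np("default-deny-ingress", ["Ingress"]),
    _np("default-deny-external-egress", ["Egress"], egress=[{"to": [{"namespaceSelector": {}}]}]),
    _np("allow-scraping", ["Ingress"], ingress=[{"from": [{"namespaceSelector": {}}],
                                                 "ports": [{"port": 9090, "protocol": "TCP"}]}]),
    _np("allow-all-egress", ["Egress"], egress=[{"to": [{"ipBlock": {
        "cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}}]}]),
]
def _labels_match(selector, labels):
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())
def _peer_matches(entry, peer, policy_ns):
    """One `to`/`from` entry against a peer; peer["namespace"] is None for hosts outside the cluster."""
    if "ipBlock" in entry:
        ip, blk = ipaddress.ip_address(peer["ip"]), entry["ipBlock"]
        return (ip in ipaddress.ip_network(blk["cidr"])
                and not any(ip in ipaddress.ip_network(x) for x in blk.get("except", [])))
    if peer["namespace"] is None:  # namespace/pod selectors only ever match pods inside the cluster
        return False
    if "namespaceSelector" in entry:
        ns_ok = _labels_match(entry["namespaceSelector"], peer["ns_labels"])
    else:  # a podSelector on its own is scoped to the policy's own namespace
        ns_ok = peer["namespace"] == policy_ns
    return ns_ok and _labels_match(entry.get("podSelector"), peer["labels"])
def allowed(policies, direction, pod_labels, peer, port):
    """Union semantics: isolated once any selecting policy lists `direction`; any matching rule then allows."""
    isolating = [p for p in policies if _labels_match(p["spec"].get("podSelector"), pod_labels)
                 and direction in p["spec"].get("policyTypes", [])]
    if not isolating:
        return True  # no policy isolates this pod in this direction
    for p in isolating:
        for rule in p["spec"].get(direction.lower(), []):
            peers = rule.get("to" if direction == "Egress" else "from", [])  # empty list = any peer
            if peers and not any(_peer_matches(e, peer, p["metadata"]["namespace"]) for e in peers):
                continue
            if rule.get("ports") is None or any(x["port"] == port for x in rule["ports"]):
                return True
    return False

# Constructed peers: the AWS metadata endpoint, an external host, and two in-cluster pods.
METADATA = {"ip": "169.254.169.254", "namespace": None, "labels": {}, "ns_labels": {}}
EXTERNAL = {"ip": "203.0.113.10", "namespace": None, "labels": {}, "ns_labels": {}}
COREDNS = {"ip": "10.0.0.10", "namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}, "ns_labels": {}}
PROMETHEUS = {"ip": "10.0.1.5", "namespace": "monitoring", "labels": {"app": "prometheus"}, "ns_labels": {}}
```

Because the policies are additive, applying allow-all-egress beside default-deny-external-egress leaves the metadata exception as the only effective egress restriction, and that except list covers the IPv4 metadata address only.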
Edited by Alozie Obuh