UNCLASSIFIED - NO CUI

Skip to content

Create Network Policies for Fortify

  • Include default deny-ingress to namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: XXXX
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress

Since we don't have a mechanism to restrict communication to just the Kubernetes API, we can limit egress to just pods within the cluster:

  • Include default deny-egress to outside the cluster
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-external-egress
  namespace: XXXX
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}
  • Allow scraping from Monitoring (if applicable)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-scraping
  namespace: XXXX
spec:
  ingress:
  - from:
    - namespaceSelector: {} # all namespaces for now
    ports:
    - port: PROMETHEUS_PORT
      protocol: TCP
  podSelector: {} # all pods
  policyTypes:
  - Ingress
  • Allow traffic to/from istio.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-istiod-egress
  namespace: {{ .Release.Namespace }}
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: istio-controlplane
      podSelector:
        matchLabels:
          app: istiod
    ports:
    - port: 15012
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-istio-ingressgateway
  namespace: {{ .Release.Namespace }}
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          app.kubernetes.io/name: istio-controlplane
      podSelector:
        matchLabels:
          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
{{- end }}
  • Allow egress traffic to tempo
  • Allow traffic to external database when configured with one. This might not be easy with NetworkPolicies and we might need to use Istio for this. For now, if there's an external database:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          # ONLY Block requests to AWS metadata IP
          except:
          - 169.254.169.254/32
Edited by Alozie Obuh

UNCLASSIFIED - NO CUI