Create Network Policies for Harbor
- Include default deny-ingress to namespace

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: default-deny-ingress
    namespace: XXXX
  spec:
    podSelector:
      matchLabels: {}
    policyTypes:
    - Ingress
  ```
Since we don't have a mechanism to restrict communication to just the Kubernetes API, we can limit egress to just pods within the cluster:

- Include default deny-egress to outside the cluster

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: default-deny-external-egress
    namespace: XXXX
  spec:
    podSelector:
      matchLabels: {}
    policyTypes:
    - Egress
    egress:
    - to:
      - namespaceSelector: {}
  ```
- Allow scraping from Monitoring (if applicable)

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-scraping
    namespace: XXXX
  spec:
    ingress:
    - from:
      - namespaceSelector: {} # all namespaces for now
      ports:
      - port: PROMETHEUS_PORT
        protocol: TCP
    podSelector: {} # all pods
    policyTypes:
    - Ingress
  ```
- Allow traffic to/from Istio. This can be refined to ingress only from the particular gateway after &73.

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-istiod-egress
    namespace: {{ .Release.Namespace }}
  spec:
    podSelector: {}
    policyTypes:
    - Egress
    egress:
    - to:
      - namespaceSelector:
          matchLabels:
            app.kubernetes.io/name: istio-controlplane
        podSelector:
          matchLabels:
            app: istiod
      ports:
      - port: 15012
  ---
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-from-istio-ingressgateway
    namespace: {{ .Release.Namespace }}
  spec:
    podSelector: {}
    policyTypes:
    - Ingress
    ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            app.kubernetes.io/name: istio-controlplane
        podSelector:
          matchLabels:
            {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10 }}
  {{- end }}
  ```
- Allow egress traffic to Tempo
- Allow traffic to the external database when configured with one. This might not be easy with NetworkPolicies and we might need to use Istio for this once &76 gets implemented. For now, if there's an external database:

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: allow-all-egress
  spec:
    podSelector: {}
    policyTypes:
    - Egress
    egress:
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          # ONLY block requests to the AWS metadata IP
          except:
          - 169.254.169.254/32
  ```
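As an added example (not part of this issue or of the Harbor chart), the Python script below models the NetworkPolicy semantics that the policies in this issue rely on: a pod selected by any policy in a direction becomes isolated in that direction, policies are additive, `namespaceSelector`/`podSelector` peers match only pods, and `ipBlock` with `except` handles the external-database case including the metadata-IP exception. It serves both the default-deny pair at the top of the list and the external-database policy just above. The namespace `harbor`, Prometheus port `9090` and the gateway label `app: istio-ingressgateway` are assumed stand-ins for `XXXX`, `PROMETHEUS_PORT` and `.Values.networkPolicies.ingressLabels`; the pods and namespaces are constructed sample data.

```python
# Added example (not Harbor's or the chart's own code): a minimal evaluator for the
# NetworkPolicy semantics used by the policies in this issue. It models only what
# they use: podSelector/namespaceSelector with matchLabels, ipBlock with cidr/except,
# ports, and "selected in a direction => isolated, any matching rule => allowed".
import ipaddress

# Constructed sample cluster: pod name -> namespace and labels. The gateway labels
# stand in for .Values.networkPolicies.ingressLabels and are an assumption.
PODS = {
    "harbor-core": {"ns": "harbor", "labels": {"app": "harbor", "component": "core"}},
    "prometheus":  {"ns": "monitoring", "labels": {"app": "prometheus"}},
    "istiod":      {"ns": "istio-system", "labels": {"app": "istiod"}},
    "gateway":     {"ns": "istio-system", "labels": {"app": "istio-ingressgateway"}},
    "random-app":  {"ns": "default", "labels": {"app": "other"}},
}
NAMESPACE_LABELS = {
    "harbor": {}, "monitoring": {}, "default": {},
    "istio-system": {"app.kubernetes.io/name": "istio-controlplane"},
}
ISTIO_NS = {"matchLabels": {"app.kubernetes.io/name": "istio-controlplane"}}

# The issue's policies as dicts (XXXX -> "harbor" and PROMETHEUS_PORT -> 9090 are assumed).
BASE_POLICIES = [
    {"name": "default-deny-ingress", "namespace": "harbor",
     "podSelector": {"matchLabels": {}}, "policyTypes": ["Ingress"]},
    {"name": "default-deny-external-egress", "namespace": "harbor",
     "podSelector": {"matchLabels": {}}, "policyTypes": ["Egress"],
     "egress": [{"to": [{"namespaceSelector": {}}]}]},
    {"name": "allow-scraping", "namespace": "harbor", "podSelector": {},
     "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"namespaceSelector": {}}],
                  "ports": [{"port": 9090, "protocol": "TCP"}]}]},
    {"name": "allow-istiod-egress", "namespace": "harbor", "podSelector": {},
     "policyTypes": ["Egress"],
     "egress": [{"to": [{"namespaceSelector": ISTIO_NS,
                         "podSelector": {"matchLabels": {"app": "istiod"}}}],
                 "ports": [{"port": 15012}]}]},
    {"name": "allow-from-istio-ingressgateway", "namespace": "harbor",
     "podSelector": {}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"namespaceSelector": ISTIO_NS,
                            "podSelector": {"matchLabels": {"app": "istio-ingressgateway"}}}]}]},
]
# The external-database policy: all egress except the cloud metadata endpoint.
EXTERNAL_DB_POLICY = {
    "name": "allow-all-egress", "namespace": "harbor", "podSelector": {},
    "policyTypes": ["Egress"],
    "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                    "except": ["169.254.169.254/32"]}}]}],
}


def selector_matches(selector, labels):
    """An empty selector ({} or matchLabels: {}) matches everything."""
    want = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def peer_matches(peer, policy_ns, endpoint):
    """endpoint is ('pod', name) for in-cluster pods or ('ip', address) for external hosts."""
    kind, value = endpoint
    if "ipBlock" in peer:
        # ipBlock is meant for cluster-external addresses; whether it also matches
        # pod IPs is CNI-dependent, so this model applies it to IP endpoints only.
        if kind != "ip":
            return False
        ip = ipaddress.ip_address(value)
        if ip not in ipaddress.ip_network(peer["ipBlock"]["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(x) for x in peer["ipBlock"].get("except", []))
    if kind != "pod":
        return False  # selectors never match an external IP
    pod = PODS[value]
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS[pod["ns"]]):
            return False
    elif pod["ns"] != policy_ns:
        return False  # a bare podSelector is scoped to the policy's own namespace
    if "podSelector" in peer and not selector_matches(peer["podSelector"], pod["labels"]):
        return False
    return True


def port_matches(ports, port, protocol):
    if not ports:
        return True  # no ports listed means all ports
    return any(p["port"] == port and p.get("protocol", "TCP") == protocol for p in ports)


def allowed(policies, direction, pod_name, peer, port, protocol="TCP"):
    """Is traffic to (Ingress) or from (Egress) pod_name allowed for the given peer and port?"""
    pod = PODS[pod_name]
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in policies
                 if p["namespace"] == pod["ns"]
                 and selector_matches(p["podSelector"], pod["labels"])
                 and direction in p["policyTypes"]]
    if not selecting:
        return True  # no policy isolates the pod in this direction: Kubernetes allows all
    for pol in selecting:  # additive: any rule of any selecting policy may allow the traffic
        for rule in pol.get(rules_key, []):
            peers = rule.get(peer_key, [])
            if (not peers or any(peer_matches(pr, pol["namespace"], peer) for pr in peers)) \
                    and port_matches(rule.get("ports"), port, protocol):
                return True
    return False


if __name__ == "__main__":
    with_db = BASE_POLICIES + [EXTERNAL_DB_POLICY]
    print("prometheus -> harbor:9090 ", allowed(BASE_POLICIES, "Ingress", "harbor-core", ("pod", "prometheus"), 9090))
    print("random-app -> harbor:8080 ", allowed(BASE_POLICIES, "Ingress", "harbor-core", ("pod", "random-app"), 8080))
    print("harbor -> external db     ", allowed(BASE_POLICIES, "Egress", "harbor-core", ("ip", "203.0.113.10"), 5432))
    print("harbor -> external db (db)", allowed(with_db, "Egress", "harbor-core", ("ip", "203.0.113.10"), 5432))
    print("harbor -> metadata IP (db)", allowed(with_db, "Egress", "harbor-core", ("ip", "169.254.169.254"), 80))
```

The model is a reasoning aid, not a substitute for testing on the real cluster: the CNI decides details such as whether `ipBlock` matches pod IPs and how hostNetwork endpoints (the API server among them) are classified under a `namespaceSelector`-only egress rule, so verify the deny-external-egress policy against the actual control plane before relying on it.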