2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Click to download the document to view all relevant links to this article https://tungstenfabric.org.cn/assets/uploads/files/tf-ceg-case4.pdf
In most production environments, network access control needs to be implemented. Kubernetes provides a way to describe how Pod groups should communicate by using NetworkPolicy resources.
As with most things in Kubernetes, for network policies to work, you need a Kubernetes CNI plug-in that supports them.
Usage scenarios
In almost all environments, it is a good idea to establish clear rules for the components that the application needs to communicate. The Kubernetes network policy specification is a direct approach that allows you to integrate NetworkPolicy directly with the application manifest.
The way the NetworkPolicy resource is defined allows you to specify exactly which network traffic is allowed and which is not, while podSelector definitions handle the dynamic nature of applications running on Kubernetes.
This means that your policy can target a single Pod or Pod group, thus "narrowing" the security scope to the size of the Pod.
The combination of strictly defined network policies and a default-deny configuration can avoid the trouble caused by a compromised application, misbehaviour, or misconfiguration. For example, an application component may have stale cached DNS entries or incorrect configuration parameters, causing it to talk to the wrong backend. Or the application may be compromised and used as a springboard to perform reconnaissance, attempt lateral movement, or simply use the Pod's access to the Kubernetes API to start cryptocurrency-mining Pods that steal your computing resources.
Use network policies to secure the sample application
The topic of network policy design is much larger than the space allowed in this guide. In this example, we will do the following:
Create a default-deny Ingress policy for our default namespace. This means that every incoming connection to a Pod within the namespace must be explicitly allowed.
Create an Ingress NetworkPolicy object for each sample application component, allowing only the connections we have identified.
Step 1: identify which components should be able to communicate with each other
First, we need to remind ourselves of how the various components of the application should communicate. To do this, we will return to the application diagram we saw in the introduction:
From this figure, you can see:
The outside world needs to reach TCP port 80 of yelb-ui ((1) and (2)). yelb-ui needs to reach TCP port 4567 of yelb-appserver. yelb-appserver, in turn, needs to reach TCP port 5432 of yelb-db and TCP port 6379 of yelb-cache.
Step 2: how to identify components?
Keep in mind that NetworkPolicy resources use selectors to identify which Pod the policy applies to and what is the source and destination of the traffic that the policy will control.
In this demonstration, we will use the podSelector method, so we need the list of labels applied to the application Pods. Let's look at the listing of the cnawebapp-loadbalancer.yaml sample application and collect the labels:
Now we are ready to write our policies.
When deployed, these policies control communication between application components in the following ways:
Step 3: the "default-deny" policy
Make sure you are on the sandbox control node, logged in as root, and in the correct directory:
# confirm that you are running as root (drop into a root shell if not)
whoami | grep root || sudo -s
# switch to the manifest directory
cd /home/centos/yelb/deployments/platformdeployment/Kubernetes/yaml
In this step, we will create a policy that blocks all network traffic that is not explicitly allowed. In this demonstration, we will restrict only Ingress traffic, but you can also control Egress traffic (be aware that this may block DNS queries!):
cat > yelb-policy.yaml
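The policies the three steps above describe, written out as an added example (not the manifests from the original guide or from the yelb project): a default-deny Ingress policy for the namespace, followed by one allow policy per component matching the port map from Step 1. The app: labels are assumed; take the real ones from cnawebapp-loadbalancer.yaml before applying.

```yaml
# Added example, not the page's own manifest. The app: labels are assumed;
# read the real Pod labels from cnawebapp-loadbalancer.yaml before applying.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-ingress}
spec:
  podSelector: {}            # empty selector = every Pod in the namespace
  policyTypes: [Ingress]     # no ingress rules => all inbound traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-yelb-ui}
spec:
  podSelector: {matchLabels: {app: yelb-ui}}
  ingress:
  - ports: [{protocol: TCP, port: 80}]   # no "from": any source, incl. outside
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-yelb-appserver}
spec:
  podSelector: {matchLabels: {app: yelb-appserver}}
  ingress:
  - from: [{podSelector: {matchLabels: {app: yelb-ui}}}]
    ports: [{protocol: TCP, port: 4567}]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-yelb-db}
spec:
  podSelector: {matchLabels: {app: yelb-db}}
  ingress:
  - from: [{podSelector: {matchLabels: {app: yelb-appserver}}}]
    ports: [{protocol: TCP, port: 5432}]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-yelb-cache}
spec:
  podSelector: {matchLabels: {app: yelb-cache}}
  ingress:
  - from: [{podSelector: {matchLabels: {app: yelb-appserver}}}]
    ports: [{protocol: TCP, port: 6379}]
```

Apply it with `kubectl apply -n default -f yelb-policy.yaml`; since the allow policies omit policyTypes, Kubernetes treats them as Ingress-only, and the default-deny policy is what makes every connection not listed here fail.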