kubernetes-network-policy-recipes
example for - allow egress only to public addresses
proposal to add an example for "allow egress only to public addresses".
In our use case, where we execute some user-configured REST calls, the service running those should not have access to internal Kubernetes endpoints. Took me a while of searching to end up with this policy, given that I'm not that knowledgeable about this topic. I think we can spare other people that, by including this as an example here (since this repo is linked in the official docs). And maybe someone notices a flaw in this.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-public-only   # placeholder name; apply it in the namespace you want to restrict
spec:
  # Empty podSelector: the policy applies to every pod in the namespace.
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  # Rule 1: DNS to the cluster resolver (kube-dns pods in kube-system).
  # namespaceSelector and podSelector in the same peer are ANDed.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  # Rule 2: any IPv4 destination except the RFC 1918 private ranges.
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
```
Allows...
- DNS resolve requests
- All IPs except the IP ranges defined as private
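An offline way to check what the `ipBlock` rule above actually lets through, added here as an example that is not part of the issue or of the recipes repo. It transcribes the policy's `cidr`/`except` peer into a Python dict, mirrors the NetworkPolicy matching semantics with the standard-library `ipaddress` module, and runs a constructed set of destinations through it. The `HARDENED_IP_BLOCKS` variant, with `169.254.0.0/16` (IPv4 link-local, where cloud metadata services commonly sit) and `100.64.0.0/10` (RFC 6598 shared address space, often used for node or VPC ranges) added to `except`, is my suggestion and not something the issue proposes; the sample addresses are constructed.

```python
import ipaddress

# Constructed transcription of the ipBlock egress peer from the policy in this
# issue. The DNS rule selects kube-dns by label rather than by IP, so it is
# not modelled here; only the "0.0.0.0/0 except private ranges" rule is.
POLICY_IP_BLOCKS = [
    {
        "cidr": "0.0.0.0/0",
        "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    },
]

# Assumption (my suggestion, not part of the issue): two more non-public ranges
# that the RFC 1918 list leaves reachable. 169.254.0.0/16 is IPv4 link-local
# (RFC 3927), where cloud metadata services commonly live; 100.64.0.0/10 is
# shared address space (RFC 6598), often used for internal node or VPC ranges.
EXTRA_NON_PUBLIC = ["169.254.0.0/16", "100.64.0.0/10"]

HARDENED_IP_BLOCKS = [
    {
        "cidr": "0.0.0.0/0",
        "except": POLICY_IP_BLOCKS[0]["except"] + EXTRA_NON_PUBLIC,
    },
]


def ip_block_allows(block, ip):
    """Mirror NetworkPolicy ipBlock semantics: the destination must fall inside
    `cidr` and outside every entry of `except`. A cidr of another IP family
    never matches, so an IPv4-only block says nothing about IPv6 traffic."""
    addr = ipaddress.ip_address(ip)
    cidr = ipaddress.ip_network(block["cidr"], strict=False)
    if addr.version != cidr.version or addr not in cidr:
        return False
    return not any(
        addr in ipaddress.ip_network(exc, strict=False)
        for exc in block.get("except", [])
    )


def egress_allowed(ip, blocks=POLICY_IP_BLOCKS):
    """Peers within a rule, and rules within a policy, are ORed: any match allows."""
    return any(ip_block_allows(block, ip) for block in blocks)


def evaluate(destinations, blocks=POLICY_IP_BLOCKS):
    """Return {destination: allowed?} for a list of addresses."""
    return {ip: egress_allowed(ip, blocks) for ip in destinations}


# Constructed sample destinations covering the interesting edges.
SAMPLE_DESTINATIONS = [
    "8.8.8.8",           # public resolver: allowed
    "10.2.3.4",          # RFC 1918: denied
    "172.31.255.255",    # last address of 172.16.0.0/12: denied
    "172.32.0.1",        # just past that range: allowed
    "192.168.1.1",       # RFC 1918: denied
    "169.254.169.254",   # link-local: allowed by the issue's policy
    "100.64.0.1",        # shared address space: allowed by the issue's policy
    "2001:db8::1",       # IPv6: no IPv4 cidr matches, so dropped on dual-stack
]

if __name__ == "__main__":
    original = evaluate(SAMPLE_DESTINATIONS)
    hardened = evaluate(SAMPLE_DESTINATIONS, HARDENED_IP_BLOCKS)
    print(f"{'destination':<18}{'issue policy':<14}{'hardened'}")
    for ip in SAMPLE_DESTINATIONS:
        print(f"{ip:<18}{str(original[ip]):<14}{hardened[ip]}")
```

Two things the table makes visible that the YAML alone does not: the RFC 1918 `except` list still leaves link-local and shared address space reachable, and because `0.0.0.0/0` is IPv4-only, a dual-stack cluster gets no IPv6 egress at all once `policyTypes: [Egress]` is set, unless a `::/0` peer is added with its own `except` list.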