
[Epic] Add NetworkPolicies for ck8s services

Open viktor-f opened this issue 3 years ago • 3 comments

Is your feature request related to a problem? Please describe. We currently do not have any network policies for the services/apps we install in ck8s. It is important to have NetworkPolicies to limit the blast radius of a potential intrusion and to show our users that we take it seriously (especially since we recommend others to do this). By default, all pods can talk to all pods with no restriction.

Describe the solution you'd like I would like us to add network policies such that the pods we install can only communicate with the other pods/endpoints that they need to, both regarding ingress and egress traffic. The plan should be to have everything locked down by default and only allow the traffic we know is necessary.

This could be split into multiple subtasks, perhaps with a few apps/namespaces each.

Describe alternatives you've considered

  • Continue to not have NetworkPolicies.
  • Add simpler NetworkPolicies (like skipping to limit traffic within a namespace or just limiting traffic to/from outside the cluster)

Additional context NetworkPolicy editor that can be used: https://editor.cilium.io

Definition of done: This will be split into subtasks where each subtask covers a subset of Compliant Kubernetes apps. Each subtask will do the following in its area:

  • All pods are covered by a restrictive NetworkPolicy.
  • All pods still run as expected.
  • Documentation on how these were created. If possible (not required), visualize the network traffic.
  • If Gatekeeper is added in service cluster, then add policy to enforce NetworkPolicies for all pods. See https://github.com/elastisys/compliantkubernetes-apps/issues/655

Subtasks:

  • [x] https://github.com/elastisys/compliantkubernetes-apps/issues/1127
  • [x] https://github.com/elastisys/compliantkubernetes-apps/issues/1128
  • [x] https://github.com/elastisys/compliantkubernetes-apps/issues/1129
  • [x] https://github.com/elastisys/compliantkubernetes-apps/issues/1130
  • [x] https://github.com/elastisys/compliantkubernetes-apps/issues/1131
  • [ ] https://github.com/elastisys/compliantkubernetes-apps/issues/1132
  • [x] https://github.com/elastisys/compliantkubernetes-apps/issues/1133
  • [x] https://github.com/elastisys/compliantkubernetes-apps/issues/1134
  • [x] https://github.com/elastisys/compliantkubernetes-apps/issues/1135

viktor-f avatar Nov 01 '21 15:11 viktor-f

The current state-of-practice seems to be that NetworkPolicies belong to the Helm Chart of the application they protect, with the values.yaml file specifying which inbound traffic is allowed. For inspiration, see:

This feels very natural to me: Just like SecurityGroups "belong" to the VMs they protect, NetworkPolicies "belong" to the application they protect.

In case NetworkPolicies are missing from a Helm Chart, prefer to upstream.

cristiklein avatar Nov 02 '21 13:11 cristiklein

I would love to see this being implemented! When people wondered about the recent log4j problems, it would be so nice to just say "yeah, not a problem, because your Elasticsearch is unable to initiate network requests on its own". :smile:

llarsson avatar Dec 21 '21 06:12 llarsson

Remember to make sure that backups and restore work as well. Also check that Prometheus can scrape the exporters.

viktor-f avatar Aug 30 '22 09:08 viktor-f