Should we keep all egress of a pod in a single k8s NetworkPolicy?

Time:12-10

I have a pod which emits metrics, and it has multiple egresses associated with it, like -

  1. authentication endpoint (tcp/443)
  2. dns (udp/53)
  3. instance metadata (tcp/80)
  4. other pods (all)

What would be a good practice to define the policies for all of the above -

1 - all egresses in a single NetworkPolicy

Example (Same policy with all egress)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-multiple-points
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 443
  # no 'to' block: UDP/53 is allowed to any destination
  - ports:
    - protocol: UDP
      port: 53
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 9443

OR

2 - different NetworkPolicy for each of the egress

Example (Different NetPol for each) -

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-auth-endpoint
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 443

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-dns
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
  - Egress
  egress:
  # no 'to' block: UDP/53 is allowed to any destination
  - ports:
    - protocol: UDP
      port: 53

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metrics-emitter-egress-to-api-server
spec:
  podSelector:
    matchLabels:
      name: metrics-emitter
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 9443

CodePudding user response:

It would be better to manage all the policy in a single one; otherwise you will have to go through tons of similar lines.

It would also make it easier to mitigate any issue if a similar policy is added or overwriting happens.

CodePudding user response:

Network policies can be used to specify both allowed ingress to pods and allowed egress from pods. These specifications work as one would expect: traffic to a pod from an external network endpoint outside the cluster is allowed if ingress from that endpoint is allowed to the pod.

It's better to define all the policies in a single network policy.

In the event of overwriting or the addition of a comparable policy, it reduces the risk of loss from the occurrence of any undesirable events.
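Kubernetes NetworkPolicies that select the same pod are additive (the pod may send whatever matches the union of their egress rules), so the one-policy and per-destination forms in the question produce the same effective allow-set. This added example, not from the question or either answer, computes that allow-set from the question's policies entered as Python dicts (constructed to mirror the YAML) and also shows that as soon as any Egress policy selects a pod, egress not listed in some rule is denied.

```python
"""Effective egress allow-set of a pod under Kubernetes NetworkPolicies.
The policies below mirror the question's YAML as Python dicts (constructed
for this example, so it runs with no YAML library and no cluster)."""
import json

def _policy(name, rules):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name},
            "spec": {"podSelector": {"matchLabels": {"name": "metrics-emitter"}},
                     "policyTypes": ["Egress"], "egress": rules}}

ANYWHERE = [{"ipBlock": {"cidr": "0.0.0.0/0"}}]
AUTH = {"to": ANYWHERE, "ports": [{"protocol": "TCP", "port": 443}]}
DNS = {"ports": [{"protocol": "UDP", "port": 53}]}  # no 'to': any destination
API = {"to": ANYWHERE, "ports": [{"protocol": "TCP", "port": 9443}]}

SINGLE = [_policy("metrics-emitter-egress-to-multiple-points", [AUTH, DNS, API])]
SPLIT = [_policy("metrics-emitter-egress-to-auth-endpoint", [AUTH]),
         _policy("metrics-emitter-egress-to-dns", [DNS]),
         _policy("metrics-emitter-egress-to-api-server", [API])]

def selects(policy, pod_labels):
    """A policy applies to a pod when every matchLabels entry is on the pod."""
    wanted = policy["spec"]["podSelector"].get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())

def effective_egress(policies, pod_labels):
    """Return (isolated, allowed). 'isolated' becomes True once any policy with
    Egress in policyTypes selects the pod; from then on every egress flow not
    in 'allowed' is denied. 'allowed' is the union over all selecting policies
    of (protocol, port, destination) triples; a rule without 'to' means any
    destination and a rule without 'ports' means any port."""
    isolated, allowed = False, set()
    for pol in policies:
        spec = pol["spec"]
        if not selects(pol, pod_labels) or "Egress" not in spec.get("policyTypes", []):
            continue
        isolated = True
        for rule in spec.get("egress") or []:
            dests = [json.dumps(d, sort_keys=True) for d in rule.get("to") or []] or ["any"]
            ports = [(p.get("protocol", "TCP"), p.get("port"))
                     for p in rule.get("ports") or []] or [("any", None)]
            allowed.update((proto, port, dest) for proto, port in ports for dest in dests)
    return isolated, allowed

if __name__ == "__main__":
    pod = {"name": "metrics-emitter"}
    print(effective_egress(SINGLE, pod) == effective_egress(SPLIT, pod))  # True
```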
