What is the network security policy for kubectl to work on Minikube?

Time:09-24

I have started to implement NSPs for a project. We currently have the following NSPs defined, as stated below, next to a default deny-all NSP.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kubectl-policy
  namespace: ns-where-the-pod-lives
spec:
  podSelector:
    matchLabels:
      app: virtualdesktop
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector: {}
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
          podSelector: {}
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ns-where-the-pod-lives
          podSelector: {}
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector: {}
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ns-where-the-pod-lives
          podSelector: {}

But I cannot reach the control plane from a pod unless I provide an NSP which allows for using 0.0.0.0 (internet). What NSP do I need to allow the pod to reach the EKS K8S control plane internally?

CodePudding user response:

Since you've applied a default deny-all netpol, you have to explicitly allow communication to the api-server.

First find out the IP(s) of your kubernetes api service:

kubectl get endpoints --namespace default kubernetes
NAME         ENDPOINTS                                         AGE
kubernetes   172.24.4.2:8443,172.24.4.3:8443,172.24.4.4:8443   69d

You might have a different port than mine (8443)! Then just create the netpol that allows pods in the given namespace to communicate with the api-server; make sure to amend the IPs and the port if necessary.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-server
  namespace: XXX
spec:
  egress:
  - ports:
    - port: 8443
      protocol: TCP
    to:
    - ipBlock:
        cidr: 172.24.4.2/32
    - ipBlock:
        cidr: 172.24.4.3/32
    - ipBlock:
        cidr: 172.24.4.4/32
  podSelector: {}
  policyTypes:
  - Egress

If your desired pod has an accessible shell with some tools installed, you could try out the connection with curl:

bash-4.4# curl -vvv 172.24.4.2:8443
* Rebuilt URL to: 172.24.4.2:8443/
*   Trying 172.24.4.2...
* TCP_NODELAY set
* Connected to 172.24.4.2 (172.24.4.2) port 8443 (#0)
> GET / HTTP/1.1
> Host: 172.24.4.2:8443
> User-Agent: curl/7.61.1
> Accept: */*
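The two manual steps in the answer above (read the `kubernetes` Endpoints object, then hand-write one `/32` ipBlock per address) are easy to get wrong when the control plane has several addresses or when the endpoint IPs change, as they can on a managed control plane. The following added example, which is not part of the answer or of any project's code, parses the JSON that `kubectl get endpoints -n default kubernetes -o json` would produce (here a constructed sample with the answer's made-up addresses) and renders the same egress-only policy; it goes slightly beyond the answer by also emitting `/128` blocks for IPv6 addresses and by carrying the port and protocol through from the Endpoints object rather than hard-coding them.

```python
import json
from ipaddress import ip_address

# Constructed sample in the shape of `kubectl get endpoints -n default kubernetes -o json`;
# the addresses and port mirror the answer above and are not real cluster values.
SAMPLE_ENDPOINTS_JSON = json.dumps({
    "kind": "Endpoints",
    "metadata": {"name": "kubernetes", "namespace": "default"},
    "subsets": [{
        "addresses": [{"ip": "172.24.4.2"}, {"ip": "172.24.4.3"}, {"ip": "172.24.4.4"}],
        "ports": [{"name": "https", "port": 8443, "protocol": "TCP"}],
    }],
})


def api_server_targets(endpoints_json: str) -> list:
    """Flatten an Endpoints object into sorted, de-duplicated (ip, port, protocol) tuples."""
    obj = json.loads(endpoints_json)
    found = set()
    for subset in obj.get("subsets", []):
        for port in subset.get("ports", []):
            for addr in subset.get("addresses", []):
                found.add((addr["ip"], int(port["port"]), port.get("protocol", "TCP")))
    return sorted(found)


def render_policy(namespace: str, targets: list, name: str = "allow-api-server") -> str:
    """Render an egress-only NetworkPolicy for every pod in `namespace`: one host-sized
    ipBlock per control-plane address (/32 for IPv4, /128 for IPv6), limited to the
    endpoint port(s) and protocol(s). Nothing else is opened; the deny-all stays in force."""
    ports = sorted({(port, proto) for _, port, proto in targets})
    cidrs = sorted({f"{ip}/{128 if ip_address(ip).version == 6 else 32}" for ip, _, _ in targets})
    lines = [
        "apiVersion: networking.k8s.io/v1",
        "kind: NetworkPolicy",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "spec:",
        "  podSelector: {}",
        "  policyTypes:",
        "  - Egress",
        "  egress:",
        "  - ports:",
    ]
    lines += [f"    - port: {port}\n      protocol: {proto}" for port, proto in ports]
    lines.append("    to:")
    lines += [f"    - ipBlock:\n        cidr: {cidr}" for cidr in cidrs]
    return "\n".join(lines) + "\n"
```

Feed it the live JSON (for example `kubectl get endpoints -n default kubernetes -o json | python3 -c 'import sys; from policy import *; print(render_policy("ns-where-the-pod-lives", api_server_targets(sys.stdin.read())))'`, assuming the block is saved as `policy.py`) and re-run it whenever the endpoint list changes, since a stale `/32` silently blocks the pod again.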