Guide To Kubernetes Ingress Network Policies - StackRox
The container orchestrator war is over, and Kubernetes has won. With companies large and small rapidly adopting the platform, security has emerged as an important concern – partly because of the learning curve inherent in understanding any new infrastructure, and partly because of recently 2019-1002101-and-cve-2019-9946/).
Kubernetes brings another security dynamic to the table – its defaults are geared towards making it easy for users to get up and running quickly, as well as being backward compatible with earlier releases of Kubernetes that lacked important security features. Consequently, many important Kubernetes configurations are not secure by default.
One important configuration that demands attention from a security perspective is the network policies feature. Network policies specify how groups of pods are allowed to communicate with each other and other network endpoints. You can think of them as the Kubernetes equivalent of a firewall.
We lay out here a step-by-step guide on how to set up network policies. The network policy spec is intricate, and it can be difficult to understand and use correctly. In this guide, we provide recommendations that significantly improve security. Users can easily implement these recommendations without needing to know the spec in detail.
First things first – use a network plugin that actually enforces network policies. Although Kubernetes always supports operations on the NetworkPolicy resource, simply creating the resource without a plugin that implements it will have no effect. Example plugins include Calico, Cilium, Kube-router, Romana and Weave Net.
This tale, however, has an important twist: based on everything described so far, one would think that, if no network policies applied to a pod, then no connections to or from it would be permitted. The opposite, in fact, is true: if no network policies apply to a pod, then all network connections to and from it are permitted (unless the connection is forbidden by a network policy applied to the other peer in the connection).
non-isolated pods. Although somewhat counter-intuitive, this behavior exists to make it easier to get a cluster up and running – a user who does not understand network policies can run their applications without having to create one.
Therefore, we recommend you start by applying a “default-deny-all” network policy. The effect of the following policy specification is to isolate all pods, which means that only connections explicitly listed

Without such a policy, it is very easy to run into a scenario where you delete a network policy, hoping to forbid the connections listed in it, but find that the result is that all connections to some pods suddenly become permitted – including ones that weren’t allowed before. Such a scenario occurs when the network policy you deleted was the only one that applied to a particular pod, which means that the deletion of the network policy caused the pod to become “non-isolated”.
Important Note: Since network policies are namespaced resources, you will need to create this policy for each namespace. You can do so by running kubectl -n <namespace> create -f <filename> for each namespace.
With just the default-deny-all policy in place in every namespace, none of your pods will be able to talk to each other or receive traffic from the Internet. For most applications to work, you will need to allow some pods to receive traffic from outside sources. One convenient way to permit this setup would be to designate labels that are applied to those pods to which you want to allow access from the internet and to create network policies that target those labels. For example, the following network policy allows traffic from all (including external) sources for pods having the networking/allow-internet-access=true label (again, as in the previous section, you will have to create this for every namespace):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internet-access
spec:
  podSelector:
    matchLabels:
      networking/allow-internet-access: "true"
  policyTypes:
  - Ingress
  ingress:
  - {}
For a more locked-down set of policies, you would ideally want to specify more fine-grained CIDR blocks as well as explicitly list out allowed ports and protocols. However, this policy provides a good starting point, with much greater security than the default.
After taking the above steps, you will also need to add network policies to allow pods to talk to each other. You have a few options for how to enable pod-to-pod communications, depending on your situation:

If You Don’t Know Which Pods Need To Talk To Each Other
In this case, a good starting point is to allow all pods in the same namespace to talk to each other and explicitly allow communication across namespaces, since that is usually more rare. You can use the following network policy to allow all pod-to-pod communication within a namespace:
talk to pods in deployment B, you can create the following policy to allow that connection, after replacing the labels with the labels of the specific deployment:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-access
spec:
  podSelector:
    matchLabels:
      deployment-b-pod-label-1-key: deployment-b-pod-label-1-value
      deployment-b-pod-label-2-key: deployment-b-pod-label-2-value
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          deployment-a-pod-label-1-key: deployment-a-pod-label-1-value
          deployment-a-pod-label-2-key: deployment-a-pod-label-2-value
(unfortunately, Kubernetes does not have any labels on namespaces by default) and add a namespaceSelector query next to the podSelector query. To label a namespace, you can simply run the command: kubectl label namespace <name> networking/namespace=<name>

With this namespace label in place, you can allow deployment A in namespace N1 to talk to
the following pair of network policies, which allow pods labeled networking/allow-all-connections=true to talk to all other pods in the same namespace:
You can then apply the networking/allow-all-connections=true label to all newly created deployments, so that your application works until you create specially crafted network policies for them, at which point you can remove the label.
more about these capabilities in our network policy enforcement (/policy-enforcement/) discussion.

Note: All the example YAMLs in this article can be downloaded at https://github.com/stackrox/network-policy-examples