Network Policy can be used to selectively allow metadata access to the pods #84

Status: Closed
sotoiwa opened this issue Apr 16, 2021 · 3 comments
Labels: idea (New best practices idea)

sotoiwa commented Apr 16, 2021

Is your idea request related to a problem that you've solved? Please describe.

The above topics describe how to block access to instance metadata.

In my experience, the Kinesis Client Library used by some Pods does not support IRSA. So I could not block metadata access because using only IMDSv2 and setting hop count to 1 or using iptables would target all the Pods on the node.

However, I could use Kubernetes Network Policy to selectively allow metadata access to the pods.

How about adding a description of how to block metadata access using Network Policy?

Describe the best practice

You can use Kubernetes Network Policy to block metadata access and selectively allow it for some pods.

At first, block access to the metadata service from all pods by adding the following policy.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-metadata-access
  namespace: example
spec:
  # Empty selector: applies to every pod in this namespace
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        # Allow egress anywhere except the instance metadata endpoint
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
```

Then allow access from some pods by adding the following policy.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-metadata-access
  namespace: example
spec:
  # Only pods carrying this label get the additional egress rule
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        # Policies are additive, so this re-allows the metadata endpoint for the selected pods
        cidr: 169.254.169.254/32
```
sotoiwa added the "idea (New best practices idea)" label on Apr 16, 2021
jicowan commented Apr 20, 2021

Updated documentation. Thanks for the suggestion.

@jicowan jicowan closed this as completed Apr 20, 2021
wyike commented Oct 11, 2021

@jicowan @sotoiwa Per my understanding, the deny-metadata-access and allow-metadata-access NetworkPolicies take effect namespace-wide. If we want to implement this in several namespaces, we need to create them in the different namespaces, am I right? Is it worth pointing this out in the documentation as well?

sotoiwa commented Oct 11, 2021

It is true that the Kubernetes standard NetworkPolicy is namespace scoped. However, I think there are cases where CNI's own global scope policies are available, such as Calico's GlobalNetworkPolicy or Cilium's CiliumClusterwideNetworkPolicy.
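To make the semantics concrete, the following Python models how the two policies posted above combine (deny-all-except plus an additive allow) and the namespace scoping raised in the later comments. This is an added example, not code from the issue or the best practices guide; the pod names, labels and the second namespace are constructed for illustration.

```python
import ipaddress

# Constructed, simplified model of the two NetworkPolicy objects posted above.
# Only the fields this check needs are kept: namespace, podSelector, egress ipBlocks.
POLICIES = [
    {"name": "deny-metadata-access", "namespace": "example", "podSelector": {},
     "egress": [{"cidr": "0.0.0.0/0", "except": ["169.254.169.254/32"]}]},
    {"name": "allow-metadata-access", "namespace": "example",
     "podSelector": {"app": "myapp"},
     "egress": [{"cidr": "169.254.169.254/32", "except": []}]},
]

IMDS = "169.254.169.254"


def selects(policy, pod):
    """A policy applies only to pods in its own namespace whose labels match
    podSelector; an empty selector matches every pod in that namespace."""
    if policy["namespace"] != pod["namespace"]:
        return False
    return all(pod["labels"].get(k) == v for k, v in policy["podSelector"].items())


def ipblock_allows(block, dst):
    """dst matches an ipBlock if it is inside cidr and not inside any except range."""
    if dst not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(dst in ipaddress.ip_network(e) for e in block["except"])


def egress_allowed(policies, pod, dst):
    """Kubernetes semantics: a pod selected by no egress policy is unrestricted;
    otherwise traffic is allowed if ANY selecting policy allows it (additive)."""
    dst = ipaddress.ip_address(dst)
    applicable = [p for p in policies if selects(p, pod)]
    if not applicable:
        return True
    return any(ipblock_allows(b, dst) for p in applicable for b in p["egress"])


# Constructed sample pods: a consumer that needs IMDS, a bystander in the same
# namespace, and a pod in a namespace where neither policy has been created.
PODS = {
    "kcl-consumer": {"namespace": "example", "labels": {"app": "myapp"}},
    "bystander": {"namespace": "example", "labels": {"app": "other"}},
    "unguarded": {"namespace": "other-ns", "labels": {"app": "other"}},
}


def imds_report(policies=POLICIES, pods=PODS):
    """Map each pod name to whether it can reach the metadata endpoint."""
    return {name: egress_allowed(policies, pod, IMDS) for name, pod in pods.items()}
```

The "unguarded" pod shows why the policies have to be created in every namespace that should be protected (or replaced by a CNI-specific cluster-wide policy).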
