Risks

Disabling Unwanted Communications within Kubernetes

Network Policies in Kubernetes Containers

By default, pods can communicate with endpoints and services without restrictions.

If an attacker compromises a container or pod, they typically try to reach other containers, pods, or the host machine. Network Policies block these attempts.

We recommend creating a Network Policy with the Deny-All rule in each namespace and refraining from so-called Global Network Policies, as these are administratively confusing and pose a security risk.

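  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: deny-all
    namespace: default   # should be created for all namespaces!
  spec:
    podSelector: {}      # empty selector: applies to every pod in the namespace
    policyTypes:         # no ingress/egress rules listed, so both directions are denied
    - Ingress
    - Egress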

Then allow each permitted communication between the pods again with further Network Policies.
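The following pair of policies is an added example, not taken from the original page, of re-allowing one connection on top of the deny-all rule. Because deny-all covers both Ingress and Egress, the sending pod needs an egress rule and the receiving pod needs an ingress rule, and DNS lookups must be allowed explicitly. The labels `app: frontend` and `app: backend`, port 8080, and DNS running in `kube-system` are assumptions for illustration.

```yaml
# Added example; labels app=frontend/app=backend and port 8080 are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# Egress side: frontend may reach backend and cluster DNS (assumed in kube-system).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Network Policies only take effect when the cluster's network plugin enforces them, so verify after applying that a connection not covered by an allow rule is actually refused.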

We also recommend that at least one person is in charge of the Network Policies.

KubeOps GmbH is the owner of the Union trademark KubeOps with the registration number 018305184. 

© KubeOps GmbH. All rights reserved. Subsidiary of