Disabling Unwanted Communications within Kubernetes
Network Policies in Kubernetes Containers
By default, pods can communicate with any endpoint or service without restriction.
If a container or pod is compromised, the attacker typically tries to reach other containers or pods, or the host machine itself. Network Policies restrict this lateral movement.
We recommend creating a Network Policy with a deny-all rule in every namespace, and refraining from so-called Global Network Policies (cluster-wide policies offered by some CNI plugins), as they are administratively confusing and pose a security risk:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default   # should be created for all namespaces!
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
Further, more specific Network Policies then re-allow exactly those communications between pods that are permitted.
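The procedure above (deny everything per namespace, then re-allow only what is needed) as an added example; this is illustrative code written for this page, not part of the original text or of any project. It renders the deny-all policy for a given namespace, the egress-to-DNS allowance that a deny-all otherwise breaks, and one narrow ingress allowance between two labelled apps. Assumptions: cluster DNS runs in kube-system with the label k8s-app=kube-dns, namespaces carry the automatic kubernetes.io/metadata.name label, and the workloads are labelled app=<name>; the function and policy names are chosen here.

```shell
#!/bin/sh
# Added example (not from the original page). Renders per-namespace NetworkPolicy
# manifests and applies them to every namespace when kubectl and a cluster are available.
# Label values (k8s-app=kube-dns, app=<name>) are assumptions about the target cluster.

# Deny-all policy: selects every pod in the namespace and lists both policy types
# with no rules, so all ingress and egress is blocked.
render_deny_all() {
  ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Re-allow egress to cluster DNS. Without this, pods under deny-all can no longer
# resolve service names, which is the first thing a deny-all rollout breaks.
render_allow_dns_egress() {
  ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# Re-allow one permitted path: ingress to pods labelled app=<target> only from pods
# labelled app=<source> in the same namespace, on a single TCP port.
render_allow_ingress() {
  ns="$1"; target="$2"; source="$3"; port="$4"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-${source}-to-${target}
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: ${target}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: ${source}
    ports:
    - protocol: TCP
      port: ${port}
EOF
}

# Apply the deny-all baseline plus DNS allowance to every namespace in the cluster.
# Does nothing (and returns 0) when kubectl is not on PATH, so the script stays runnable offline.
apply_baseline_everywhere() {
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found; skipping apply" >&2; return 0; }
  for ns in $(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}'); do
    render_deny_all "$ns" | kubectl apply -f -
    render_allow_dns_egress "$ns" | kubectl apply -f -
  done
}

# Usage: print the manifests for the "default" namespace and one web->api allowance.
render_deny_all default
echo "---"
render_allow_dns_egress default
echo "---"
render_allow_ingress default api web 8080
```

Pipe the output into kubectl apply -f - per namespace, or call apply_baseline_everywhere to roll the baseline out cluster-wide. Note that the loop treats kube-system like any other namespace, as the page recommends; verify on a non-production cluster first that cluster add-ons still have the egress and ingress they need, and add allowances there before relying on the deny-all.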
We also recommend that at least one named person is responsible for maintaining the Network Policies.