0

I have a Kubernetes cluster, and for reasons I won't go into here, I also have a VM instance (running a single Docker container) on the same network, providing a specific kind of ingress and forwarding that traffic to an internal LoadBalancer type of k8s service.

This is all working fine. Now I want to restrict the network access of this VM to not have access to anything except the IP of the internal LoadBalancer.

What are my options for achieving this?

Niel de Wet
  • 101
  • 1
  • Ok, just for clarify, how the docker container is expose to the network? You can use firewall rules to controle the instance access, but i didn't understand how your load balance is configured. COuld you please describe in more details? – Mr.KoopaKiller Oct 27 '20 at 08:11
  • @KoopaKiller `create-with-container` instances run their Docker containers on the host network, so it shares that same network. The LB is a kubernetes service created with the the "LoadBalancer" type and "Internal" annotation. – Niel de Wet Oct 29 '20 at 07:27
  • Ok, if you use nginx-ingress with annotation [`whitelist-source-range`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range) is an option... but you will neet to change your service to ingress. Depending of what CNI you are running, you can try to use [NetworkPolicies](https://kubernetes.io/docs/concepts/services-networking/network-policies/). – Mr.KoopaKiller Nov 03 '20 at 08:38

1 Answers1

1

You can define an egress firewall rules that will only affect this VM, you will need 2.

For both rules, define the target as your VM instance running the docker container and set the protocols and ports to all.

For the first rule:

  • define the action as allow
  • define the destination as the IP of your internal load balancer.
  • define the priority to 900

For the second rule:

  • define the action as deny
  • define the destination as 0.0.0.0/0
  • define the priority to 1100

This will ensure that the allow rule will take priority over deny all rule. It will also ensure the deny all rule takes precedence over the implied allow all egress rule.

The first rule will allow egress traffic to your load balancer IP only, while the deny all rule will block all other egress traffic. If you only want to restrict traffic internal to your VPC, replace 0.0.0.0/0 with the internal IP range you use for the VPC (default is 10.0.0.0/17).

Patrick W
  • 582
  • 2
  • 8