7

I'm trying to implement network policy in my Kubernetes cluster to isolate my pods in a namespace but still allow them to access the internet, since I'm using Azure MFA for authentication.

This is what I tried but can't seem to get it working. Ingress is working as expected, but these policies block all egress.


apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: grafana-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: grafana
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx-ingress

Can anybody tell me how I make the above configuration work so that I also allow internet traffic but block traffic to other pods?

Tibebes. M
superset

4 Answers

11

Try adding a default deny all network policy on the namespace:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

Then adding an allow Internet policy after:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-internet-only
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        # the three RFC 1918 private ranges (172.16.0.0/12, not /20),
        # excluded so that pod, node and service IPs stay unreachable
        except:
        - 10.0.0.0/8
        - 192.168.0.0/16
        - 172.16.0.0/12

This will block all traffic except for internet outbound. In the allow-internet-only policy, there is an exception for all private IPs which will prevent pod-to-pod communication.

You will also have to allow egress to CoreDNS in kube-system if you require DNS lookups, as the default-deny-all policy will block DNS queries.

GACy20
user12009826
  • Does not work for me :( When I add this my pods are still able to communicate, but they are not able to access the internet. – superset Sep 19 '19 at 13:47
  • I believe `172.16.0.0/20` should be `172.16.0.0/12` as per https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses – Chris Smith Oct 17 '20 at 15:53
  • Seems like `cidr` should be indented one more level than `ipBlock`. – Doctor Mar 19 '21 at 14:11
  • [Allow DNS egress traffic example from Calico (K8s-native)](https://docs.projectcalico.org/security/tutorials/kubernetes-policy-advanced#5-allow-dns-egress-traffic). Make sure you have the correct namespace **label** (`kubectl get ns --show-labels kube-system`), for K3s it was actually `kubernetes.io/metadata.name=kube-system` – Christopher Markieta Dec 29 '21 at 02:35
  • This policy blocks all egress when I apply it to my namespace :( I have even tried removing the "except" section, and still all egress (from curl) is blocked. – Esben Eickhardt Jul 22 '22 at 06:56
  • @EsbenEickhardt you need to whitelist the DNS server too. I added an answer to complement this – Pithikos Feb 28 '23 at 19:07
1

Something like what @user100.. posted should do, but you ALSO need to allow DNS lookups on top of that, like below.


  # egress rules to add under spec: of a policy whose policyTypes include Egress
  egress:

  # Allow communication to the cluster DNS pods (CoreDNS/kube-dns) in kube-system.
  # namespaceSelector and podSelector sit in the same list item so both must match;
  # as two separate items they would be OR'ed and allow UDP/53 to any pod in kube-system.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    # DNS falls back to TCP for responses that do not fit in a UDP datagram
    - protocol: TCP
      port: 53

  # Allow internet access
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

        # Exclude traffic to Kubernetes service IPs and pods (RFC 1918 ranges)
        except:
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
Pithikos
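Putting the two answers above together (GACy20's default-deny plus allow-internet, Pithikos's DNS rule) with the corrections from the comments, here is a complete manifest for the asker's namespace. This is an added example, not code from any answer on this page. It assumes Kubernetes 1.21 or later (namespaces then carry the `kubernetes.io/metadata.name` label automatically), cluster DNS pods labelled `k8s-app=kube-dns` in `kube-system` (check with `kubectl get pods -n kube-system --show-labels`), and that the cluster's pod, node and service CIDRs all lie inside the RFC 1918 ranges; the policy names `allow-dns-egress` and `allow-internet-egress` are my own. It also excepts the link-local range, which on Azure keeps pods away from the instance metadata service at 169.254.169.254.

```yaml
# Added example, not from the original answers. Apply into the namespace to isolate:
#   kubectl apply -n <namespace> -f netpol.yaml
# Assumes: Kubernetes >= 1.21, DNS pods labelled k8s-app=kube-dns in kube-system,
# and pod/node/service CIDRs inside the RFC 1918 ranges.
---
# 1. Isolate every pod in the namespace in both directions. On its own this
#    blocks all egress, which is what the asker saw.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2. Let every pod resolve names through the cluster DNS pods only.
#    namespaceSelector and podSelector in one list item means both must match.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# 3. Let every pod reach any public IP (e.g. the Azure AD endpoints used for MFA)
#    while the except list keeps pod, node, ClusterIP and link-local ranges unreachable.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internet-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12      # the full RFC 1918 range, not /20
        - 192.168.0.0/16
        - 169.254.0.0/16     # link-local, including the cloud instance metadata service
---
# 4. Only the ingress controller pods in this namespace may reach grafana (from the question).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: grafana-policy
spec:
  podSelector:
    matchLabels:
      app: grafana
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx-ingress
```

To verify, exec into a pod in the namespace and check that `curl -sI https://login.microsoftonline.com` succeeds while a `curl` to another pod's IP in the same namespace times out, and that `nslookup kubernetes.default` still resolves. If the ingress controller runs in a different namespace, the `grafana-policy` peer needs a matching `namespaceSelector` as well. One caveat worth checking first when pods "can still talk to each other": NetworkPolicy objects are only enforced by a network plugin that implements them; on AKS the cluster has to be created with `--network-policy azure` or `--network-policy calico`, otherwise the policies are accepted by the API server and silently ignored.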
0

Kubernetes will allow all traffic unless there is a network policy. If a Network Policy is set, it will only allow traffic set by the network policy and deny everything else.

By default, pods are non-isolated; they accept traffic from any source.

Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. (Other pods in the namespace that are not selected by any NetworkPolicy will continue to accept all traffic.)

https://kubernetes.io/docs/concepts/services-networking/network-policies/#isolated-and-non-isolated-pods

So you will need to specify the Egress rules as well in order for it to work the way you want :)

Community
-1

Can you try like this?

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  # each type is its own list item; "Ingress,Egress" would be one invalid string
  - Ingress
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

It should allow egress to all destinations. But if the destination is a pod, it should be blocked by the lacking ingress rules of the same NetworkPolicy.

weibeld
  • I already tried something like this. Anyway, I just added your NetworkPolicy and my pods are able to talk with Azure, but pod-to-pod traffic is still getting allowed. I'm testing by taking a console to the pod and doing a curl to another pod in the same namespace. – superset Sep 05 '19 at 07:08