How to disallow access to a container port from the pod ip in Kubernetes

Question

By default Kubernetes allow pods to access other pods using the pod IP.

I have 2 pods. Pod1 and Pod2. Pod1 has a mysql server and a PHP application. And Pod2 has a php application. The Pod1 ip is 174.17.0.4, Within the Pod2 the php application can access the mysql server from the address 174.17.0.4:3306.

The Pod1 and the Pod2 are 2 different applications. Pod2 doesn't have nothing to do with Pod1. So my concern is if Pod2 got hacked, the hacker can scan the network and brute force attack the Pod1 mysql server.

How can I disallow access to the mysql port 3306 from outside the pod1?

score 2 · Answer 1 · answered Jan 15 '20 at 23:29

2

If your cluster setup supports NetworkPolicy resource, you can look into network policy. With it, you can set specific ingress and egress policies to specific pods.

answered Jan 15 '20 at 23:29

L-Tan

121
2

Note: You can check from [this post](https://itnext.io/benchmark-results-of-kubernetes-network-plugins-cni-over-10gbit-s-network-updated-april-2019-4a9886efe9c4#32ee) if your cluster's CNI supports Network Policy. – bells17 Jan 16 '20 at 01:31

score 0 · Accepted Answer · answered Jan 18 '20 at 16:15

First step to declare a Network Policy is to install a network provider with network policy support. For more info follow this link. As I was using Minikube, I installed Cilium. Follow this link on how to install it. And make sure you have enough space on your hard drive otherwise you the Cilium pods will be in pending state with this error in events 1 node had taints that the pod didn't tolerate.

How to disallow access to a container port from the pod ip in Kubernetes

2 Answers2