
I have a Kubernetes cluster with Calico network overlay installed in it. How do I configure a network policy object to prevent pods connecting to the port 10250 (kubelet API) on the nodes? I have something along these lines:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-egress-to-nodes
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Egress
  - Ingress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 172.20.0.0/16
  ingress:
  - {}

This doesn't specifically block port 10250, though. It blocks all egress connections to the nodes, which also blocks communication between the application services running in the cluster. Is there a way to block only egress connections to the port 10250 in the cluster nodes? I know it can be done through IPTABLES, but I'd rather do it via Calico using a network policy object.

Reference: https://raesene.github.io/blog/2018/03/25/kubernetes-network-policies/

pkout

2 Answers


I was able to get it working by creating one more network policy object with the following content:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-egress-to-nodes-on-ports-80-and-443
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 172.20.0.0/16
    ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443

I had to enable egress connections from the pods on ports 80 and 443 because the pods communicate with each other via HTTP/S. I am not sure why I need to open those ports on the nodes' CIDR block though, because the pods, as services, run on their own, different CIDR block. So I am not going to mark this as the accepted answer in case someone provides a better answer, but this unblocked me.

pkout
  • So I *think* this will be the way to go: once you have a default deny network policy, you then have to open up ports and hosts as required. I don't think you can have "allow everything apart from this one port". – Rory McCune Jun 06 '18 at 18:30
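The "allow everything apart from this one port" shape that the question asks for, and that the comment above notes is unavailable in the networking.k8s.io/v1 API, is expressible in Calico's own policy API, because every Calico rule carries an explicit action. The following is an added example, not from the original question or answers: the node CIDR 172.20.0.0/16 is taken from the question, the policy name and order value are assumptions, and the object is applied with calicoctl rather than kubectl.

```yaml
# Added example: a Calico-native NetworkPolicy (projectcalico.org/v3), applied with
# `calicoctl apply -f <file>`. Unlike networking.k8s.io/v1, each rule has an
# action, so a narrow Deny can be placed in front of a broad Allow.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-kubelet-api-egress   # assumed name
  namespace: dev
spec:
  order: 100                     # assumed; lower values are evaluated first
  selector: all()                # every pod in the namespace
  types:
  - Egress
  egress:
  # Rule 1: drop TCP connections to the kubelet API (10250) on any node.
  - action: Deny
    protocol: TCP
    destination:
      nets:
      - 172.20.0.0/16            # node CIDR from the question
      ports:
      - 10250
  # Rule 2: everything else (pod-to-pod HTTP/S, DNS, ...) stays open, so the
  # separate allow policy for ports 80 and 443 is no longer needed.
  - action: Allow
```

Rules are evaluated in order and Calico stops at the first match, so the Deny must precede the Allow; `calicoctl get networkpolicy -n dev -o yaml` shows the object as stored, since `kubectl get networkpolicies` only lists networking.k8s.io/v1 objects.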

Project Calico is a pure Layer 3 approach to virtual networking for highly scalable data centers, and it is popular as a micro firewall on the Kubernetes stack.

You can specify port and protocol with egress IP address pool. Try to apply this configuration:

kubectl create -f - <<EOF
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
 name: deny-egress-to-nodes
 namespace: dev
spec:
 podSelector: {}
 policyTypes:
 - Egress
 - Ingress
 egress:
 - to:
   - ipBlock:
       cidr: 0.0.0.0/0
       except:
       - 172.20.0.0/16
   ports:
   - protocol: TCP
     port: 10250
 ingress:
 - {}
EOF

I've adjusted the configuration based on the Project Calico tutorial.

d0bry
  • Thanks! This doesn't work, unfortunately. The `ports` section specifies what ports are allowed to connect to for egress connections, not which ports are denied to connect to. I need to specify that the port 10250 is denied for egress. Is there a way to specify a range of ports? I tried various things, but it never worked. Something like: [0-10249, 10251-65535]. It doesn't seem to be configurable this way. – pkout Jun 05 '18 at 16:34