Kubernetes Network Policy Egress only allow to certain IP and port
Asked Answered
F

1

5

I am running Kubernetes 1.9.6 with Weave Net 2.4.0. I am trying to lock down access to the Kubernetes internal DNS server and a specific port on another host. I cannot seem to find the proper format for the egress.

I know the following is not a valid policy but is a representation of what I want to do. How do I write the network policy to support this?

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
    name: test-network-policy
    namespace: dev
spec:
    podSelector:
        matchLabels:
            app: plem-network-policy
policyTypes:
- Egress
egress:
- to:
    - ipBlock:
        cidr: 10.3.0.10/32
        ports:
        - protocol: TCP
        port: 53
        - protocol: UDP
        port: 53
    - ipBlock:
        cidr: 10.49.100.37/32
        ports:
        - protocol: TCP
        port: 8200
Flintshire answered 14/8, 2018 at 13:23 Comment(0)
F
8

I was not paying enough attention to multiple blocks for the cidr and ports. This is what I was looking for.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
    name: test-network-policy
    namespace: dev
spec:
    podSelector:
      matchLabels:
        app: plem-network-policy
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.2.0.0/16
    - ipBlock:
        cidr: 10.3.0.10/32
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - ipBlock:
        cidr: 10.49.100.37/32
    - ipBlock:
        cidr: 10.49.100.137/32
    - ipBlock:
        cidr: 10.49.100.85/32
    ports:
    - protocol: TCP
      port: 8200
  - to:
    - ipBlock:
        cidr: 10.29.30.56/32
    ports:
    - protocol: TCP
      port: 5439
Flintshire answered 14/8, 2018 at 14:57 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.