Support & Checks for Host Security

[vasu1124]

Description

Support & Checks for Host Security

User Story

As cluster admin I want to ensure that my network (overlay and underlay) is secured by network policies. I additionally can rely on IaaS security groups and other features.

[OPTIONAL] Implementation idea

Calico offers Host Endpoint objects to secure at the host level: https://docs.projectcalico.org/v3.8/security/host-endpoints/

[CodeClinch]

After an investigation of this suggestion, I really like the idea of closing some open doors with calico directly. We have to find a good integration. For a prototype I did the following steps to get the policies into the cluster:

• Create an example pod and a service (bound to host port)

• Create a pod to apply calico GlobalNetworkPolicy

  • Add a clusterrole which allows the creation of GlobalNetworkPolicy to the service account

  • Install calicoctl in the pod add environment variable set DATASTORE_TYPE=kubernetes (Furhter Parameter if necessary)

  • Create policy

Further things to evaluate:

• How could exceptions be defined
• What else could be secured with calico network policies

[Neumann-Nils]

Thanks for your suggestion and sorry that it took us so long to reply. I took a deeper look into Calico and how we could use its features in Karydia.

First, I checked if it is reasonable to add Calico features to Karydia with an appropriate effort, which is definitely the case. I already tested out an implementation sketch to use/apply Calico-managed resources (e.g. GlobalNetworkPolicies and NetworkPolicies) with Karydia (also described here):

1. Create a service account with sufficient permission for creating the defined policies
2. Run a pod with calicoctl that applies the policies and other calico-specific resources
3. Kill the pod after it is finished
4. Remove all calico-related resources created by Karydia if Karydia is deleted

During this test scenario, I had some troubles using HostEndpoints as Karydia is running within the cluster and does not have an overview of all endpoints. Moreover, I am not sure how the use-case would look like and which security benefits should be achieved by your proposed implementation idea. Can you give us some more information about the usage of HostEndpoints within the NetworkPolicies and your motives behind this approach?