CodeClinch
commented
5 years ago Currently, there is only one network policy available, which blocks all egress traffic. I think this feature should be extended in the following way:
Add more pre-defined network policies so that a user can choose the best fit for his requirements. And it should also be possible that a user can create a custom network policy if the defaults are not fitting.
The following network policies should be provided:
Level 1)
- Block metadata service
- Block access to kube-system namespace
- Block access to the host network
Level 2)
- Level 1
- Block internet access (egress)
Level 3)
- Level 2
- Permit pod to pod communication only within a namespace (block all communication between pods of different namespaces)
Level 4
- Custom network policies
By default, the level 2 network policy will be created whenever a namespace is created. This default should be specified in the KarydiaSecurityPolicy and can be overwritten with an annotation on a selected namespace.
@marwinski would be great if you could give feedback.
alban
Neumann-Nils
I like the default NetworkPolicy switch for karydia, however I believe it is too static.
I can currently think of two policies to add when a namespace is created:
This resolves quite some possible vulnerabilities, however this might be too strict and some pods might want to opt out of this (e.g. get access to the metadata service and/or the hosts).