ahmetb / kubernetes-network-policy-recipes

Example recipes for Kubernetes Network Policies that you can just copy paste
Apache License 2.0

example for - allow egress only to public addresses #105

Open floge07 opened 1 year ago

floge07 commented 1 year ago

Proposal to add an example for "allow egress only to public addresses".

In our use case, where we execute some user-configured REST calls, the service running those should not have access to internal Kubernetes endpoints. It took me a while of searching to end up with this policy, given that I'm not that knowledgeable about this topic. I think we can spare other people that by including this as an example here (since this repo is linked in the official docs). And maybe someone notices a flaw in this.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-public-only   # header added so the manifest applies as-is; the snippet began at spec
spec:
  podSelector: {}          # selects every pod in the namespace
  policyTypes:
    - Egress               # egress is now default-deny for the selected pods
  egress:
    # 1. DNS: allow queries to kube-dns in kube-system only
    - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # 2. Everything else: any IPv4 destination except the RFC 1918 private ranges
    - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
```

Allows...

  1. DNS resolve requests
  2. All IPs except the IP ranges defined as private
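As an added example (not part of the issue or the recipes repo), a small checker that applies the ipBlock semantics of the policy above (cidr minus except) to constructed destination addresses, so a reviewer can see what the rule reaches before applying it. The HARDENED variant and the sample destinations are assumptions for illustration; the except list must be matched to the cluster's real pod and service CIDRs.

```python
# Added example: evaluate NetworkPolicy ipBlock rules offline against sample destinations.
import ipaddress

# The ipBlock from the proposed policy, transcribed as data.
PUBLIC_ONLY = {
    "cidr": "0.0.0.0/0",
    "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# One possible tightening (assumption, not from the issue): also carve out link-local
# space, where cloud metadata endpoints live, and RFC 6598 shared address space,
# which some clusters use for pod or node CIDRs.
HARDENED = {
    "cidr": "0.0.0.0/0",
    "except": PUBLIC_ONLY["except"] + ["169.254.0.0/16", "100.64.0.0/10"],
}

def ip_block_allows(block: dict, dest: str) -> bool:
    """True if dest is inside block['cidr'] and outside every block['except'] entry.

    Mirrors ipBlock evaluation: except entries carve holes out of the cidr, and an
    address of another IP family (IPv6 vs an IPv4 cidr) never matches the rule at all.
    """
    addr = ipaddress.ip_address(dest)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(x) for x in block["except"])

def audit(block: dict, dests: list) -> dict:
    """Return {destination: allowed} for a list of candidate destinations."""
    return {d: ip_block_allows(block, d) for d in dests}

# Constructed sample destinations (not from the issue):
SAMPLE_DESTS = [
    "93.184.216.34",    # public address: should be reachable
    "10.96.0.1",        # typical ClusterIP range: blocked by 10.0.0.0/8
    "172.20.5.9",       # inside 172.16.0.0/12: blocked
    "192.168.1.10",     # inside 192.168.0.0/16: blocked
    "169.254.169.254",  # link-local: not covered by the three private ranges
    "100.64.0.1",       # RFC 6598 shared space: not covered either
    "2001:db8::1",      # IPv6: an IPv4 cidr never matches, so this rule grants nothing
]

if __name__ == "__main__":
    for dest, ok in audit(PUBLIC_ONLY, SAMPLE_DESTS).items():
        hard = ip_block_allows(HARDENED, dest)
        print(f"{dest:>16}  proposed={'allow' if ok else 'deny'}  hardened={'allow' if hard else 'deny'}")
```

The checker only models the ipBlock rule; the kube-dns rule uses selectors, which resolve to pod IPs at runtime and cannot be evaluated from the manifest alone.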

boredabdel commented 1 year ago

Sounds like a good idea.