aws / aws-network-policy-agent

Apache License 2.0

Network policy "strict" mode allows ingress even if "Egress" is the only policy type defined #319

Open bogatuadrian opened 1 month ago

bogatuadrian commented 1 month ago

Disclaimer: This behavior might very well be intended, but it could be better explained in the docs for NETWORK_POLICY_ENFORCING_MODE.

What happened:

If NETWORK_POLICY_ENFORCING_MODE is configured to strict and a pod is only targeted by egress-only network policies, ingress is still allowed.

For example, given the following network policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-allow-egress
spec:
  podSelector: {}
  egress:
    - {} # one empty rule allows all egress; `egress` is a list, so a bare `{}` is rejected by the API server
  policyTypes:
    - Egress # note that this policy is only egress

if there is a pod for which this is the only network policy, the pod will allow inbound network connectivity.

This might be intended, but my expectation was that the strict mode disallows all traffic that's not explicitly allowed, and that pod isolation would take policyTypes into consideration, so if the only policy type in all network policies for a pod is Egress, then ingress should be blocked.

The docs state:

However, in the strict mode, a new pod will be blocked from Egress and Ingress connections till a qualifying Network Policy is applied

However, it was my expectation that an egress-only network policy is not qualifying for ingress traffic purposes. At the same time, the Kubernetes docs consider a pod to not be ingress-isolated if there is no Network Policy with the Ingress policy type defined.

Our use-case:

We would like to disallow ingress by default for all pods without needing to explicitly add a network policy with policy type Ingress. It's funny that, out of the box, strict mode enabled us to do this for pods without network policies, but if we create a network policy that only targets Egress, we accidentally and inadvertently allow ingress to said pod.

Environment:

Pavani-Panakanti commented 1 day ago

@bogatuadrian We will update our documentation to state this more explicitly. In strict mode when no network policies are applied the default is deny all. Once any kind of network policy is applied (ingress or egress), the default deny is no longer applicable. From here it is as upstream states, no ingress policy means no ingress pod isolation.
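The rule the maintainer states above can be checked before a policy is applied. The following is an added example, not code from aws-network-policy-agent or from either participant: it models the upstream pod-isolation rule (a pod is ingress-isolated only if some applicable policy lists Ingress in its effective policyTypes, likewise for Egress) together with the strict-mode default (deny all when no policy selects the pod). It assumes the pod and all policies are in the same namespace and that podSelector uses only matchLabels; matchExpressions and namespaceSelector are not modelled. The two policies embedded below are constructed: the egress-only policy from the report, and a variant that adds Ingress to policyTypes with no ingress rules, which is what denies ingress while still allowing all egress.

```python
"""Pod isolation check: upstream NetworkPolicy rules plus the strict-mode default.
Added example, not code from aws-network-policy-agent."""

# Constructed: the egress-only policy from the report (allows all egress).
EGRESS_ONLY = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-allow-egress"},
    "spec": {"podSelector": {}, "egress": [{}], "policyTypes": ["Egress"]},
}

# Constructed: same intent, but Ingress is listed with no ingress rules,
# so the pod becomes ingress-isolated with nothing allowed in.
DENY_INGRESS_ALLOW_EGRESS = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-ingress-allow-egress"},
    "spec": {
        "podSelector": {},
        "egress": [{}],
        "policyTypes": ["Ingress", "Egress"],
    },
}


def policy_types(policy):
    """Effective policyTypes, following the Kubernetes API defaulting rule:
    an explicit list wins; otherwise every policy affects Ingress, and it
    affects Egress only when an egress section is present."""
    spec = policy.get("spec", {})
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def selects(policy, pod_labels):
    """matchLabels-only podSelector (assumption); an empty selector matches all pods."""
    selector = policy.get("spec", {}).get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(key) == value for key, value in selector.items())


def isolation(policies, pod_labels, enforcing_mode="standard"):
    """Return which directions are isolated for a pod with the given labels.

    Strict mode (as described in this thread): no applicable policy means deny
    all. As soon as any policy selects the pod, only the union of the policies'
    policyTypes decides isolation, exactly as upstream specifies."""
    applicable = [p for p in policies if selects(p, pod_labels)]
    if not applicable:
        isolated = enforcing_mode == "strict"
        return {"ingress_isolated": isolated, "egress_isolated": isolated}
    types = set().union(*(policy_types(p) for p in applicable))
    return {
        "ingress_isolated": "Ingress" in types,
        "egress_isolated": "Egress" in types,
    }


if __name__ == "__main__":
    pod = {"app": "web"}
    print("strict, no policies:      ", isolation([], pod, "strict"))
    print("strict, egress-only:      ", isolation([EGRESS_ONLY], pod, "strict"))
    print("strict, ingress+egress:   ", isolation([DENY_INGRESS_ALLOW_EGRESS], pod, "strict"))
```

Running it shows the behaviour from the report: with no policies, strict mode isolates both directions; once `default-allow-egress` selects the pod, `ingress_isolated` flips to `False` because no applicable policy lists Ingress. Adding `Ingress` to policyTypes without any ingress rules restores the deny-all-ingress posture per pod, which is the explicit form the maintainer's explanation implies is needed.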