mathieu-benoit / my-kubernetes-deployments

myblog - `NetworkPolicies` improvements #7

Open mathieu-benoit opened 3 years ago

mathieu-benoit commented 3 years ago

I'm wondering if I could improve the NetworkPolicies setup with myblog:

Egress is all open. Could I keep egress wide open just for the istio-proxy sidecar, which needs it, but maybe not for the myblog Pod? Today I use the app=myblog selector: https://github.com/mathieu-benoit/my-kubernetes-deployments/blob/main/namespaces/myblog/myblog/networkpolicies.yaml#L18

Does this istio-proxy sidecar need something like the policy below, for example?

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-istiod
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:                      # two separate peers below: matching either one is enough
    - namespaceSelector:     # peer 1: any pod in a namespace carrying this label
        matchLabels:
          app.kubernetes.io/name: istio-controlplane   # label name for istio-system namespace
    - podSelector:           # peer 2: pods with this label in the policy's own namespace
        matchLabels:
          istio: pilot   # label match for istiod pods
  - ports:                   # no `to` here: port 53 to any destination (DNS)
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
```

And what about the fact that it sends traces to Cloud Monitoring/Trace?

A further consideration too: when I add the IngressGateway in front of myblog, should I change/restrict the Ingress rules as illustrated with productpage there?

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: product-page-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: productpage
  ingress:
  - ports:
    - protocol: TCP
      port: 9080
    from:
    - podSelector:     # podSelector alone: pods labelled istio=ingress in this same namespace (default)
        matchLabels:
          istio: ingress
```

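As an added example that is not part of the issue or the repository, the following Python script models the egress semantics of a `networking.k8s.io/v1` NetworkPolicy and runs the `allow-to-istiod` policy quoted above against a handful of constructed destinations. Two points it makes concrete: a NetworkPolicy selects pods, not containers, so `podSelector: {}` governs the istio-proxy sidecar and the application container alike; and the two list items under `to` in the quoted policy are ORed, so the first peer admits any pod in the `istio-controlplane`-labelled namespace, while the second, a bare `podSelector`, admits `istio: pilot` pods in the policy's own namespace. A tightened variant with both selectors in one peer (ANDed) is included for comparison; that variant, the namespace name `myblog`, the destination labels and the port numbers are assumptions for the example. Traffic to Cloud Trace leaves the cluster and could only be admitted by an `ipBlock` peer, which this evaluator does not model, so it is denied by both policies here.

```python
"""Added example, not code from the issue or the repository: a small evaluator
for networking.k8s.io/v1 NetworkPolicy egress semantics. Models matchLabels,
namespaceSelector/podSelector peers and port lists. ipBlock, matchExpressions
and endPort are NOT modelled, so anything outside the cluster never matches."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Destination:
    """A candidate egress destination (constructed test data)."""
    name: str
    namespace: Optional[str]   # None = outside the cluster (e.g. a Google API endpoint)
    namespace_labels: dict
    pod_labels: dict
    port: int
    protocol: str = "TCP"


def _match_labels(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector pair must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer: dict, dst: Destination, policy_namespace: str) -> bool:
    """Inside ONE peer, namespaceSelector AND podSelector must both hold.
    A peer with only a podSelector means pods in the policy's own namespace."""
    if dst.namespace is None:
        return False  # only an ipBlock peer (not modelled) can reach outside the cluster
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = (_match_labels(ns_sel, dst.namespace_labels) if ns_sel is not None
             else dst.namespace == policy_namespace)
    pod_ok = pod_sel is None or _match_labels(pod_sel, dst.pod_labels)
    return ns_ok and pod_ok


def _port_matches(entry: dict, dst: Destination) -> bool:
    return entry.get("protocol", "TCP") == dst.protocol and entry.get("port") == dst.port


def policy_applies(policy: dict, src_pod_labels: dict) -> bool:
    # spec.podSelector picks the pods the policy governs; {} = every pod in the namespace
    return _match_labels(policy["spec"].get("podSelector", {}), src_pod_labels)


def egress_allowed(policy: dict, dst: Destination, policy_namespace: str) -> bool:
    """True if ANY egress rule allows dst. Within a rule: `to` absent = any
    destination, else ANY peer must match; `ports` absent = any port, else ANY
    entry must match. policyTypes Egress with egress: [] denies everything."""
    spec = policy["spec"]
    if "Egress" not in spec.get("policyTypes", []):
        return True  # this policy does not restrict egress at all
    for rule in spec.get("egress", []):
        to, ports = rule.get("to"), rule.get("ports")
        peer_ok = to is None or any(_peer_matches(p, dst, policy_namespace) for p in to)
        port_ok = ports is None or any(_port_matches(p, dst) for p in ports)
        if peer_ok and port_ok:
            return True
    return False


POLICY_NAMESPACE = "myblog"  # assumption: the policy lives in the myblog namespace
ISTIO_NS_SELECTOR = {"matchLabels": {"app.kubernetes.io/name": "istio-controlplane"}}
ISTIOD_SELECTOR = {"matchLabels": {"istio": "pilot"}}
DNS_RULE = {"ports": [{"port": 53, "protocol": "TCP"}, {"port": 53, "protocol": "UDP"}]}

# The policy as quoted in the issue: two list items under `to`, which are ORed.
ISSUE_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-to-istiod"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"namespaceSelector": ISTIO_NS_SELECTOR},
                                {"podSelector": ISTIOD_SELECTOR}]}, DNS_RULE]},
}
# Tightened variant (an assumption, not from the repo): ONE peer carrying both
# selectors, so the namespace label AND the istiod pod label must match.
TIGHTENED_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-to-istiod"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"namespaceSelector": ISTIO_NS_SELECTOR,
                                 "podSelector": ISTIOD_SELECTOR}]}, DNS_RULE]},
}

ISTIO_NS_LABELS = {"app.kubernetes.io/name": "istio-controlplane"}
# Constructed destinations; labels and ports are assumptions made for this example.
DESTINATIONS = [
    Destination("istiod xDS", "istio-system", ISTIO_NS_LABELS, {"istio": "pilot"}, 15012),
    Destination("other pod in istio-system", "istio-system", ISTIO_NS_LABELS, {"app": "other"}, 8080),
    Destination("istio=pilot pod in myblog", "myblog", {"kubernetes.io/metadata.name": "myblog"},
                {"istio": "pilot"}, 9000),
    Destination("kube-dns", "kube-system", {"kubernetes.io/metadata.name": "kube-system"},
                {"k8s-app": "kube-dns"}, 53, "UDP"),
    Destination("Cloud Trace API", None, {}, {}, 443),
]


def compare() -> dict:
    """name -> (allowed by the quoted policy, allowed by the tightened policy)."""
    return {d.name: (egress_allowed(ISSUE_POLICY, d, POLICY_NAMESPACE),
                     egress_allowed(TIGHTENED_POLICY, d, POLICY_NAMESPACE))
            for d in DESTINATIONS}


if __name__ == "__main__":
    for name, (loose, tight) in compare().items():
        print(f"{name:28s} quoted-policy={loose!s:5s} tightened={tight!s:5s}")
```

Running it shows the quoted policy admitting any pod in the control-plane namespace and any `istio: pilot` pod in `myblog`, where the tightened policy admits only istiod; both still allow DNS on port 53 to anywhere in the cluster, and neither lets the sidecar reach an endpoint outside the cluster, which is what a real policy would need an `ipBlock` rule for.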
mathieu-benoit commented 3 years ago

For the last part with the IngressGateway, it's now taken into account as of https://github.com/mathieu-benoit/my-kubernetes-deployments/commit/777f26f4f6d206afbf41b1a2fe0d89a7e967b30b, with the addition of myblog to the ASM mesh and the new asm-ingress namespace.