strimzi / strimzi-kafka-operator

Apache Kafka® running on Kubernetes
https://strimzi.io/
Apache License 2.0

Add egress rules to network policies #2212

Open tomaley opened 4 years ago

tomaley commented 4 years ago

Strimzi has NetworkPolicy Ingress rules to isolate the pod network and control which pods are allowed to make an incoming connection on a chosen port.

Egress rules are also desired, as they protect other pods in the event that a container within the cluster is compromised, by limiting the ports and destinations with which the compromised container can communicate.

Zookeeper Egress Rules:

Kafka Egress Rules:

scholzj commented 4 years ago

I think that is reasonable. But which CNI plugin that actually supports egress policies are you using? We need to be able to have some reasonable way to test these things etc.

tomaley commented 4 years ago

Points raised by @scholzj

tomaley commented 4 years ago

The requirement for configurable design, tracing egress and OAuth egress changes the balance of the work vs. reward for egress rules. Although they would prevent compromised containers from making connections to arbitrary locations, ingress rules provide a level of protection for the components, and a bad actor executing arbitrary code within a container may be able to alter/circumvent the policies if they have got that far.

Also, as mentioned above, the CNI plugin used in the cluster would need to support egress policies so it is not a feature that applies to everyone.

If development of egress rules is deemed worthwhile in the future, the OAuth mechanism would require Kafka to be able to egress traffic to the chosen OAuth 2.0 provider on the introspection address:port and potentially users should be able to configure egress rules in the CR - perhaps with a toggle for the known components so that the operator can create the known rules and then the ability to add rules arbitrarily.
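As an added illustration of what the hand-managed egress rules discussed in this thread could look like (this is example configuration written for this page, not a manifest from the Strimzi project or from the issue author), the NetworkPolicy below restricts the Kafka broker pods of an assumed cluster named `my-cluster` in an assumed namespace `kafka` to the destinations named above: DNS, other brokers, ZooKeeper, and an in-cluster OAuth 2.0 introspection endpoint. The pod labels (`strimzi.io/cluster`, `strimzi.io/name`), the port numbers, the DNS pod label and the OAuth provider namespace/label/port are all assumptions and need to be checked against the cluster being secured; the policy only takes effect if the CNI plugin enforces egress rules.

```yaml
# Added example, not Strimzi project code: a hand-written egress NetworkPolicy
# for the Kafka broker pods of a cluster assumed to be named "my-cluster".
# Every label, namespace and port below is an assumption to verify locally.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-cluster-kafka-egress        # assumed policy name
  namespace: kafka                     # assumed namespace of the Kafka cluster
spec:
  podSelector:
    matchLabels:
      strimzi.io/cluster: my-cluster   # assumed cluster name
      strimzi.io/name: my-cluster-kafka
  policyTypes:
    - Egress                           # egress only; the operator's ingress policies are left untouched
  egress:
    # DNS: without this the brokers cannot resolve the ZooKeeper and broker service names.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns        # assumed label of the cluster DNS pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Broker-to-broker replication traffic.
    - to:
        - podSelector:
            matchLabels:
              strimzi.io/cluster: my-cluster
              strimzi.io/name: my-cluster-kafka
      ports:
        - protocol: TCP
          port: 9091                   # assumed replication listener port
    # Broker-to-ZooKeeper client connections.
    - to:
        - podSelector:
            matchLabels:
              strimzi.io/cluster: my-cluster
              strimzi.io/name: my-cluster-zookeeper
      ports:
        - protocol: TCP
          port: 2181                   # assumed ZooKeeper client port
    # OAuth 2.0 introspection endpoint (the case raised in this thread), here an
    # in-cluster provider selected by namespace and pod label. A provider outside
    # the cluster would need an ipBlock entry instead of the selectors.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: auth   # assumed namespace of the provider
          podSelector:
            matchLabels:
              app: oauth-server                   # assumed label of the provider pods
      ports:
        - protocol: TCP
          port: 8443                              # assumed introspection address:port
```

Anything not listed (for example a metrics exporter, a tracing collector, or a Cruise Control endpoint) is blocked once this policy is applied, which is why the thread treats a fully configurable rule set as a prerequisite; a practical check is to apply the policy to a non-production cluster first and watch the broker logs for connection failures before adopting it.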

cp38510 commented 4 years ago

Hello!! Did I understand correctly that egress network policies are currently not supported by the operator? Or where can I find a manual about setting them up?

scholzj commented 4 years ago

Yes, that is correct. They are not supported / managed by the operator. I think that the operator does not touch egress policies at all. So you might be able to just manage them yourself manually if your networking supports it.

cp38510 commented 4 years ago

> Yes, that is correct. They are not supported / managed by the operator. I think that the operator does not touch egress policies at all. So you might be able to just manage them yourself manually if your networking supports it.

Ok, thank you!

scholzj commented 2 years ago

Triaged on 17.3.2022: Not a priority right now. But it might be a useful addition. A proposal is needed to cover how it would be implemented and how it would deal with things such as OPA, OAuth connections etc.