| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * networking/network_security/AdminNetworkPolicy/ovn-k-egress-nodes-networks-peer.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: CONCEPT |
| 6 | +[id="nw-anp-egress_{context}"] |
| 7 | += Northbound traffic controls for AdminNetworkPolicy and BaselineAdminNetworkPolicy |
| 8 | + |
| 9 | +In addition to supporting east-west traffic controls, ANP and BANP also allow administrators to control their northbound traffic leaving the cluster or traffic leaving the node to other nodes in the cluster. End-users can do the following: |
| 10 | + |
| 11 | +* Implement egress traffic control towards cluster nodes using `nodes` egress peer |
| 12 | +
|
| 13 | +* Implement egress traffic control towards Kubernetes API servers using `nodes` or `networks` egress peers |
| 14 | +
|
| 15 | +* Implement egress traffic control towards external destinations outside the cluster using `networks` peer |
| 16 | +
|
| 17 | +[NOTE] |
| 18 | +==== |
| 19 | +For ANP and BANP, `nodes` and `networks` peers can be specified for egress rules only. |
| 20 | +==== |
| 21 | + |
| 22 | +[id="egress-traffic-control-towards-cluster-nodes_{context}"] |
| 23 | +== Using nodes peer to control egress traffic to cluster nodes |
| 24 | + |
| 25 | +Using the `nodes` peer administrators can control egress traffic from pods to nodes in the cluster. A benefit of this is that you do not have to change the policy when nodes are added to or deleted from the cluster. |
| 26 | + |
| 27 | +The following example allows egress traffic to the Kubernetes API server on port `6443` by any of the namespaces with a `restricted`, `confidential`, or `internal` level of security using the node selector peer. It also denies traffic to all worker nodes in your cluster from any of the namespaces with a `restricted`, `confidential`, or `internal` level of security. |
| 28 | + |
| 29 | +.Example of ANP `Allow` egress using `nodes` peer |
| 30 | +[%collapsible] |
| 31 | +==== |
| 32 | +[source,yaml] |
| 33 | +---- |
| 34 | +apiVersion: policy.networking.k8s.io/v1alpha1 |
| 35 | +kind: AdminNetworkPolicy |
| 36 | +metadata: |
| 37 | + name: egress-security-allow |
| 38 | +spec: |
| 39 | + egress: |
| 40 | + - action: Deny |
| 41 | + to: |
| 42 | + - nodes: |
| 43 | + matchExpressions: |
| 44 | + - key: node-role.kubernetes.io/worker |
| 45 | + operator: Exists |
| 46 | + - action: Allow |
| 47 | + name: allow-to-kubernetes-api-server-and-engr-dept-pods |
| 48 | + ports: |
| 49 | + - portNumber: |
| 50 | + port: 6443 |
| 51 | + protocol: TCP |
| 52 | + to: |
| 53 | + - nodes: <1> |
| 54 | + matchExpressions: |
| 55 | + - key: node-role.kubernetes.io/control-plane |
| 56 | + operator: Exists |
| 57 | + - pods: <2> |
| 58 | + namespaceSelector: |
| 59 | + matchLabels: |
| 60 | + dept: engr |
| 61 | + podSelector: {} |
| 62 | + priority: 55 |
| 63 | + subject: <3> |
| 64 | + namespaces: |
| 65 | + matchExpressions: |
| 66 | + - key: security <4> |
| 67 | + operator: In |
| 68 | + values: |
| 69 | + - restricted |
| 70 | + - confidential |
| 71 | + - internal |
| 72 | +---- |
| 73 | +<1> Specifies a node or set of nodes in the cluster using the `matchExpressions` field. |
| 74 | +<2> Specifies all the pods labeled with `dept: engr`. |
| 75 | +<3> Specifies the subject of the ANP which includes any namespaces that match the labels used by the network policy. The example matches any of the namespaces with `restricted`, `confidential`, or `internal` level of `security`. |
| 76 | +<4> Specifies key/value pairs for `matchExpressions` field. |
| 77 | +==== |
| 78 | + |
| 79 | +[id="egress-traffic-control-networks-peer-external-destinations_{context}"] |
| 80 | +== Using networks peer to control egress traffic towards external destinations |
| 81 | + |
| 82 | +Cluster administrators can use CIDR ranges in `networks` peer and apply a policy to control egress traffic leaving from pods and going to a destination configured at the IP address that is within the CIDR range specified with `networks` field. |
| 83 | + |
| 84 | +The following example uses `networks` peer and combines ANP and BANP policies to restrict egress traffic. |
| 85 | + |
| 86 | +[IMPORTANT] |
| 87 | +==== |
| 88 | +Use the empty selector ({}) in the `namespace` field for ANP and BANP with caution. When using an empty selector, it also selects OpenShift namespaces. |
| 89 | +
|
| 90 | +If you use values of `0.0.0.0/0` in a ANP or BANP `Deny` rule, you must set a higher priority ANP `Allow` rule to necessary destinations before setting the `Deny` to `0.0.0.0/0`. |
| 91 | +==== |
| 92 | + |
| 93 | +.Example of ANP and BANP using `networks` peers |
| 94 | +[%collapsible] |
| 95 | +==== |
| 96 | +[source,yaml] |
| 97 | +---- |
| 98 | +apiVersion: policy.networking.k8s.io/v1alpha1 |
| 99 | +kind: AdminNetworkPolicy |
| 100 | +metadata: |
| 101 | + name: network-as-egress-peer |
| 102 | +spec: |
| 103 | + priority: 70 |
| 104 | + subject: |
| 105 | + namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well. |
| 106 | + egress: |
| 107 | + - name: "deny-egress-to-external-dns-servers" |
| 108 | + action: "Deny" |
| 109 | + to: |
| 110 | + - networks:<1> |
| 111 | + - 8.8.8.8/32 |
| 112 | + - 8.8.4.4/32 |
| 113 | + - 208.67.222.222/32 |
| 114 | + ports: |
| 115 | + - portNumber: |
| 116 | + protocol: UDP |
| 117 | + port: 53 |
| 118 | + - name: "allow-all-egress-to-intranet" |
| 119 | + action: "Allow" |
| 120 | + to: |
| 121 | + - networks: <2> |
| 122 | + - 89.246.180.0/22 |
| 123 | + - 60.45.72.0/22 |
| 124 | + - name: "allow-all-intra-cluster-traffic" |
| 125 | + action: "Allow" |
| 126 | + to: |
| 127 | + - namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well. |
| 128 | + - name: "pass-all-egress-to-internet" |
| 129 | + action: "Pass" |
| 130 | + to: |
| 131 | + - networks: |
| 132 | + - 0.0.0.0/0 <3> |
| 133 | +--- |
| 134 | +apiVersion: policy.networking.k8s.io/v1alpha1 |
| 135 | +kind: BaselineAdminNetworkPolicy |
| 136 | +metadata: |
| 137 | + name: default |
| 138 | +spec: |
| 139 | + subject: |
| 140 | + namespaces: {} # Use the empty selector with caution because it also selects OpenShift namespaces as well. |
| 141 | + egress: |
| 142 | + - name: "deny-all-egress-to-internet" |
| 143 | + action: "Deny" |
| 144 | + to: |
| 145 | + - networks: |
| 146 | + - 0.0.0.0/0 <3> |
| 147 | +--- |
| 148 | +---- |
| 149 | +<1> Use `networks` to specify a range of CIDR networks outside of the cluster. |
| 150 | +<2> Specifies the CIDR ranges for the intra-cluster traffic from your resources. |
| 151 | +<3> Specifies a `Deny` egress to everything by setting `networks` values to `0.0.0.0/0`. Make sure you have a higher priority `Allow` rule to necessary destinations before setting a `Deny` to `0.0.0.0/0` because this will deny all traffic including to Kubernetes API and DNS servers. |
| 152 | +==== |
| 153 | + |
| 154 | +Collectively the `network-as-egress-peer` ANP and `default` BANP using `networks` peers enforces the following egress policy: |
| 155 | + |
| 156 | +* All pods cannot talk to external DNS servers at the listed IP addresses. |
| 157 | + |
| 158 | +* All pods can talk to rest of the company's intranet. |
| 159 | + |
| 160 | +* All pods can talk to other pods, nodes, and services. |
| 161 | + |
| 162 | +* All pods cannot talk to the internet. Combining the last ANP `Pass` rule and the strong BANP `Deny` rule a guardrail policy is created that secures traffic in the cluster. |
| 163 | + |
| 164 | +[id="combined-nodes-peer-networks-peer-anp"] |
| 165 | +== Using nodes peer and networks peer together |
| 166 | + |
| 167 | +Cluster administrators can combine `nodes` and `networks` peer in your ANP and BANP policies. |
| 168 | + |
| 169 | +.Example of `nodes` and `networks` peer |
| 170 | +[%collapsible] |
| 171 | +==== |
| 172 | +[source,yaml] |
| 173 | +---- |
| 174 | +apiVersion: policy.networking.k8s.io/v1alpha1 |
| 175 | +kind: AdminNetworkPolicy |
| 176 | +metadata: |
| 177 | + name: egress-peer-1 <1> |
| 178 | +spec: |
| 179 | + egress: <2> |
| 180 | + - action: "Allow" |
| 181 | + name: "allow-egress" |
| 182 | + to: |
| 183 | + - nodes: |
| 184 | + matchExpressions: |
| 185 | + - key: worker-group |
| 186 | + operator: In |
| 187 | + values: |
| 188 | + - workloads # Egress traffic from nodes with label worker-group: workloads is allowed. |
| 189 | + - networks: |
| 190 | + - 104.154.164.170/32 |
| 191 | + - pods: |
| 192 | + namespaceSelector: |
| 193 | + matchLabels: |
| 194 | + apps: external-apps |
| 195 | + podSelector: |
| 196 | + matchLabels: |
| 197 | + app: web # This rule in the policy allows the traffic directed to pods labeled apps: web in projects with apps: external-apps to leave the cluster. |
| 198 | + - action: "Deny" |
| 199 | + name: "deny-egress" |
| 200 | + to: |
| 201 | + - nodes: |
| 202 | + matchExpressions: |
| 203 | + - key: worker-group |
| 204 | + operator: In |
| 205 | + values: |
| 206 | + - infra # Egress traffic from nodes with label worker-group: infra is denied. |
| 207 | + - networks: |
| 208 | + - 104.154.164.160/32 # Egress traffic to this IP address from cluster is denied. |
| 209 | + - pods: |
| 210 | + namespaceSelector: |
| 211 | + matchLabels: |
| 212 | + apps: internal-apps |
| 213 | + podSelector: {} |
| 214 | + - action: "Pass" |
| 215 | + name: "pass-egress" |
| 216 | + to: |
| 217 | + - nodes: |
| 218 | + matchExpressions: |
| 219 | + - key: node-role.kubernetes.io/worker |
| 220 | + operator: Exists # All other egress traffic is passed to NetworkPolicy or BANP for evaluation. |
| 221 | + priority: 30 <3> |
| 222 | + subject: <4> |
| 223 | + namespaces: |
| 224 | + matchLabels: |
| 225 | + apps: all-apps |
| 226 | +---- |
| 227 | +<1> Specifies the name of the policy. |
| 228 | +<2> For `nodes` and `networks` peers, you can only use northbound traffic controls in ANP as `egress`. |
| 229 | +<3> Specifies the priority of the ANP, determining the order in which they should be evaluated. Lower priority rules have higher precedence. ANP accepts values of 0-99 with 0 being the highest priority and 99 being the lowest. |
| 230 | +<4> Specifies the set of pods in the cluster on which the rules of the policy are to be applied. In the example, any pods with the `apps: all-apps` label across all namespaces are the `subject` of the policy. |
| 231 | +==== |
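Review bot: the inline comments on the `nodes` peers in the `allow-egress` and `deny-egress` rules of `egress-peer-1` state the direction backwards: `nodes` sits under `to:`, so those rules match egress traffic *to* nodes labeled `worker-group: workloads` / `worker-group: infra`, not traffic *from* those nodes; reword to `# Egress traffic to nodes with label worker-group: workloads is allowed.` and likewise for `infra`. In the same rule the pods peer selects `app: web` but the comment says `apps: web`, and since a `pods` peer selects destinations inside the cluster the phrase "to leave the cluster" is wrong. Callout <4> of that example misreads the subject too: `namespaces: matchLabels: apps: all-apps` selects every pod in namespaces labeled `apps: all-apps`, not pods carrying that label across all namespaces. In the first example, the unnamed `Deny` to every node with `node-role.kubernetes.io/worker` is listed ahead of the `Allow` to control-plane nodes on `6443`; rules within one ANP are evaluated in order, so on clusters whose control-plane nodes also carry the worker label the API-server traffic the text promises to allow is denied, which deserves either a reorder or an explicit caveat (and the Deny rule should get a `name` like its sibling). In the `networks` example, callout <2> says "intra-cluster traffic" while the rule is `allow-all-egress-to-intranet` and the summary calls the ranges the company's intranet; and the summary bullet "All pods can talk to other pods, nodes, and services" is not backed by any `nodes` peer in `network-as-egress-peer` or `default`, so either add one or narrow the claim. The id `combined-nodes-peer-networks-peer-anp` lacks the `_{context}` suffix the other ids in this module use, which yields duplicate ids when the module is included in more than one assembly. Style: `networks:<1>` needs a space before the callout to match the other callouts; "also selects OpenShift namespaces as well" (three occurrences) is redundant; "a ANP" should be "an ANP"; "ANP and `default` BANP ... enforces" should be "enforce"; and "End-users can do the following" in the intro conflicts with the administrator audience used everywhere else.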