Inside Kubernetes network policy

The Kubernetes Networking Model guarantees that all Kubernetes Pods on a Kubernetes Cluster are able to communicate, that is, able to exchange messages. However, the Networking Semantics change in the presence of Networking Policies from Default Allow for all Pods to Default Deny for selected Pods with Explicit Allow:

Default allow

The Kubernetes Network permits all incoming and outgoing messages to and from any Pod per default.

Default deny

However, if there exists some Network Policy selecting a Pod, the Kubernetes Network prohibits all incoming and outgoing messages to and from the Pod per default.

Explicit allow

Then, if there exists some Network Policy selecting a Pod and some rule of the Network Policy allowing Ingress or Egress, the Kubernetes Network permits matching incoming and outgoing messages to and from the Pod.

K8s networking policies

Kubernetes Networking Policies are a core abstraction of Kubernetes: Per Pod, Network Policies determine if an incoming (Ingress) or outgoing (Egress) message is permitted or prohibited by the Kubernetes Network.

Not this

Since Kubernetes Pods are arguably the core abstraction of Kubernetes, one may reasonably conclude that Kubernetes Network Policies express allowed traffic flow holistically in terms of Pods e.g. in terms of a set of Pods, the possible source, and a set of Pods, the possible target. However, this is not how Network Policies work.

But that

A Kubernetes Network Policy determines whether an incoming or outgoing message is either permitted or prohibited. For two Pods to communicate

• both Pods must be unselected or
• there must exist
  • a Network Policy that permits Egress from the source to the target and
  • a Network Policy that permits Ingress to the target from the source.

K8s networking policies: Formal description

A Kubernetes Network Policy Object may be classified as an Ingress or Egress Policy. Note that a Kubernetes Network Policy Object may be an Ingress and Egress Policy at the same time:

Ingress-Policies ≝
  {P ∈ Policies : "Ingress" ∈ as-set(Pol.Spec.PolicyType)}
Egress-Policies ≝
  {P ∈ Policies : "Egress" ∈ as-set(Pol.Spec.PolicyType)}

• Ingress Policies default to deny and explicitly allow incoming messages
• Egress Policies default to deny and explicitly allow outgoing messages of selected Pods.
• Ingress of a Pod is restricted if there is at least one Ingress Network Policy that selects that Pod.
• Egress of a Pod is restricted if there is at least one Ingress Network Policy that selects that Pod.

IngressRestricted(Pod) ≝
  ∃ Pol ∈ Ingress-Policies:
    Pod.Labels match Pol.Spec.PodSelector
EgressRestricted(Pod) ≝
  ∃ Pol ∈ Egress-Policies:
    Pod.Labels match Pol.Spec.PodSelector

• Ingress to a Pod is allowed if the Pod is not restricted or if the Pod is restricted but there exists an Ingress Rule that explicitly allows Ingress to this Pod.

• Egress from a Pod is allowed if the Pod is not restricted or if the Pod is restricted but there exists an Egress Rule that explicitly allows Egress from this Pod.

IngressAllowed(Pod, (sAddr, sPort, tAddr, tPort, Proto)) ≝
 IngressRestricted(Pod)
  ⟹
   ∃ Pol ∈ Ingress-Policies:
     ∧ Pod.Labels match Pol.Spec.PodSelector
     ∧ ∃ Rule ∈ Pol.Spec.Ingress:
       ∧ ∃ Peer ∈ Rule.From:
           PeerAllowed
             (Peer, sAddr)
       # if no port is specified all ports and protocols are allowed
       ∧ Rule.Ports ≠ ∅
          ⟹
           ∃ Port ∈ Rule.Ports:
             ∧ Port.Protocol = Proto
             ∧ Port.Port match tPort
EgressAllowed(Pod, (sAddr, sPort, tAddr, tPort, Proto)) ≝
 EgressRestricted(Pod)
  ⟹
   ∃ Pol ∈ Egress-Policies:
     ∧ Pod.Labels match Pol.Spec.PodSelector
     ∧ ∃ Rule ∈ Pol.Spec.Egress:
       ∧ ∃ Peer ∈ Rule.To:
           PeerAllowed
             (Peer, tAddr)
       # if no port is specified all ports and protocols are allowed
       ∧ Rule.Ports ≠ ∅
          ⟹
           ∃ Port ∈ Rule.Ports:
             ∧ Port.Protocol = Proto
             ∧ Port.Port match tPort

• An Ingress Policy selects its peers based on the Source Address of the incoming message,

• an Egress Policy selects its peers based on the Target Address of the outgoing message, however both follow the same logic.

PeerAllowed(Peer, Addr) ≝
 CASE Peer.PodSelector ≠ NIL Peer.NamespaceSelector ≠ Nil
    → ∃ S ∈ Pods:
        ∧ S.Labels match From.PodSelector
        ∧ S.NameSpace match From.NamespaceSelector
        ∧ S.Status.PodIP = Addr
    ◻︎ Peer.PodSelector ≠ NIL Peer.NamespaceSelector = Nil
    → ∃ S ∈ Pods:
        ∧ S.Labels match From.PodSelector
        ∧ S.NameSpace = Pol.Namespace
        ∧ S.Status.PodIP = Addr
    ◻︎ Peer.PodSelector = NIL Peer.NamespaceSelector ≠ Nil
    → ∃ S ∈ Pods:
        ∧ S.NameSpace = From.NamespaceSelector
        ∧ S.Status.PodIP = Addr
    ◻︎ Peer.PodSelector = NIL Peer.NamespaceSelector = Nil
    → ∧ sAddr ∈ as-set(From.IPBlock.CIDR)
      ∧ ∄ Except in From.IPBlock.Except
          Addr ∈ as-set(Except)

Implementation of Kubernetes network policy updates

Please visit Kubernetes Networking for a discussion of the Kubernetes Networking Model and the Conceptual Networking Model used throughout this blog post: In this model, a network is a Network Graph that consists of a set of Nodes and a set of Links between the Nodes: One Node may exchange a message with another Node if and only if there exists a link between the Nodes. A Node in the network is either a Process or a Switch. Processes produce and consume messages, Switches process messages according to their Forward Information Base (FIB). Kubernetes provides a Network Specification but Kubernetes does not provide a Network Implementation. In fact, many alternative implementations, called Network Plugins, exist today. In order to use Kubernetes Network Policies, that is, in order for the presence of a Network Policy Object to have the desired effects, the installed Network Plugin must support Network Policies.

An example of Kubernetes network policies

Figure 6. illustrates the example used in this section: A Kubernetes Cluster K₁ that consists of two Nodes. Each Node hosts two Pods. Each Pod resides in the default namespace and executes two Containers, one Container listening on port 8080, one Container listening on port 9090. In addition

• Pod P₁ has a labelset of {role: frontend}
• Pod P₂ has a labelset of {role: backend}

For this example, we will assume that following requirements:

• P₁ may receive traffic from any source
• P₁ may send traffic to P₂ only
• P₂ may receive traffic from P₁ only
• P₂ may send traffic to any target

Default deny

In order to restrict communication we must flip

• P₁’s Egress and
• P₂’s Ingress from Default Allow to Default Deny, that is, we must create
• an Egress Policy that selects P₁ and

• an Ingress Policy that selects P₂. P₃ and P₄ are not selected, therefore P₃’s and P₄’s Ingress and Egress are not affected.

# Default Deny P₁’s Egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: frontend
  policyTypes:
  - Egress
# Default Deny P₂’s Ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: backend
  policyTypes:
  - Ingress

The frontend-policy and backend-policy result in a network configuration that is equivalent to

• P₁’s FIB discarding all messages with a source address of P₁’s IP Address 10.0.0.1 and any target address other than its own.
• P₂’s FIB discarding all messages with a target address of P₂’s IP Address 10.0.0.2 and any source address other than its own.

Explicit allow

In order to allow communication from P₁ to P₂ we must flip

• P₁’s Egress to P₂ and
• P₂’s Ingress from P₁ from Default Deny to Explicilty Allow, that is, we must update
• frontend-policy and add an Egress Rule and
• backend-policy to add an Ingress Rule

# Explicitly Allow P₁’s Egress to P₂
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          role: backend
# Explicitly Allow P₂’s Ingress from P₁
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend

The frontend-policy and backend-policy result in a network configuration that is equivalent to

• P₁’s FIB discarding all messages with a source address of P₁’s IP Address 10.0.0.1 and any target address other than its own except if the target address is P₂’s IP Address and target port is 8080 or 9090.

• P₂’s FIB discarding all messages with a target address of P₂’s IP Address 10.0.0.2 and any source address other than its own except if the source address is P₁’s IP Address and target port is 8080 or 9090.

In conclusion, P₁ may receive messages from any source but may only send messages to P₂, while P₂ may only receive messages from P₁ but may send messages to any target. In combination, P₁ may exchange messages with P₂.

Employing the Kubernetes network policy for your clusters

The Kubernetes Networking Model guarantees that all Kubernetes Pods on a Kubernetes Cluster are able to communicate, that is, able to exchange messages. However, the Networking Semantics change in the presence of Networking Policies from Default Allow for all Pods to Default Deny for selected Pods with Explicit Allow. In a nutshell, for two Pods to communicate

• both Pods must be unselected or
• there must exist
  • a Network Policy that permits Egress from the source to the target and
  • a Network Policy that permits Ingress to the target from the source.

Looking for more on building an effective Kubernetes security framework? You can find out more about Kubernetes and multi-cloud security here at the Outshift blog.