Published on 00/00/0000
Last updated on 00/00/0000
Published on 00/00/0000
Last updated on 00/00/0000
Share
INSIGHTS
8 min read
Published on 02/08/2021
Last updated on 06/18/2024
Inside Kubernetes network policy
Share
The Kubernetes Networking Model guarantees that all Kubernetes Pods on a Kubernetes Cluster are able to communicate, that is, able to exchange messages. However, the Networking Semantics change in the presence of Networking Policies from Default Allow for all Pods to Default Deny for selected Pods with Explicit Allow: 
Default allow
The Kubernetes Network permits all incoming and outgoing messages to and from any Pod per default.
Default deny
However, if there exists some Network Policy selecting a Pod, the Kubernetes Network prohibits all incoming and outgoing messages to and from the Pod per default.
Explicit allow
Then, if there exists some Network Policy selecting a Pod and some rule of the Network Policy allowing Ingress or Egress, the Kubernetes Network permits matching incoming and outgoing messages to and from the Pod.
K8s networking policies
Kubernetes Networking Policies are a core abstraction of Kubernetes: Per Pod, Network Policies determine if an incoming (Ingress) or outgoing (Egress) message is permitted or prohibited by the Kubernetes Network. 
Not this
Since Kubernetes Pods are arguably the core abstraction of Kubernetes, one may reasonably conclude that Kubernetes Network Policies express allowed traffic flow holistically in terms of Pods e.g. in terms of a set of Pods, the possible source, and a set of Pods, the possible target. 
However, this is not how Network Policies work.
But that
A Kubernetes Network Policy determines whether an incoming or outgoing message is either permitted or prohibited. For two Pods to communicate
- both Pods must be unselected or
- there must exist
- a Network Policy that permits Egress from the source to the target and
- a Network Policy that permits Ingress to the target from the source.
K8s networking policies: Formal description
A Kubernetes Network Policy Object may be classified as an Ingress or Egress Policy. Note that a Kubernetes Network Policy Object may be an Ingress and Egress Policy at the same time:
Ingress-Policies ≝
{P ∈ Policies : "Ingress" ∈ as-set(Pol.Spec.PolicyType)}
Egress-Policies ≝
{P ∈ Policies : "Egress" ∈ as-set(Pol.Spec.PolicyType)}As the names imply
- Ingress Policies default to deny and explicitly allow incoming messages
- Egress Policies default to deny and explicitly allow outgoing messages of selected Pods.
- Ingress of a Pod is restricted if there is at least one Ingress Network Policy that selects that Pod.
- Egress of a Pod is restricted if there is at least one Ingress Network Policy that selects that Pod.
IngressRestricted(Pod) ≝
∃ Pol ∈ Ingress-Policies:
Pod.Labels match Pol.Spec.PodSelector
EgressRestricted(Pod) ≝
∃ Pol ∈ Egress-Policies:
Pod.Labels match Pol.Spec.PodSelectorIngress to a Pod is allowed if the Pod is not restricted or if the Pod is restricted but there exists an Ingress Rule that explicitly allows Ingress to this Pod.
Egress from a Pod is allowed if the Pod is not restricted or if the Pod is restricted but there exists an Egress Rule that explicitly allows Egress from this Pod.
IngressAllowed(Pod, (sAddr, sPort, tAddr, tPort, Proto)) ≝
IngressRestricted(Pod)
⟹
∃ Pol ∈ Ingress-Policies:
∧ Pod.Labels match Pol.Spec.PodSelector
∧ ∃ Rule ∈ Pol.Spec.Ingress:
∧ ∃ Peer ∈ Rule.From:
PeerAllowed
(Peer, sAddr)
# if no port is specified all ports and protocols are allowed
∧ Rule.Ports ≠ ∅
⟹
∃ Port ∈ Rule.Ports:
∧ Port.Protocol = Proto
∧ Port.Port match tPort
EgressAllowed(Pod, (sAddr, sPort, tAddr, tPort, Proto)) ≝
EgressRestricted(Pod)
⟹
∃ Pol ∈ Egress-Policies:
∧ Pod.Labels match Pol.Spec.PodSelector
∧ ∃ Rule ∈ Pol.Spec.Egress:
∧ ∃ Peer ∈ Rule.To:
PeerAllowed
(Peer, tAddr)
# if no port is specified all ports and protocols are allowed
∧ Rule.Ports ≠ ∅
⟹
∃ Port ∈ Rule.Ports:
∧ Port.Protocol = Proto
∧ Port.Port match tPortAn Ingress Policy selects its peers based on the Source Address of the incoming message,
an Egress Policy selects its peers based on the Target Address of the outgoing message, however both follow the same logic.
PeerAllowed(Peer, Addr) ≝
CASE Peer.PodSelector ≠ NIL Peer.NamespaceSelector ≠ Nil
→ ∃ S ∈ Pods:
∧ S.Labels match From.PodSelector
∧ S.NameSpace match From.NamespaceSelector
∧ S.Status.PodIP = Addr
◻︎ Peer.PodSelector ≠ NIL Peer.NamespaceSelector = Nil
→ ∃ S ∈ Pods:
∧ S.Labels match From.PodSelector
∧ S.NameSpace = Pol.Namespace
∧ S.Status.PodIP = Addr
◻︎ Peer.PodSelector = NIL Peer.NamespaceSelector ≠ Nil
→ ∃ S ∈ Pods:
∧ S.NameSpace = From.NamespaceSelector
∧ S.Status.PodIP = Addr
◻︎ Peer.PodSelector = NIL Peer.NamespaceSelector = Nil
→ ∧ sAddr ∈ as-set(From.IPBlock.CIDR)
∧ ∄ Except in From.IPBlock.Except
Addr ∈ as-set(Except)Implementation of Kubernetes network policy updates
Please visit Kubernetes Networking for a discussion of the Kubernetes Networking Model and the Conceptual Networking Model used throughout this blog post: In this model, a network is a Network Graph that consists of a set of Nodes and a set of Links between the Nodes: One Node may exchange a message with another Node if and only if there exists a link between the Nodes. A Node in the network is either a Process or a Switch. Processes produce and consume messages, Switches process messages according to their Forward Information Base (FIB). Kubernetes provides a Network Specification but Kubernetes does not provide a Network Implementation. In fact, many alternative implementations, called Network Plugins, exist today. In order to use Kubernetes Network Policies, that is, in order for the presence of a Network Policy Object to have the desired effects, the installed Network Plugin must support Network Policies.
An example of Kubernetes network policies
Figure 6. illustrates the example used in this section: A Kubernetes Cluster K₁ that consists of two Nodes. Each Node hosts two Pods. Each Pod resides in the default namespace and executes two Containers, one Container listening on port 8080, one Container listening on port 9090. In addition
- Pod P₁ has a labelset of {role: frontend}
- Pod P₂ has a labelset of {role: backend}
For this example, we will assume that following requirements:
- P₁ may receive traffic from any source
- P₁ may send traffic to P₂ only
- P₂ may receive traffic from P₁ only
- P₂ may send traffic to any target
Default deny
In order to restrict communication we must flip
- P₁’s Egress and
- P₂’s Ingress from Default Allow to Default Deny, that is, we must create
- an Egress Policy that selects P₁ and
an Ingress Policy that selects P₂. P₃ and P₄ are not selected, therefore P₃’s and P₄’s Ingress and Egress are not affected.
# Default Deny P₁’s Egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: frontend-policy
namespace: default
spec:
podSelector:
matchLabels:
role: frontend
policyTypes:
- Egress
# Default Deny P₂’s Ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend-policy
namespace: default
spec:
podSelector:
matchLabels:
role: backend
policyTypes:
- IngressThe frontend-policy and backend-policy result in a network configuration that is equivalent to
- P₁’s FIB discarding all messages with a source address of P₁’s IP Address 10.0.0.1 and any target address other than its own.
- P₂’s FIB discarding all messages with a target address of P₂’s IP Address 10.0.0.2 and any source address other than its own.
Explicit allow
In order to allow communication from P₁ to P₂ we must flip
- P₁’s Egress to P₂ and
- P₂’s Ingress from P₁ from Default Deny to Explicilty Allow, that is, we must update
- frontend-policy and add an Egress Rule and
- backend-policy to add an Ingress Rule
# Explicitly Allow P₁’s Egress to P₂
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: frontend-policy
namespace: default
spec:
podSelector:
matchLabels:
role: frontend
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
role: backend
# Explicitly Allow P₂’s Ingress from P₁
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend-policy
namespace: default
spec:
podSelector:
matchLabels:
role: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
role: frontendThe frontend-policy and backend-policy result in a network configuration that is equivalent to
P₁’s FIB discarding all messages with a source address of P₁’s IP Address 10.0.0.1 and any target address other than its own except if the target address is P₂’s IP Address and target port is 8080 or 9090.
P₂’s FIB discarding all messages with a target address of P₂’s IP Address 10.0.0.2 and any source address other than its own except if the source address is P₁’s IP Address and target port is 8080 or 9090.
In conclusion, P₁ may receive messages from any source but may only send messages to P₂, while P₂ may only receive messages from P₁ but may send messages to any target. In combination, P₁ may exchange messages with P₂.
Employing the Kubernetes network policy for your clusters
The Kubernetes Networking Model guarantees that all Kubernetes Pods on a Kubernetes Cluster are able to communicate, that is, able to exchange messages. However, the Networking Semantics change in the presence of Networking Policies from Default Allow for all Pods to Default Deny for selected Pods with Explicit Allow. In a nutshell, for two Pods to communicate
- both Pods must be unselected or
- there must exist
- a Network Policy that permits Egress from the source to the target and
- a Network Policy that permits Ingress to the target from the source.
Looking for more on building an effective Kubernetes security framework? You can find out more about Kubernetes and multi-cloud security here at the Outshift blog.
Subscribe to
the Shift!
Get emerging insights on innovative technology straight to your inbox.
