Outshift Logo

INSIGHTS

9 min read

Blog thumbnail
Published on 02/08/2021
Last updated on 03/21/2024

Inside Kubernetes Network Policy

Share

The Kubernetes Networking Model guarantees that all Kubernetes Pods on a Kubernetes Cluster are able to communicate, that is, able to exchange messages. However, the Networking Semantics change in the presence of Networking Policies from Default Allow for all Pods to Default Deny for selected Pods with Explicit Allow: Kubernetes Networking Model

Default Allow

The Kubernetes Network permits all incoming and outgoing messages to and from any Pod per default.

Default Deny

However, if there exists some Network Policy selecting a Pod, the Kubernetes Network prohibits all incoming and outgoing messages to and from the Pod per default.

Explicit Allow

Then, if there exists some Network Policy selecting a Pod and some rule of the Network Policy allowing Ingress or Egress, the Kubernetes Network permits matching incoming and outgoing messages to and from the Pod.

K8s Networking Policies

Kubernetes Networking Policies are a core abstraction of Kubernetes: Per Pod, Network Policies determine if an incoming (Ingress) or outgoing (Egress) message is permitted or prohibited by the Kubernetes Network. K8s Networking Policies

Not this

Since Kubernetes Pods are arguably the core abstraction of Kubernetes, one may reasonably conclude that Kubernetes Network Policies express allowed traffic flow holistically in terms of Pods e.g. in terms of a set of Pods, the possible source, and a set of Pods, the possible target. Kubernetes Network Policies express However, this is not how Network Policies work.

But that

A Kubernetes Network Policy determines whether an incoming or outgoing message is either permitted or prohibited. For two Pods to communicate
  • both Pods must be unselected or
  • there must exist
    • a Network Policy that permits Egress from the source to the target and
    • a Network Policy that permits Ingress to the target from the source.
Kubernetes Network Policy determines

K8s Networking Policies ● Formal Description

K8s Networking Policies_Formal Description A Kubernetes Network Policy Object may be classified as an Ingress or Egress Policy. Note that a Kubernetes Network Policy Object may be an Ingress and Egress Policy at the same time:
Ingress-Policies ≝
  {P ∈ Policies : "Ingress" ∈ as-set(Pol.Spec.PolicyType)}
Egress-Policies ≝
  {P ∈ Policies : "Egress" ∈ as-set(Pol.Spec.PolicyType)}
As the names imply
  • Ingress Policies default to deny and explicitly allow incoming messages
  • Egress Policies default to deny and explicitly allow outgoing messages of selected Pods.
  • Ingress of a Pod is restricted if there is at least one Ingress Network Policy that selects that Pod.
  • Egress of a Pod is restricted if there is at least one Ingress Network Policy that selects that Pod.
IngressRestricted(Pod) ≝
  ∃ Pol ∈ Ingress-Policies:
    Pod.Labels match Pol.Spec.PodSelector
EgressRestricted(Pod) ≝
  ∃ Pol ∈ Egress-Policies:
    Pod.Labels match Pol.Spec.PodSelector
  • Ingress to a Pod is allowed if the Pod is not restricted or if the Pod is restricted but there exists an Ingress Rule that explicitly allows Ingress to this Pod.
  • Egress from a Pod is allowed if the Pod is not restricted or if the Pod is restricted but there exists an Egress Rule that explicitly allows Egress from this Pod.
IngressAllowed(Pod, (sAddr, sPort, tAddr, tPort, Proto)) ≝
 IngressRestricted(Pod)
  ⟹
   ∃ Pol ∈ Ingress-Policies:
     ∧ Pod.Labels match Pol.Spec.PodSelector
     ∧ ∃ Rule ∈ Pol.Spec.Ingress:
       ∧ ∃ Peer ∈ Rule.From:
           PeerAllowed
             (Peer, sAddr)
       # if no port is specified all ports and protocols are allowed
       ∧ Rule.Ports ≠ ∅
          ⟹
           ∃ Port ∈ Rule.Ports:
             ∧ Port.Protocol = Proto
             ∧ Port.Port match tPort
EgressAllowed(Pod, (sAddr, sPort, tAddr, tPort, Proto)) ≝
 EgressRestricted(Pod)
  ⟹
   ∃ Pol ∈ Egress-Policies:
     ∧ Pod.Labels match Pol.Spec.PodSelector
     ∧ ∃ Rule ∈ Pol.Spec.Egress:
       ∧ ∃ Peer ∈ Rule.To:
           PeerAllowed
             (Peer, tAddr)
       # if no port is specified all ports and protocols are allowed
       ∧ Rule.Ports ≠ ∅
          ⟹
           ∃ Port ∈ Rule.Ports:
             ∧ Port.Protocol = Proto
             ∧ Port.Port match tPort
  • An Ingress Policy selects its peers based on the Source Address of the incoming message,
  • an Egress Policy selects its peers based on the Target Address of the outgoing message, however both follow the same logic.
    PeerAllowed(Peer, Addr) ≝
     CASE Peer.PodSelector ≠ NIL Peer.NamespaceSelector ≠ Nil
        → ∃ S ∈ Pods:
            ∧ S.Labels match From.PodSelector
            ∧ S.NameSpace match From.NamespaceSelector
            ∧ S.Status.PodIP = Addr
        ◻︎ Peer.PodSelector ≠ NIL Peer.NamespaceSelector = Nil
        → ∃ S ∈ Pods:
            ∧ S.Labels match From.PodSelector
            ∧ S.NameSpace = Pol.Namespace
            ∧ S.Status.PodIP = Addr
        ◻︎ Peer.PodSelector = NIL Peer.NamespaceSelector ≠ Nil
        → ∃ S ∈ Pods:
            ∧ S.NameSpace = From.NamespaceSelector
            ∧ S.Status.PodIP = Addr
        ◻︎ Peer.PodSelector = NIL Peer.NamespaceSelector = Nil
        → ∧ sAddr ∈ as-set(From.IPBlock.CIDR)
          ∧ ∄ Except in From.IPBlock.Except
              Addr ∈ as-set(Except)

    Implementation

    Please visit Kubernetes Networking for a discussion of the Kubernetes Networking Model and the Conceptual Networking Model used throughout this blog post: In this model, a network is a Network Graph that consists of a set of Nodes and a set of Links between the Nodes: One Node may exchange a message with another Node if and only if there exists a link between the Nodes. A Node in the network is either a Process or a Switch. Processes produce and consume messages, Switches process messages according to their Forward Information Base (FIB). Kubernetes provides a Network Specification but Kubernetes does not provide a Network Implementation. In fact, many alternative implementations, called Network Plugins, exist today. In order to use Kubernetes Network Policies, that is, in order for the presence of a Network Policy Object to have the desired effects, the installed Network Plugin must support Network Policies.

    Example

    Kubernetes Network Policies_example Figure 6. illustrates the example used in this section: A Kubernetes Cluster K₁ that consists of two Nodes. Each Node hosts two Pods. Each Pod resides in the default namespace and executes two Containers, one Container listening on port 8080, one Container listening on port 9090. In addition
    • Pod P₁ has a labelset of {role: frontend}
    • Pod P₂ has a labelset of {role: backend}
    For this example, we will assume that following requirements:
    • P₁ may receive traffic from any source
    • P₁ may send traffic to P₂ only
    • P₂ may receive traffic from P₁ only
    • P₂ may send traffic to any target

    Default Deny

    In order to restrict communication we must flip
    • P₁’s Egress and
    • P₂’s Ingress from Default Allow to Default Deny, that is, we must create
    • an Egress Policy that selects P₁ and
    • an Ingress Policy that selects P₂. P₃ and P₄ are not selected, therefore P₃’s and P₄’s Ingress and Egress are not affected.
    # Default Deny P₁’s Egress
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: frontend-policy
      namespace: default
    spec:
      podSelector:
        matchLabels:
          role: frontend
      policyTypes:
      - Egress
    # Default Deny P₂’s Ingress
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: backend-policy
      namespace: default
    spec:
      podSelector:
        matchLabels:
          role: backend
      policyTypes:
      - Ingress
    The frontend-policy and backend-policy result in a network configuration that is equivalent to
    • P₁’s FIB discarding all messages with a source address of P₁’s IP Address 10.0.0.1 and any target address other than its own.
    • P₂’s FIB discarding all messages with a target address of P₂’s IP Address 10.0.0.2 and any source address other than its own.
    frontend-policy and backend-policy

    Explicit Allow

    In order to allow communication from P₁ to P₂ we must flip
    • P₁’s Egress to P₂ and
    • P₂’s Ingress from P₁ from Default Deny to Explicilty Allow, that is, we must update
    • frontend-policy and add an Egress Rule and
    • backend-policy to add an Ingress Rule
    # Explicitly Allow P₁’s Egress to P₂
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: frontend-policy
      namespace: default
    spec:
      podSelector:
        matchLabels:
          role: frontend
      policyTypes:
      - Egress
      egress:
      - to:
        - podSelector:
            matchLabels:
              role: backend
    # Explicitly Allow P₂’s Ingress from P₁
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: backend-policy
      namespace: default
    spec:
      podSelector:
        matchLabels:
          role: backend
      policyTypes:
      - Ingress
      ingress:
      - from:
        - podSelector:
            matchLabels:
              role: frontend
    The frontend-policy and backend-policy result in a network configuration that is equivalent to
    • P₁’s FIB discarding all messages with a source address of P₁’s IP Address 10.0.0.1 and any target address other than its own except if the target address is P₂’s IP Address and target port is 8080 or 9090.
    • P₂’s FIB discarding all messages with a target address of P₂’s IP Address 10.0.0.2 and any source address other than its own except if the source address is P₁’s IP Address and target port is 8080 or 9090. frontend-policy and backend-policy result in a network configuration
    In conclusion, P₁ may receive messages from any source but may only send messages to P₂, while P₂ may only receive messages from P₁ but may send messages to any target. In combination, P₁ may exchange messages with P₂.

    Conclusion

    The Kubernetes Networking Model guarantees that all Kubernetes Pods on a Kubernetes Cluster are able to communicate, that is, able to exchange messages. However, the Networking Semantics change in the presence of Networking Policies from Default Allow for all Pods to Default Deny for selected Pods with Explicit Allow. In a nutshell, for two Pods to communicate
    • both Pods must be unselected or
    • there must exist
      • a Network Policy that permits Egress from the source to the target and
      • a Network Policy that permits Ingress to the target from the source.
    Subscribe card background
    Subscribe
    Subscribe to
    the Shift!

    Get emerging insights on emerging technology straight to your inbox.

    Unlocking Multi-Cloud Security: Panoptica's Graph-Based Approach

    Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.

    thumbnail
    I
    Subscribe
    Subscribe
 to
    the Shift
    !
    Get
    emerging insights
    on emerging technology straight to your inbox.

    The Shift keeps you at the forefront of cloud native modern applications, application security, generative AI, quantum computing, and other groundbreaking innovations that are shaping the future of technology.

    Outshift Background