
[api-gateway] Explore using network policies to further secure traffic between toolforge api-gateway router and backends
Open, Medium, Public

Description

In order to provide an additional layer of defence against issues like T362525, we should check whether we can use Kubernetes network policies to permit incoming traffic to the backends only from the api-gateway namespace.

Event Timeline

dcaro triaged this task as Medium priority. Mon, Apr 15, 3:16 PM
dcaro moved this task from Backlog to Ready to be worked on on the Toolforge board.

https://kubernetes.io/docs/concepts/services-networking/network-policies/#targeting-multiple-namespaces-by-label

In this scenario, your Egress NetworkPolicy targets more than one namespace using their label names. For this to work, you need to label the target namespaces. For example:

kubectl label namespace frontend namespace=frontend
kubectl label namespace backend namespace=backend

Add the labels under namespaceSelector in your NetworkPolicy document. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-namespaces
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchExpressions:
        - key: namespace
          operator: In
          values: ["frontend", "backend"]

https://kubernetes.io/docs/concepts/services-networking/network-policies/#targeting-a-namespace-by-its-name

The Kubernetes control plane sets an immutable label kubernetes.io/metadata.name on all namespaces; the value of the label is the namespace name.

While NetworkPolicy cannot target a namespace by its name with some object field, you can use the standardized label to target a specific namespace.
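Putting the two quoted sections together for this task, here is an added example (not from the task, the Kubernetes docs or the Toolforge repositories) of an Ingress policy that isolates backend pods and admits only traffic originating from the api-gateway namespace, matched through the kubernetes.io/metadata.name label. It assumes the router runs in a namespace literally named `api-gateway` with pods labelled `app=api-gateway`, that the backend namespace is `tool-example`, that backend pods carry `app.kubernetes.io/component=backend`, and that they listen on TCP 8000; all of these are placeholders.

```yaml
# Added example, not Toolforge configuration. Restrict ingress to backend
# pods so that only the api-gateway router may reach them.
# Assumed names (replace with the real ones): namespace "api-gateway",
# router pod label app=api-gateway, backend namespace "tool-example",
# backend pod label app.kubernetes.io/component=backend, backend port 8000.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-api-gateway-only
  # NetworkPolicy is namespaced: one copy is needed per backend namespace.
  namespace: tool-example
spec:
  # Every pod matched here becomes isolated for the listed policyTypes:
  # ingress that is not explicitly allowed below is dropped.
  podSelector:
    matchLabels:
      app.kubernetes.io/component: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector inside the SAME list item are ANDed:
    # the source must be a pod labelled app=api-gateway that lives in the
    # namespace whose immutable kubernetes.io/metadata.name label is
    # "api-gateway". A namespaceSelector alone would admit any pod in
    # that namespace.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: api-gateway
      podSelector:
        matchLabels:
          app: api-gateway
    # Narrow the allowed traffic to the backend's listening port as well.
    ports:
    - protocol: TCP
      port: 8000
```

The policy is only enforced by a CNI plugin that implements NetworkPolicy, so after applying it, confirm the effect from a pod outside the api-gateway namespace (the connection should fail) and from a router pod (it should succeed), since selecting pods in a policy also blocks any other ingress they previously relied on.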