Change Details

We would like to establish a clear, consice and easy to find networking policy for pods. This is the task for describing our options and choosing what we implement. We could go forward with either a whitelist or a blacklist approach. For the rest of this task (and unless we radically change our approach) we assume we use a whitelist approach, that is we block everything that is not explicitly allowed. Ideally this would [] Disallow any outgoing connections from a pod the service owner does not explicitly allow [] Disallow any incoming connection to a pod that the service owner does not explicitly allow On a more pragmatic note, it probably makes sense to establish some defaults. For outgoing connections from the pods , those could be [] statsd [] graphite [] logstash [] url-downloader [] our own API endpoints (action/REST api), with or without the caching layer involved. [] EventBus For incoming connections to the pods, those defaults could be [] icinga [] prometheus ? [] LVS servers The policy should be easy to find out both from the developers PoV as well as Ops PoV and should be reviewable. The operations/puppet repo sounds like a sane first attempt and we can always re-evaluate later on

We would like to establish a clear, consice and easy to find networking policy for pods. This is the task for describing our options and choosing what we implement. We could go forward with either a whitelist or a blacklist approach. For the rest of this task (and unless we radically change our approach) we assume we use a whitelist approach, that is we block everything that is not explicitly allowed. Ideally this would * Disallow any outgoing connections from a pod the service owner does not explicitly allow * Disallow any incoming connection to a pod that the service owner does not explicitly allow On a more pragmatic note, it probably makes sense to establish some defaults. For outgoing connections from the pods , those could be [x] statsd [] graphite [x] logstash [x] url-downloader [x] our own API endpoints (action/REST api), with or without the caching layer involved. [] EventBus For incoming connections to the pods, those defaults could be [] icinga [] prometheus ? [] LVS servers The policy should be easy to find out both from the developers PoV as well as Ops PoV and should be reviewable. The operations/puppet repo sounds like a sane first attempt and we can always re-evaluate later on **Result**: The outgoing connections are indeed filtered now, the incoming are really easy to do so on a per namespace basis by doing the following: ``` kubectl --kubeconfig kubeconfig.eqiad annotate ns <namespace> "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" ```

We would like to establish a clear, consice and easy to find networking policy for pods. This is the task for describing our options and choosing what we implement. We could go forward with either a whitelist or a blacklist approach. For the rest of this task (and unless we radically change our approach) we assume we use a whitelist approach, that is we block everything that is not explicitly allowed. Ideally this would []* Disallow any outgoing connections from a pod the service owner does not explicitly allow []* Disallow any incoming connection to a pod that the service owner does not explicitly allow On a more pragmatic note, it probably makes sense to establish some defaults. For outgoing connections from the pods , those could be [x] statsd [] graphite [x] logstash [x] url-downloader [x] our own API endpoints (action/REST api), with or without the caching layer involved. [] EventBus For incoming connections to the pods, those defaults could be [] icinga [] prometheus ? [] LVS servers The policy should be easy to find out both from the developers PoV as well as Ops PoV and should be reviewable. The operations/puppet repo sounds like a sane first attempt and we can always re-evaluate later on **Result**: The outgoing connections are indeed filtered now, the incoming are really easy to do so on a per namespace basis by doing the following: ``` kubectl --kubeconfig kubeconfig.eqiad annotate ns <namespace> "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" ```