We would like to establish a clear, concise and easy to find networking policy for pods. This is the task for describing our options and choosing what we implement.
We could go forward with either a whitelist or a blacklist approach. For the rest of this task (and unless we radically change our approach) we assume we use a whitelist approach, that is we block everything that is not explicitly allowed.
Ideally this would
* Disallow any outgoing connections from a pod the service owner does not explicitly allow
* Disallow any incoming connection to a pod that the service owner does not explicitly allow
On a more pragmatic note, it probably makes sense to establish some defaults. For outgoing connections from the pods, those could be
[x] statsd
[ ] graphite
[x] logstash
[x] url-downloader
[x] our own API endpoints (action/REST api), with or without the caching layer involved.
[ ] EventBus
For incoming connections to the pods, those defaults could be
[ ] icinga
[ ] prometheus ?
[ ] LVS servers
The policy should be easy to find from both the developers' and the Ops PoV, and it should be reviewable. The operations/puppet repo sounds like a sane first attempt, and we can always re-evaluate later on.
**Result**: Outgoing connections are indeed filtered now. Incoming connections are easy to deny by default on a per-namespace basis by doing the following:
```
kubectl --kubeconfig kubeconfig.eqiad annotate ns <namespace> "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
```
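Since the policy should be reviewable, an audit check helps: the script below (added here as an example, not part of the original task) reads the output of `kubectl get ns -o json` and lists namespaces that do not carry the `DefaultDeny` ingress annotation used above. The namespace names and the ignore list are constructed assumptions.

```python
import json
import sys

# The beta annotation used in the kubectl command above.
ANNOTATION = "net.beta.kubernetes.io/network-policy"


def ingress_isolated(ns):
    """True if the namespace object declares DefaultDeny ingress isolation."""
    raw = ns.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    if raw is None:
        return False
    try:
        policy = json.loads(raw)
    except ValueError:
        # A malformed annotation gives no isolation; report it as open.
        return False
    return policy.get("ingress", {}).get("isolation") == "DefaultDeny"


def unisolated_namespaces(ns_list, ignore=("kube-system",)):
    """Sorted names of namespaces (outside `ignore`) that lack default-deny ingress."""
    return sorted(
        ns["metadata"]["name"]
        for ns in ns_list
        if ns["metadata"]["name"] not in ignore and not ingress_isolated(ns)
    )


# Constructed sample resembling the `items` list of `kubectl get ns -o json`.
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "kube-system", "annotations": {}}},
    {"metadata": {"name": "svc-a",
                  "annotations": {ANNOTATION: '{"ingress":{"isolation":"DefaultDeny"}}'}}},
    {"metadata": {"name": "svc-b"}},                       # no annotation at all
    {"metadata": {"name": "svc-c", "annotations": {ANNOTATION: "not json"}}},
]

if __name__ == "__main__":
    # Usage: kubectl --kubeconfig kubeconfig.eqiad get ns -o json | python3 audit_ns.py
    items = json.load(sys.stdin).get("items", []) if not sys.stdin.isatty() else SAMPLE_NAMESPACES
    for name in unisolated_namespaces(items):
        print("ingress not isolated:", name)
```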