This topic describes how to ensure network security by enforcing access control on services and encrypting data transmission.
Network policies
By default, pods can communicate with each other in a Kubernetes cluster. This poses
security risks in production environments. Kubernetes network policies
allow you to control traffic between pods and traffic between pods and external services.
The traffic between pods refers to the east-west traffic. Network policies use pod
selectors and labels to identify source pods and destination pods. In addition, you
can specify IP addresses, ports, protocols, and a combination of them in network policies.
When you use the Terway network plug-in, you can configure network policies for specific
applications if you want to control network traffic at the IP address or port level.
For more information, see Use network policies and Kubernetes Network Policy Recipes.
Create a default network policy that denies all traffic
As with role-based access control (RBAC) policies, follow the principle of least privilege when you create network policies. You can create a default network policy that denies all inbound and outbound traffic in a namespace. You can also create a global network policy by using Calico.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  # An empty podSelector matches every pod in the namespace.
  podSelector: {}
  # Listing both policy types without any rules denies all ingress and egress.
  policyTypes:
  - Ingress
  - Egress
```
Create a network policy that allows DNS queries
After you create the default network policy that denies all inbound and outbound traffic, you can create network policies for specific purposes. For example, you can create a global network policy that allows pods to send DNS queries to CoreDNS.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ali-sa
  namespace: default
  labels:
    name: ali-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: readonly-sa-role
rules:
# Allows the user to read the ali-sa service account.
- apiGroups: [""]
  resources: ["serviceaccounts"]
  resourceNames: ["ali-sa"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: readonly-sa-rolebinding
# Associates the readonly-sa-role role with an RBAC group named readonly-sa-group.
subjects:
- kind: Group
  name: readonly-sa-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: readonly-sa-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: netpol-sa-demo
  namespace: default
spec:
  # Allows inbound traffic to services in the default namespace.
  selector: all()
  ingress:
  - action: Allow
    source:
      # Specifies the service account that is named ali-sa.
      serviceAccounts:
        selector: 'name == "ali-sa"'
```
Add custom rules to allow traffic between specific pods in a namespace
After you create a network policy that allows communication between pods in a namespace, you can add custom rules to limit communication to specific pods in the namespace. For more information, see Kubernetes Network Policy Recipes.
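As an added example that is not from the original page, the following two policies allow only pods labelled `app: web` to reach pods labelled `app: api` on TCP port 8080. The labels, port and namespace are assumptions for illustration. With the default-deny policy in place, both halves are needed: the first admits the traffic on the api side, the second releases it on the web side.

```yaml
# Added example (not from the original page). Labels app: web / app: api,
# port 8080 and the default namespace are assumed values.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-web
  namespace: default
spec:
  # Ingress rule attached to the api pods.
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-to-api
  namespace: default
spec:
  # Egress rule attached to the web pods; without it the default-deny
  # egress rule still drops the connection at the source.
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 8080
```

A podSelector without a namespaceSelector only matches pods in the policy's own namespace, so this pair cannot be widened by a same-labelled pod created elsewhere in the cluster.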
Monitor and analyze traffic data
Alibaba Cloud Virtual Private Cloud (VPC) provides flow logs that record information about inbound and outbound traffic of elastic network interfaces (ENIs). Flow logs help verify access control list (ACL) rules, monitor network traffic, and troubleshoot network issues. You can identify abnormal traffic between resources (including pods) in a VPC by analyzing flow logs. For more information, see Overview.
Security groups
ACK uses security groups to manage traffic between master nodes and worker nodes. You can also use security groups to manage traffic between worker nodes, other VPC resources, and external IP addresses. When you create an ACK cluster, the system automatically creates a security group for the cluster. The security group allows communication among nodes within the cluster. You can add inbound and outbound rules to the security group based on the settings in the following table to enforce the principle of least privilege.
Rule type | Protocol | Port range | Source | Destination |
---|---|---|---|---|
Inbound rule for least privilege (from the control plane and other nodes) | TCP or protocols that you want to use for communication between nodes | 443, 10250, or ports that you want to use for communication between nodes | Cluster security group | N/A |
Recommended inbound rule | ALL/TCP | ALL/443, 1025-65535 | Cluster security group | N/A |
Outbound rule for least privilege | TCP | 443 | N/A | Cluster security group |
Recommended outbound rule | ALL | ALL | N/A | 0.0.0.0/0 |
For more information, see Use cases of ECS security groups and Configure a security group.
Encrypt data transmission
- Alibaba Cloud Service Mesh (ASM)
ASM can encrypt data transmitted among services. In addition to mutual Transport Layer Security (mTLS) authentication, you can use Envoy Secret Discovery Service (SDS) to enhance the security of service gateways with HTTPS support and dynamic certificate loading. You can use ASM with Application High Availability Service (AHAS) to manage traffic of applications that are deployed in ASM instances. ASM is integrated with Tracing Analysis to provide capabilities for distributed application developers, such as trace mapping, service call counting, trace topology, and application dependency analysis. Developers can use these capabilities to identify and diagnose performance bottlenecks in a distributed application architecture and make development and diagnostics more efficient. For more information, see Use AHAS to throttle traffic for an ASM instance.
- Use a Secret to configure TLS to enable HTTPS access
You must enable HTTPS access for services that are exposed by Ingresses in clusters. For more information, see Use a Secret to configure TLS to enable HTTPS access.
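The two items above, mTLS inside the mesh and TLS at the Ingress, as one added example that is not part of the original page. The first manifest is an Istio PeerAuthentication; it assumes the ASM instance accepts the Istio `security.istio.io/v1beta1` API, as Istio-compatible meshes do. The second and third manifests are a `kubernetes.io/tls` Secret and an Ingress that references it; the host name, Service name, ingress class, the nginx redirect annotation and the certificate contents are placeholders and assumptions.

```yaml
# Added example (not from the original page).
# 1) Require mTLS for all sidecar-to-sidecar traffic in the namespace.
#    Assumption: the mesh accepts the Istio PeerAuthentication API.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    # STRICT rejects plaintext; PERMISSIVE (the Istio default) still accepts
    # it and is only appropriate while workloads are being migrated.
    mode: STRICT
---
# 2) TLS material for the Ingress. Values are base64-encoded PEM (placeholders).
apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_CERTIFICATE_CHAIN_PEM>
  tls.key: <BASE64_PRIVATE_KEY_PEM>
---
# 3) Ingress that terminates HTTPS with the Secret above.
#    Assumptions: an nginx-based ingress class and a Service named app on port 80.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-https
  namespace: default
  annotations:
    # Send plaintext HTTP clients to HTTPS instead of serving them (ingress-nginx).
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.example.com
    secretName: example-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app
            port:
              number: 80
```

Rather than hand-encoding the Secret, create it from the PEM files with `kubectl create secret tls example-tls --cert=tls.crt --key=tls.key -n default`; the Secret and the Ingress must live in the same namespace, and the host in `tls.hosts` must match a name on the certificate or clients will see a name-mismatch error.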