This topic describes how to ensure network security by enforcing access control on services and encrypting data transmission.

Network policies

By default, all pods in a Kubernetes cluster can communicate with each other, which is an unacceptable exposure in production environments: one compromised pod can reach every other workload. Kubernetes network policies allow you to control traffic between pods (east-west traffic) and traffic between pods and external endpoints. A network policy selects the pods to which it applies by using a pod selector, and identifies the permitted peers by using pod selectors, namespace selectors, and labels. In addition, you can specify IP address blocks, ports, protocols, and combinations of them. Network policies are enforced by the network plug-in, not by the API server: when you use the Terway network plug-in, you can configure network policies for specific applications if you want to control network traffic at the IP address or port level. For more information, see Use network policies and Kubernetes Network Policy Recipes.

Notice Network policies may increase the load on the API server in large-scale production environments, because the policy controller watches pods, namespaces, and policies and recomputes rules whenever labels change. Proceed with caution when you use network policies at scale.

Create a default network policy that denies all traffic

Similar to role-based access control (RBAC) policies, you must follow the principle of least privilege when you create network policies: deny everything first, then allow only the flows that applications need. You can create a default network policy that denies all inbound and outbound traffic for every pod in a namespace. In the following policy, the empty podSelector selects all pods in the namespace, and listing both Ingress and Egress in policyTypes without any rules denies traffic in both directions. You can also create a cluster-wide policy of the same kind by using the Calico GlobalNetworkPolicy resource.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Create a network policy that allows DNS queries

After you create the default network policy that denies all inbound and outbound traffic, you can create network policies that allow specific flows. The first flow that almost every pod needs is name resolution. For example, you can create a network policy in the same namespace that allows pods to send DNS queries to CoreDNS in the kube-system namespace; without it, pods under the default-deny policy cannot resolve Service names.

  1. Run the following command to add a label to the kube-system namespace. Namespace selectors match labels, not namespace names, so the namespace must carry a label that the policy can reference. On Kubernetes 1.21 and later, every namespace also carries the built-in kubernetes.io/metadata.name label automatically, which you can use instead of adding your own.
    kubectl label namespace kube-system name=kube-system
  2. Create a network policy by using the following YAML template:
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-dns-access
      namespace: default
    spec:
      # An empty podSelector selects every pod in the default namespace.
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
        # Allow both transports: DNS uses UDP by default, but responses that exceed
        # the UDP payload limit are retried over TCP, so UDP alone causes intermittent failures.
        ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    Notice This policy allows egress to every pod in kube-system on port 53, not only to CoreDNS. For more information about how to control network traffic between pods by using Kubernetes network policies, see Official Documentation.
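The following policy is an added example, not from the original page, that tightens the DNS rule above so that egress is allowed only to the CoreDNS pods rather than to everything in kube-system. It assumes a cluster on Kubernetes 1.21 or later (so the kubernetes.io/metadata.name namespace label exists) and that the CoreDNS pods carry the upstream default label k8s-app=kube-dns; verify the label with `kubectl -n kube-system get pods --show-labels` before applying it.

```yaml
# Added example (not from the original page): DNS egress restricted to the CoreDNS pods only.
# Assumptions: Kubernetes >= 1.21 (built-in kubernetes.io/metadata.name label) and
# CoreDNS pods labeled k8s-app=kube-dns (upstream default; check your cluster).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-to-coredns
  namespace: default
spec:
  podSelector: {}            # applies to every pod in the default namespace
  policyTypes:
  - Egress
  egress:
  - to:
    # A namespaceSelector and a podSelector inside ONE list element are ANDed:
    # the peer must be in kube-system AND carry k8s-app=kube-dns.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP          # large responses are retried over TCP
      port: 53
```

Two points matter here. First, the AND semantics depend on the two selectors sitting in the same `to` element; if you write them as two separate list elements they are ORed, and the policy then allows egress to every pod in kube-system plus every pod labeled k8s-app=kube-dns in any namespace. Second, network policies are evaluated against pod IP addresses after Service DNAT, so writing an `ipBlock` for the kube-dns Service ClusterIP does not work; select the CoreDNS pods as shown.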
The following example shows how to use a Calico network policy to allow traffic based on the service account of the source pods, here a service account named ali-sa. Because the policy matches a label on the service account, whoever can edit the service account can also change which pods the policy trusts. The example therefore also defines a role named readonly-sa-role that can only read (get, watch, list) the ali-sa service account in the default namespace and cannot modify it or its labels. The role is bound to the readonly-sa-group RBAC group.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ali-sa
  namespace: default
  labels:
    name: ali-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: readonly-sa-role
rules:
# Allows the user to read the ali-sa service account. 
- apiGroups: [""]
  resources: ["serviceaccounts"]
  resourceNames: ["ali-sa"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: readonly-sa-rolebinding
# Associates the readonly-sa-role role with an RBAC group named readonly-sa-group. 
subjects:
- kind: Group
  name: readonly-sa-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: readonly-sa-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: netpol-sa-demo
  namespace: default
# Allows inbound traffic to all pods in the default namespace (selector: all())
# only from pods that run as a service account labeled name=ali-sa.
# The serviceAccounts selector matches labels on the ServiceAccount object,
# which is why the ali-sa service account above carries the name=ali-sa label.
spec:
  ingress:
    - action: Allow
      source:
        serviceAccounts:
          selector: 'name == "ali-sa"'
  selector: all()

Add custom rules to allow traffic between specific pods in a namespace

After you create a network policy that allows communication between pods in a namespace, you can add custom rules that permit only specific pods in the namespace to communicate with each other, by matching pod labels and ports. Under a default-deny policy for both Ingress and Egress, a connection requires two allow rules: an egress rule on the client pod and an ingress rule on the server pod. Return traffic of an allowed connection is permitted automatically, so no reverse rule is needed. For more information, see Kubernetes Network Policy Recipes.
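The following pair of policies is an added example, not from the original page, that shows the two rules needed for one flow under default-deny. It assumes a hypothetical namespace `shop` that already has the default-deny policy from the earlier section and the DNS egress policy, a pod labeled app=frontend, and a pod labeled app=backend that listens on TCP 8080 behind a Service named `backend`.

```yaml
# Added example, not from the original page.
# Assumptions: namespace "shop" with default-deny (Ingress+Egress) and DNS egress already applied,
# pods labeled app=frontend and app=backend, backend listening on TCP 8080.
# Rule 1: the server side. Lets backend pods accept TCP 8080 from frontend pods only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:             # a bare podSelector matches pods in the SAME namespace only
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# Rule 2: the client side. Without this, the default-deny Egress rule still drops
# the frontend's outbound SYN even though the backend would accept it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-allow-to-backend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
# Check (assumed workload names): a request from frontend should succeed, one from any other
# pod in the namespace should time out:
#   kubectl -n shop exec deploy/frontend -- wget -qO- --timeout=3 http://backend:8080/
```

The frontend still needs the DNS egress rule to resolve the name `backend`; an egress rule that only allows TCP 8080 to the backend pods does not cover the lookup, and the symptom of forgetting it is a name-resolution error rather than a connection timeout.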

Monitor and analyze traffic data

Alibaba Cloud Virtual Private Cloud (VPC) provides flow logs that record information about inbound and outbound traffic of elastic network interfaces (ENIs). Flow logs help verify access control list (ACL) rules, monitor network traffic, and troubleshoot network issues. You can identify abnormal traffic between resources (including pods) in a VPC by analyzing flow logs. For more information, see Overview.

Security groups

ACK uses security groups to manage traffic between master nodes and worker nodes. You can also use security groups to manage traffic between worker nodes, other VPC resources, and external IP addresses. When you create an ACK cluster, the system automatically creates a security group for the cluster. The security group allows communication among nodes within the cluster. You can add inbound and outbound rules to the security group based on the settings in the following table to enforce the principle of least privilege.

| Rule type | Protocol | Port range | Source | Destination |
| --- | --- | --- | --- | --- |
| Inbound rule for least privilege (from the control plane and other nodes) | TCP, or the protocols that you want to use for communication between nodes | 443, 10250, or the ports that you want to use for communication between nodes | Cluster security group | N/A |
| Recommended inbound rule | ALL/TCP | ALL/443, 1025-65535 | Cluster security group | N/A |
| Outbound rule for least privilege | TCP | 443 | N/A | Cluster security group |
| Recommended outbound rule | ALL | ALL | N/A | 0.0.0.0/0 |

For more information, see Use cases of ECS security groups and Configure a security group.

Encrypt data transmission

  • Alibaba Cloud Service Mesh (ASM)

    ASM encrypts traffic among services by using mutual Transport Layer Security (mTLS), so that both the client and the server sidecar present certificates. In addition, you can use the Envoy Secret Discovery Service (SDS) to secure service gateways with HTTPS and dynamic certificate loading, so that certificates are delivered to the gateway without being mounted into its file system. You can use ASM together with Application High Availability Service (AHAS) to manage traffic of applications that are deployed in ASM instances. ASM is also integrated with Tracing Analysis, which provides trace mapping, service call counting, trace topology, and application dependency analysis, so that developers can identify and diagnose performance bottlenecks in a distributed application architecture.

  • Use a Secret to configure TLS to enable HTTPS access

    You must enable HTTPS access for services that are exposed by Ingresses in clusters. For more information, see Use a Secret to configure TLS to enable HTTPS access.
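The following manifests are an added example, not from the original page, that covers both bullets above: strict mTLS inside the mesh and TLS termination on the Ingress. They assume an ASM instance that exposes the Istio PeerAuthentication API (security.istio.io/v1beta1), a hypothetical namespace `shop` with sidecar injection enabled, a Service named `frontend` on port 80, a hostname shop.example.com, and an NGINX-based Ingress controller with class `nginx` (the ssl-redirect annotation is specific to that controller). The base64 values in the Secret are constructed placeholders, not real key material.

```yaml
# Added example, not from the original page.
# Part 1: enforce mTLS for every workload in the namespace. Assumes the Istio
# PeerAuthentication API is available through ASM and sidecars are injected in "shop".
# STRICT rejects plaintext connections; PERMISSIVE (the default) still accepts plaintext
# from pods without a sidecar, which silently leaves those flows unencrypted.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop        # namespace-wide; create it in the mesh root namespace to make it mesh-wide
spec:
  mtls:
    mode: STRICT
---
# Part 2: TLS on the Ingress. The Secret must be of type kubernetes.io/tls and hold a
# PEM certificate and key. Generate it from files rather than hand-writing base64:
#   kubectl -n shop create secret tls shop-tls --cert=tls.crt --key=tls.key
# The values below are constructed placeholders, not real key material.
apiVersion: v1
kind: Secret
metadata:
  name: shop-tls
  namespace: shop
type: kubernetes.io/tls
data:
  tls.crt: "<base64 PEM certificate, SAN must include shop.example.com>"
  tls.key: "<base64 PEM private key>"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: shop
  annotations:
    # NGINX Ingress Controller annotation (assumption: an nginx-based controller).
    # Redirects plaintext HTTP to HTTPS so clients cannot silently stay on HTTP.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - shop.example.com   # must match the certificate's SAN
    secretName: shop-tls
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 80
```

Keep the two halves distinct in your threat model: the Ingress TLS protects the hop from the client to the Ingress controller, and the mTLS policy protects the hops between services inside the cluster. Enabling one does not cover the other, and a PERMISSIVE mesh with an HTTPS Ingress still carries service-to-service traffic in plaintext from any pod that lacks a sidecar.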