From eb7458d0bd3566bd34acf4b34badc50438530035 Mon Sep 17 00:00:00 2001
From: Sebastien Flory
Date: Wed, 30 Oct 2024 15:18:07 +0100
Subject: [PATCH] Add: network policies to create boundaries for proxies
---
 .../apply_infra_dust-kube-private.sh | 4 +-
 .../configmaps/proxy-configmap.yaml | 12 ++++-
 .../allow-same-namespace.yaml | 11 ----
 .../default-deny-ingress.yaml | 8 ---
 .../network-policies/restrict-egress.yaml | 54 +++++++++++++++++++
 .../network-policies/restrict-ingress.yaml | 37 +++++++++++++
 6 files changed, 103 insertions(+), 23 deletions(-)
 delete mode 100644 k8s/dust-kube-private/network-policies/allow-same-namespace.yaml
 delete mode 100644 k8s/dust-kube-private/network-policies/default-deny-ingress.yaml
 create mode 100644 k8s/dust-kube-private/network-policies/restrict-egress.yaml
 create mode 100644 k8s/dust-kube-private/network-policies/restrict-ingress.yaml
diff --git a/k8s/dust-kube-private/apply_infra_dust-kube-private.sh b/k8s/dust-kube-private/apply_infra_dust-kube-private.sh
index 92877af504cf..c9c83b4db9fe 100755
--- a/k8s/dust-kube-private/apply_infra_dust-kube-private.sh
+++ b/k8s/dust-kube-private/apply_infra_dust-kube-private.sh
@@ -37,5 +37,5 @@ echo "-----------------------------------"
 echo "Applying network policies"
 echo "-----------------------------------"
-# kubectl apply -f "$(dirname "$0")/network-policies/allow-same-namespace.yaml"
-# kubectl apply -f "$(dirname "$0")/network-policies/default-deny-ingress.yaml"
+kubectl apply -f "$(dirname "$0")/network-policies/restrict-egress.yaml"
+kubectl apply -f "$(dirname "$0")/network-policies/restrict-ingress.yaml"
diff --git a/k8s/dust-kube-private/configmaps/proxy-configmap.yaml b/k8s/dust-kube-private/configmaps/proxy-configmap.yaml
index 9a1945954c6a..4491811550ff 100644
--- a/k8s/dust-kube-private/configmaps/proxy-configmap.yaml
+++ b/k8s/dust-kube-private/configmaps/proxy-configmap.yaml
@@ -18,9 +18,17 @@ data:
 }
 http {
- resolver 8.8.8.8 8.8.4.4 valid=300s;
+ resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
+ resolver_timeout 5s;
-
+
+ proxy_bind 0.0.0.0; # Force IPv4
+
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ keepalive_timeout 30s;
+
 server {
 listen 80;
diff --git a/k8s/dust-kube-private/network-policies/allow-same-namespace.yaml b/k8s/dust-kube-private/network-policies/allow-same-namespace.yaml
deleted file mode 100644
index 445d53864ace..000000000000
--- a/k8s/dust-kube-private/network-policies/allow-same-namespace.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: allow-same-namespace
-spec:
- podSelector: {}
- ingress:
- - from:
- - podSelector: {}
- policyTypes:
- - Ingress
diff --git a/k8s/dust-kube-private/network-policies/default-deny-ingress.yaml b/k8s/dust-kube-private/network-policies/default-deny-ingress.yaml
deleted file mode 100644
index 972155f2dba6..000000000000
--- a/k8s/dust-kube-private/network-policies/default-deny-ingress.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: default-deny-ingress
-spec:
- podSelector: {}
- policyTypes:
- - Ingress
\ No newline at end of file
diff --git a/k8s/dust-kube-private/network-policies/restrict-egress.yaml b/k8s/dust-kube-private/network-policies/restrict-egress.yaml
new file mode 100644
index 000000000000..1583691eb591
--- /dev/null
+++ b/k8s/dust-kube-private/network-policies/restrict-egress.yaml
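Review bot: The new `resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;` line hardcodes the same two addresses that network-policies/restrict-egress.yaml lists as DNS `ipBlock` entries, and nothing ties the two together; if either file is edited alone the proxy silently loses name resolution and the only symptom is `resolver_timeout 5s` surfacing as upstream errors. A comment on the resolver line would spare the next maintainer that hunt, e.g. `# Must stay in sync with the DNS ipBlocks in network-policies/restrict-egress.yaml`. Note also that `valid=300s` overrides the record TTL, so after an upstream address changes the proxy can keep dialing the old one for up to five minutes. The enclosing `http {` block continues past the end of this hunk.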
@@ -0,0 +1,54 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: restrict-egress
+ namespace: default
+spec:
+ podSelector: {} # Applies to all pods
+ policyTypes:
+ - Egress
+ egress:
+ # Internal cluster communication
+ - to:
+ - ipBlock:
+ cidr: 10.11.0.0/17 # VPC CIDR - adjust as needed
+ # DNS resolution
+ - to:
+ - namespaceSelector: {}
+ - ipBlock:
+ cidr: 8.8.8.8/32 # Google DNS primary
+ - ipBlock:
+ cidr: 8.8.4.4/32 # Google DNS secondary
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ # Kubernetes API access
+ - to:
+ - ipBlock:
+ cidr: 34.44.36.75/32 # Your control plane IP
+ ports:
+ - port: 443
+ - port: 6443
+ # Allow metadata access for Cloud NAT
+ - to:
+ - ipBlock:
+ cidr: 169.254.169.254/32 # GCP metadata server
+ ports:
+ - protocol: TCP
+ port: 80
+
+# Allow external internet access through Cloud NAT
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 10.0.0.0/8 # RFC1918 private ranges
+ - 172.16.0.0/12
+ - 192.168.0.0/16
+ - 169.254.0.0/16 # Link local
+
diff --git a/k8s/dust-kube-private/network-policies/restrict-ingress.yaml b/k8s/dust-kube-private/network-policies/restrict-ingress.yaml
new file mode 100644
index 000000000000..223dddf30f6b
--- /dev/null
+++ b/k8s/dust-kube-private/network-policies/restrict-ingress.yaml
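Review bot: The rule commented `# Allow metadata access for Cloud NAT` grants every pod matched by `podSelector: {}` TCP/80 to 169.254.169.254, which is the GCP metadata endpoint and not something Cloud NAT requires; for a policy meant to box in forward proxies this re-opens exactly the link-local destination that the last rule's `except: 169.254.0.0/16` closes, so a proxied request aimed at that address would be allowed through. Unless a workload in this namespace genuinely needs the metadata server, drop that rule, or move it into a separate policy whose `podSelector` matches only that workload. The same `podSelector: {} # Applies to all pods` also means the port-less `0.0.0.0/0` rule applies to every pod in `default`, not only the proxies the commit title describes, so selecting the proxy pods by label would match the stated intent better. Separately, `cidr: 34.44.36.75/32 # Your control plane IP` here disagrees with `134.44.36.75/32` under the same comment in restrict-ingress.yaml; one of the two is presumably a typo and both should come from a single documented value.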
@@ -0,0 +1,37 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: restrict-ingress
+ namespace: default
+spec:
+ podSelector: {} # Applies to all pods
+ policyTypes:
+ - Ingress
+ ingress:
+ # Allow specific ports for external access
+ - ports:
+ - protocol: TCP
+ port: 80
+ - protocol: TCP
+ port: 1080
+ # Kubernetes API Server access
+ - from:
+ - ipBlock:
+ cidr: 134.44.36.75/32 # Your control plane IP
+ ports:
+ - port: 10250 # kubelet metrics
+ - port: 9153 # kube-dns metrics
+ - port: 443 # kubernetes API server
+ # Datadog Agent communication
+ - from:
+ - podSelector:
+ matchLabels:
+ name: datadog-agent
+
+ ports:
+ - port: 10250 # kubelet
+ - port: 4194 # cadvisor
+ - port: 8125 # dogstatsd
+ - port: 8126 # trace agent
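Review bot: The first ingress rule (`- ports:` with no `from:`) admits traffic to TCP 80 and 1080 on every pod in the namespace from any source, including other namespaces and any external address the CNI forwards, so `# Allow specific ports for external access` understates what it opens; if the proxies are reached through a load balancer or a known client set, add a `from:` with the matching `ipBlock` or `namespaceSelector`. The Datadog rule's `podSelector` without a `namespaceSelector` only matches `name: datadog-agent` pods in `default`; if the agent DaemonSet runs in its own namespace this rule matches nothing and should gain a `namespaceSelector` (for example on the `kubernetes.io/metadata.name` label). Ports 10250 and 4194 are normally served by the kubelet on the node rather than by pods, so the entries listing them are likely inert unless a pod in this namespace actually listens there — worth confirming before relying on them.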