Network

Network Communications

Network Policies

Issue:

• By default, Kubernetes does not restrict traffic between pods running inside the cluster
• Any pod can connect to any other pod as there are no firewalls controlling the intra-cluster traffic
• Applications can potentially communicate with outside clients (north-south traffic) as well as with other applications running within the cluster (east-west traffic)

Network Policies:

• By default, all kinds of ingress (incoming) and egress (outgoing) traffic are allowed, but you can control how pods are allowed to communicate by using network policies
• Allow to configure how groups of pods are allowed to communicate with each other and other network endpoints
• They create firewalls between pods running on a Kubernetes cluster
• You cannot enforce policies for outgoing (egress) traffic from pods using this feature
• If a pod is not matched by any network policies, all traffic is allowed to and from that pod

Controls

Component	Description
Enable Network Policies	✅ Choose a network add-on that allows to leverage Network Policies (e.g., Calico or Canal) kubernetes-network-policy-recipes: example recipes for Kubernetes Network Policies that you can just copy paste
Restrict Metadata API	❌ AWS/Azure/GCP pass configuration to nodes through a Metadata API this can be the source of serious escalations this can include critical information including the node's kubelet credentials ✅ Restrict access to the Metadata API with network policies that block traffic to the Metadata API for all pods that don’t explicitly need access Azure and AWS both use the IP address 169.254.169.254 Google uses the domain name metadata.google.internal

Firewall Ports

• Kubernetes processes like kubelet are opening a few ports on all network interfaces, which should be firewalled from public access
• Those ports may "only" allow to query for sensitive information, but some of them allow straight full access to the cluster

Port	Process	Description
10250/TCP	kubelet	[LEGACY] API which allows full node access
10255/TCP	kubelet	[LEGACY] Unauthenticated read-only port, allowing access to node state
6443/TCP	kube-apiserver	Kubernetes API port
10256/TCP	kube-proxy	Health check server for kube-proxy
10257/TCP	kube-controller-manager	HTTPS authentication and authorization for kube-controller-manager
10258/TCP	cloud-controller-manager
2379/TCP	etcd	The API interface is accessible and not secured by default
4149/TCP	cAdvisor	Default cAdvisor port used to query container metrics
30000/TCP	dashboard	Dashboard port
9099/TCP	calico-felix	Health check server for Calico (if using Calico/Canal)