Network

Ports

Control Plane

Port            Process
6443/TCP        kube-apiserver
2379-2380/TCP   etcd
10250/TCP       kubelet
10257/TCP       kube-controller-manager
10259/TCP       kube-scheduler

Worker Nodes

Port              Process
10250/TCP         kubelet
30000-32767/TCP   NodePort Services

Network Communications

Network Policies

Issue
  • By default, Kubernetes does not restrict traffic between pods running inside the cluster
  • Any pod can connect to any other pod as there are no firewalls controlling the intra-cluster traffic
  • Applications can potentially communicate with outside clients (north-south traffic) as well as with other applications running within the cluster (east-west traffic)
Network Policies
  • By default, all ingress (incoming) and egress (outgoing) traffic is allowed, but you can control how pods are allowed to communicate by using network policies
  • They let you configure how groups of pods (selected by label) are allowed to communicate with each other and with other network endpoints
  • They act as firewalls between pods running on a Kubernetes cluster
  • Both ingress and egress rules are supported (egress since Kubernetes v1.8, via policyTypes: Egress); enforcement is done by the CNI plugin, so a plugin without policy support accepts the objects but ignores them
  • If a pod is not selected by any network policy, all traffic is allowed to and from that pod; once a pod is selected by a policy for a given direction, only the traffic that some policy explicitly allows in that direction gets through (policies are additive, there is no deny rule)

Controls

Component                 Description
Enable Network Policies   Choose a network add-on that enforces Network Policies (e.g., Calico or Canal); the NetworkPolicy object can be created in any cluster, but a CNI plugin without policy support silently ignores it
Restrict Metadata API     AWS/Azure/GCP pass configuration to nodes through a Metadata API
  • this can be the source of serious escalations, since any pod can reach it through the node's network by default
  • this can include critical information, including the node's cloud credentials and the kubelet's bootstrap or client credentials
Restrict access to the Metadata API
  • with network policies that block egress to the Metadata API for all pods that don't explicitly need access
  • Azure and AWS both use the IP address 169.254.169.254
  • Google uses the domain name metadata.google.internal, which resolves to 169.254.169.254, so the same IP block applies
  • as defense in depth, use the provider's own controls as well (AWS: require IMDSv2 with a hop limit of 1; GKE: Workload Identity / metadata concealment)
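A policy that implements the "block the Metadata API for everything else" control above, as an added example that is not part of the original page. It uses the except list of an ipBlock so that all other egress stays open; the namespace "default" is an assumption. Pods that legitimately need the metadata endpoint get a separate, more specific allow policy, which is additive with this one.

```yaml
# Added example (not the page's own manifest). Namespace is assumed.
# Denies egress to the cloud Metadata API for every pod in the namespace
# while leaving all other destinations reachable.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-metadata-api
  namespace: default
spec:
  podSelector: {}          # every pod in the namespace
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0    # everything ...
        except:
        - 169.254.169.254/32   # ... except the metadata endpoint (AWS, Azure, and what metadata.google.internal resolves to)
```

Test it from any pod in the namespace: `curl -m 3 http://169.254.169.254/` should time out, while outbound traffic to cluster Services and the internet still works. Because policies are additive, a pod that needs the endpoint can be given its own NetworkPolicy with a podSelector matching only that workload and an egress rule whose ipBlock is 169.254.169.254/32.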

Firewall Ports

  • Kubernetes components such as the kubelet open a few ports on all network interfaces; these must be firewalled from public access
  • Some of those ports "only" allow sensitive information to be queried, but others (the kubelet API on 10250, the API server on 6443, etcd on 2379) give straight full access to the cluster if reached without authentication: an unauthenticated kubelet lets you exec into any pod on the node, and etcd holds every Secret in the cluster in plaintext unless encryption at rest is configured
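Firewalling the node ports from the outside does not protect them from pods on the same node or network, so the kubelet itself should also refuse unauthenticated requests. The following KubeletConfiguration fragment, added here as an example and not taken from the original page, turns off anonymous access and delegates authentication and authorization of every kubelet API request to the API server; the CA path is the one kubeadm uses and is an assumption for other installers.

```yaml
# Added example (not the page's own config). Drop it into the kubelet's
# --config file (kubeadm: /var/lib/kubelet/config.yaml) and restart the
# kubelet. CA path assumed from a kubeadm layout.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false         # no system:anonymous on 10250
  webhook:
    enabled: true          # bearer tokens checked via TokenReview
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # client certs must chain to the cluster CA
authorization:
  mode: Webhook            # SubjectAccessReview instead of AlwaysAllow
readOnlyPort: 0            # 0 disables the unauthenticated read-only port
```

Verify after the restart with `curl -sk https://<node-ip>:10250/pods`: the expected answer is `Unauthorized`, not the pod list. The same request with the kubelet client certificate from the control plane (`--cert`/`--key`) should still succeed, which confirms that the x509 path works and only anonymous access was removed.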