## Network Communications
### Network Policies
- Issue:
  - By default, Kubernetes does not restrict traffic between pods running inside the cluster.
  - Any pod can connect to any other pod, as there are no firewalls controlling intra-cluster traffic.
  - Applications can potentially communicate with outside clients (north-south traffic) as well as with other applications running within the cluster (east-west traffic).
- Network Policies:
  - By default, all ingress (incoming) and egress (outgoing) traffic is allowed, but you can control how pods are allowed to communicate by using network policies.
  - They let you configure how groups of pods are allowed to communicate with each other and with other network endpoints.
  - They create firewalls between pods running on a Kubernetes cluster.
  - You cannot enforce policies for outgoing (egress) traffic from pods using this feature.
  - If a pod is not matched by any network policy, all traffic to and from that pod is allowed.
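The "default-deny, then allow" pattern these bullets describe, written out as two NetworkPolicy manifests. This is an added illustration, not a manifest from the original page; the namespace `shop`, the labels `app=api` and `app=frontend`, and the `ingress-nginx` namespace are assumed names.

```yaml
# Policy 1: match every pod in the namespace (empty podSelector) and
# declare Ingress as a policy type with no ingress rules. Because pods
# not matched by any policy accept all traffic, this is what turns the
# namespace from "allow everything" into "deny unless allowed".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop            # assumed namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Policy 2: re-open only the paths that the application needs.
# Pods labelled app=api accept TCP/8080 from:
#   - pods labelled app=frontend in the same namespace (east-west), and
#   - the ingress controller's namespace (north-south).
# Multiple policies selecting the same pod are additive: a connection
# is allowed if any policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api               # assumed label on the API pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend  # assumed label on the frontend pods
        - namespaceSelector:
            matchLabels:
              # label set automatically on every namespace by Kubernetes
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
```

The manifests only take effect when the cluster's network add-on enforces NetworkPolicy (see the Controls table); on an add-on without enforcement they are accepted by the API server but change nothing.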
#### Controls
Component | Description
---|---
Enable Network Policies | ✅ Choose a network add-on that supports Network Policies (e.g., Calico or Canal)
Restrict Metadata API | ❌ AWS/Azure/GCP pass configuration to nodes through a Metadata API
### Firewall Ports
- Kubernetes processes such as the kubelet open a number of ports on all network interfaces, which should be firewalled from public access.
- Some of those ports "only" allow querying sensitive information, but others grant full access to the cluster outright.
Port | Process | Description
---|---|---
10250/TCP | kubelet | [LEGACY] API which allows full node access
10255/TCP | kubelet | [LEGACY] Unauthenticated read-only port, allowing access to node state
6443/TCP | kube-apiserver | Kubernetes API port
10256/TCP | kube-proxy | Health check server for kube-proxy
10257/TCP | kube-controller-manager | HTTPS authentication and authorization for kube-controller-manager
10258/TCP | cloud-controller-manager |
2379/TCP | etcd | Client API; accessible and not secured by default
4149/TCP | cAdvisor | Default cAdvisor port used to query container metrics
30000/TCP | dashboard | Dashboard port
9099/TCP | calico-felix | Health check server for Calico (if using Calico/Canal)