Network

Network Communications

Network Policies

Issue:
  • By default, Kubernetes does not restrict traffic between pods running inside the cluster
  • Any pod can connect to any other pod as there are no firewalls controlling the intra-cluster traffic
  • Applications can potentially communicate with outside clients (north-south traffic) as well as with other applications running within the cluster (east-west traffic)
Network Policies:
  • By default, all kinds of ingress (incoming) and egress (outgoing) traffic are allowed, but you can control how pods are allowed to communicate by using network policies
  • They allow you to configure how groups of pods are allowed to communicate with each other and with other network endpoints
  • They create firewalls between pods running on a Kubernetes cluster
  • You cannot enforce policies for outgoing (egress) traffic from pods using this feature
  • If a pod is not matched by any network policies, all traffic is allowed to and from that pod

Controls

Component: Enable Network Policies
Description: Choose a network add-on that allows you to leverage Network Policies (e.g., Calico or Canal)

Component: Restrict Metadata API
Description: AWS/Azure/GCP pass configuration to nodes through a Metadata API
  • this can be the source of serious privilege escalations
  • the data it serves can include critical information, including the node's kubelet credentials
Restrict access to the Metadata API:
  • with network policies that block traffic to the Metadata API for all pods that don't explicitly need access
  • Azure and AWS both use the IP address 169.254.169.254
  • Google uses the domain name metadata.google.internal
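The two controls above (network policies as pod firewalls, and blocking the Metadata API for pods that do not need it) combined into one manifest, as an added example that is not part of the original page. The namespace "payments" and the label metadata-access=true are assumed names; egress rules are only enforced by a network add-on that supports them (e.g. Calico or Canal), and on GCE the name metadata.google.internal resolves to the same 169.254.169.254 address.

```yaml
# Added example, not from the original page. Namespace "payments" and the
# label metadata-access=true are assumed names.
# 1) Deny all ingress and egress for every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}        # empty selector matches every pod in the namespace
  policyTypes:
  - Ingress
  - Egress               # no ingress/egress rules are listed, so nothing is allowed
---
# 2) Re-allow outbound traffic, but carve the metadata endpoint out of it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-except-metadata
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32   # AWS/Azure metadata API; GCE resolves metadata.google.internal here too
---
# 3) Only pods explicitly labelled for it get the metadata API back.
#    Policies are additive: a pod matched by both 2) and 3) gets the union of their rules.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-metadata-for-labelled-pods
  namespace: payments
spec:
  podSelector:
    matchLabels:
      metadata-access: "true"
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 169.254.169.254/32
```

Apply with `kubectl apply -f <file>` and confirm the result with `kubectl describe networkpolicy -n payments`; a pod without the label should then time out on the metadata address while still reaching other destinations.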

Firewall Ports

  • Kubernetes processes such as the kubelet open a few ports on all network interfaces; these ports should be firewalled from public access
  • Some of those ports may "only" allow querying sensitive information, but others grant full access to the cluster
Port       Process                   Description
10250/TCP  kubelet                   [LEGACY] API which allows full node access
10255/TCP  kubelet                   [LEGACY] Unauthenticated read-only port, allowing access to node state
6443/TCP   kube-apiserver            Kubernetes API port
10256/TCP  kube-proxy                Health check server for kube-proxy
10257/TCP  kube-controller-manager   HTTPS authentication and authorization for kube-controller-manager
10258/TCP  cloud-controller-manager
2379/TCP   etcd                      The API interface is accessible and not secured by default
4149/TCP   cAdvisor                  Default cAdvisor port used to query container metrics
30000/TCP  dashboard                 Dashboard port
9099/TCP   calico-felix              Health check server for Calico (if using Calico/Canal)