Network

Ports¶

Port	Process
`10250/TCP`	`kubelet`
`30000-32767/TCP`	NodePort Services

Issue

By default, Kubernetes does not restrict traffic between pods running inside the cluster
Any pod can connect to any other pod as there are no firewalls controlling the intra-cluster traffic
Applications can potentially communicate with outside clients (north-south traffic) as well as with other applications running within the cluster (east-west traffic)

Network Policies

By default, all kinds of ingress (incoming) and egress (outgoing) traffic are allowed, but you can control how pods are allowed to communicate by using network policies
Allow to configure how groups of pods are allowed to communicate with each other and other network endpoints
They create firewalls between pods running on a Kubernetes cluster
You cannot enforce policies for outgoing (egress) traffic from pods using this feature
If a pod is not matched by any network policies, all traffic is allowed to and from that pod

Controls

Component Description

Enable Network Policies

✅ Choose a network add-on that allows to leverage Network Policies (e.g., Calico or Canal)

kubernetes-network-policy-recipes: example recipes for Kubernetes Network Policies that you can just copy paste

Restrict Metadata API

❌ AWS/Azure/GCP pass configuration to nodes through a Metadata API

✅ Restrict access to the Metadata API

with network policies that block traffic to the Metadata API for all pods that don’t explicitly need access
Azure and AWS both use the IP address 169.254.169.254
Google uses the domain name metadata.google.internal

Kubernetes processes like kubelet are opening a few ports on all network interfaces, which should be firewalled from public access
Those ports may "only" allow to query for sensitive information, but some of them allow straight full access to the cluster