# Network Policies

Network security implementation using Kubernetes Network Policies and Cilium-based security controls.

## Overview

Network policies provide micro-segmentation for the RCIIS platform, controlling traffic flow between pods and external services.
## Policy Types

### Default Policies

- Default Deny: Block all traffic by default
- Namespace Isolation: Inter-namespace communication control
- Egress Controls: Outbound traffic restrictions

### Application Policies

- Service-to-Service: Microservice communication rules
- Database Access: Database connection restrictions
- External APIs: Third-party service access
## Implementation Examples

### Default Deny Policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: nucleus
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```
### Application-Specific Policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nucleus-api-policy
  namespace: nucleus
spec:
  podSelector:
    matchLabels:
      app: nucleus-api
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Allow ingress traffic
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
  egress:
  # Allow database access
  - to:
    - namespaceSelector:
        matchLabels:
          name: database
    ports:
    - protocol: TCP
      port: 1433
  # Allow Kafka access
  - to:
    - namespaceSelector:
        matchLabels:
          name: kafka
    ports:
    - protocol: TCP
      port: 9092
  # Allow DNS resolution
  - to: []
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Allow HTTPS outbound
  - to: []
    ports:
    - protocol: TCP
      port: 443
```
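To see how the default-deny-all and nucleus-api-policy manifests combine before applying them to a cluster, here is an added example (not part of the project's code) that evaluates Kubernetes NetworkPolicy egress semantics offline: isolation once any Egress policy selects a pod, union of allow rules across policies, and an empty `to` list matching every destination. The policy dicts are constructed copies of the two manifests above, and the label keys on the destination namespaces (`name: database`, `name: kafka`) are the ones those manifests assume.

```python
# Constructed copies of the default-deny-all and nucleus-api-policy manifests above,
# in the shape yaml.safe_load would return (added example, not the project's own code).
DEFAULT_DENY = {"metadata": {"namespace": "nucleus"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
NUCLEUS_API = {"metadata": {"namespace": "nucleus"}, "spec": {
    "podSelector": {"matchLabels": {"app": "nucleus-api"}},
    "policyTypes": ["Ingress", "Egress"],
    "egress": [
        {"to": [{"namespaceSelector": {"matchLabels": {"name": "database"}}}],
         "ports": [{"protocol": "TCP", "port": 1433}]},
        {"to": [{"namespaceSelector": {"matchLabels": {"name": "kafka"}}}],
         "ports": [{"protocol": "TCP", "port": 9092}]},
        {"to": [], "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
        {"to": [], "ports": [{"protocol": "TCP", "port": 443}]}]}}

def matches(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, dst):
    """One entry of a 'to' list: namespaceSelector and podSelector in the same entry are
    ANDed, and a bare podSelector is scoped to the policy's own namespace."""
    if "ipBlock" in peer:
        return False  # CIDR peers are not used on this page; treated as no match here
    if "namespaceSelector" in peer:
        ns_ok = matches(peer["namespaceSelector"], dst["ns_labels"])
    else:
        ns_ok = dst["namespace"] == policy_ns
    return ns_ok and matches(peer.get("podSelector", {}), dst["pod_labels"])

def egress_allowed(policies, src, dst, proto, port):
    """src = {'namespace', 'labels'}; dst = {'namespace', 'ns_labels', 'pod_labels'}
    (empty values model an external destination). A pod selected by any Egress policy
    in its namespace is isolated; the flow is then allowed only if some rule in some
    selecting policy permits it (rules across policies form a union)."""
    isolated = allowed = False
    for pol in policies:
        spec, pol_ns = pol["spec"], pol["metadata"]["namespace"]
        if (pol_ns != src["namespace"] or not matches(spec["podSelector"], src["labels"])
                or "Egress" not in spec.get("policyTypes", [])):
            continue
        isolated = True
        for rule in spec.get("egress", []):
            peers, ports = rule.get("to", []), rule.get("ports", [])
            # empty/missing 'to' matches every destination; empty 'ports' matches every port
            peer_ok = not peers or any(peer_matches(p, pol_ns, dst) for p in peers)
            port_ok = not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port
                                       for p in ports)
            allowed = allowed or (peer_ok and port_ok)
    return allowed or not isolated
```

Running it with the frontend pod as source shows the effect of default-deny-all alone: the pod is isolated but no rule allows anything, so every egress flow is denied until an application policy is added.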
## Cilium Network Policies

### Layer 7 Policies

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-policy
  namespace: nucleus
spec:
  endpointSelector:
    matchLabels:
      app: nucleus-api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/.*"
        - method: "POST"
          path: "/api/declarations"
```
### DNS-Based Policies

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: external-api-policy
  namespace: nucleus
spec:
  endpointSelector:
    matchLabels:
      app: nucleus-api
  egress:
  - toFQDNs:
    - matchName: "api.external-service.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  # toFQDNs only matches IPs that Cilium's DNS proxy has observed in DNS answers, so
  # lookups must be allowed through an L7 dns rule (kube-dns labels assumed; adjust
  # to the cluster's DNS deployment)
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
```
## Policy Testing

### Connectivity Testing

```bash
# Test connectivity between pods
# (--connect-timeout keeps a dropped connection from hanging until the TCP timeout)
kubectl exec -it pod-a -- curl --connect-timeout 5 http://pod-b:8080/health
# Test external connectivity
kubectl exec -it pod-a -- curl --connect-timeout 5 https://api.external.com
# Test DNS resolution
kubectl exec -it pod-a -- nslookup service-b.namespace.svc.cluster.local
```

### Policy Validation

```bash
# Check policy application
kubectl describe networkpolicy policy-name -n namespace
# View Cilium policy status
kubectl get cnp -A
# Monitor policy verdicts (cilium-agent CLI: run inside a cilium-agent pod, e.g. via kubectl exec)
cilium monitor --type policy-verdict
```
## Best Practices

### Policy Design

- Start with Deny-All: Default deny approach
- Incremental Permissions: Add rules as needed
- Minimal Access: Least privilege principle
- Regular Testing: Validate policy effectiveness

### Monitoring and Alerting

- Policy Violations: Monitor blocked connections
- Compliance Reporting: Regular policy audits
- Performance Impact: Monitor policy overhead
- Incident Response: Policy-related troubleshooting

For advanced policy configurations, refer to the Cilium documentation.