Defining networkPolicy rules between the pods of a StatefulSet

Hi,
I have set up a HashiCorp Vault cluster and would like to tighten security. To do that, I implemented the following default rule in the “vault” namespace. We use Calico for this.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny
  namespace: vault
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
    - Ingress
    - Egress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: egress-kubedns
  namespace: vault
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
    - Egress
  egress:
    - to:
      - namespaceSelector:
          matchLabels:
            name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53

How can I now create rules that will make sure all vault pods can talk to each other over TCP on ports 8200-8201?

It might be trivial but I can’t figure it out. How do you open connections between nodes of a StatefulSet or any other controller?

Any advice would be welcome.

Thanks!

Cluster information:

Kubernetes version: v1.18.2
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Fedora CoreOS
CNI and version: 0.8.5
CRI and version: 1.18.0

For whoever it may help later…

Embarrassingly enough, a kubectl describe gave me the answer:

$ kubectl describe pod/vault-0
Name:         vault-0
Namespace:    vault
Priority:     0
Node:         XXXXX
Start Time:   Fri, 12 Jun 2020 11:40:14 +0200
Labels:       app=vault
              controller-revision-hash=vault-0123456789
              statefulset.kubernetes.io/pod-name=vault-0
[...]

Hi @edoardo

I will be curious to learn about your answer. You mentioned that ‘kubectl describe’ gave you the answer. Is the answer that you defined ‘podSelector’ to match on ‘app=vault’? Is that correct?

Hi devkulkarni,
My solution might have made sense to me at the time but I can’t understand what information I was trying to share.

Fast forward 6 months and the following is what we settled on. I am not a Vault or Kubernetes expert so there might be a better solution I haven’t thought of.

Services:

---
kind: Service
apiVersion: v1
metadata:
  name: vault-0
  namespace: foo
  labels:
    app: vault
spec:
  selector:
    statefulset.kubernetes.io/pod-name: vault-0
  ports:
  - name: http
    port: 8200
  - name: internal
    port: 8201
---
kind: Service
apiVersion: v1
metadata:
  name: vault-1
  namespace: foo
  labels:
    app: vault
spec:
  selector:
    statefulset.kubernetes.io/pod-name: vault-1
  ports:
  - name: http
    port: 8200
  - name: internal
    port: 8201
---
kind: Service
apiVersion: v1
metadata:
  name: vault-2
  namespace: foo
  labels:
    app: vault
spec:
  selector:
    statefulset.kubernetes.io/pod-name: vault-2
  ports:
  - name: http
    port: 8200
  - name: internal
    port: 8201
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: vault
  name: vault
  namespace: foo
spec:
  ports:
  - name: http
    port: 8200
    protocol: TCP
    targetPort: 8200
  - name: internal
    port: 8201
    protocol: TCP
    targetPort: 8201
  publishNotReadyAddresses: true
  selector:
    app: vault
  sessionAffinity: None
  type: ClusterIP

netPols:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: egress-vault-to-vault-tcp-8200
  namespace: foo
  labels:
    app: vault
spec:
  podSelector:
    matchLabels:
      app: vault
  policyTypes:
    - Egress
  egress:
    - to:
      - namespaceSelector:
          matchLabels:
            name: vault
        podSelector:
          matchLabels:
            app: vault
      ports:
        - protocol: TCP
          port: 8200
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: ingress-vault-to-vault-tcp-8200
  namespace: foo
  labels:
    app: vault
spec:
  podSelector:
    matchLabels:
      app: vault
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            name: vault
        podSelector:
          matchLabels:
            app: vault
      ports:
        - protocol: TCP
          port: 8200
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: egress-vault-to-vault-tcp-8201
  namespace: foo
  labels:
    app: vault
spec:
  podSelector:
    matchLabels:
      app: vault
  policyTypes:
    - Egress
  egress:
    - to:
      - namespaceSelector:
          matchLabels:
            name: vault
        podSelector:
          matchLabels:
            app: vault
      ports:
        - protocol: TCP
          port: 8201
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: ingress-vault-to-vault-tcp-8201
  namespace: foo
  labels:
    app: vault
spec:
  podSelector:
    matchLabels:
      app: vault
  ingress:
    - from:
      - namespaceSelector:
          matchLabels:
            name: vault
        podSelector:
          matchLabels:
            app: vault
      ports:
        - protocol: TCP
          port: 8201

I hope this time my answer is a bit more helpful. :wink:
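A consolidated version of the four netPols above, added here as an example and not one of the poster's own manifests: it keeps the thread's app=vault label and the foo namespace, and uses a bare podSelector in the from/to blocks so it does not depend on the namespace carrying a name=vault label (the namespaceSelector in the posted policies only matches if that label exists on the namespace).

```yaml
# Added example, not from the thread: one NetworkPolicy covering both
# directions of Vault-to-Vault traffic on TCP 8200 and 8201.
# Assumes the StatefulSet pods carry app=vault (as shown by
# `kubectl describe pod/vault-0` earlier) and live in namespace foo.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: vault-to-vault
  namespace: foo
  labels:
    app: vault
spec:
  # The pods this policy applies to: every Vault member.
  podSelector:
    matchLabels:
      app: vault
  # Both types listed explicitly so the intent is visible next to the
  # default-deny policy that blocks Ingress and Egress for the namespace.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # A podSelector without a namespaceSelector matches pods in the
        # policy's own namespace, so no namespace label is required.
        - podSelector:
            matchLabels:
              app: vault
      ports:
        - protocol: TCP
          port: 8200   # the "http" port of the Services above
        - protocol: TCP
          port: 8201   # the "internal" port of the Services above
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: vault
      ports:
        - protocol: TCP
          port: 8200
        - protocol: TCP
          port: 8201
```

The egress-kubedns policy from the first post is still required alongside this one, otherwise the pods cannot resolve the vault-0, vault-1 and vault-2 Service names; `kubectl get pods -n foo -l app=vault` confirms which pods the selector actually catches.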