Hi,
I have set up a Hashicorp Vault cluster and would like to tighten security. To do that, I implemented the following default rule in the “vault” namespace. We use Calico for this.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny
  namespace: vault
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Ingress
  - Egress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: egress-kubedns
  namespace: vault
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
How can I now create rules that will make sure all vault pods can talk to each other over TCP on ports 8200-8201?
It might be trivial but I can’t figure it out. How do you open connections between nodes of a StatefulSet or any other controller?
Any advice would be welcome.
Thanks!
Cluster information:
Kubernetes version: v1.18.2
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: Fedora CoreOS
CNI and version: 0.8.5
CRI and version: 1.18.0
For whoever it may help later…
Embarrassingly enough, a kubectl describe gave me the answer:
$ kubectl describe pod/vault-0
Name:         vault-0
Namespace:    vault
Priority:     0
Node:         XXXXX
Start Time:   Fri, 12 Jun 2020 11:40:14 +0200
Labels:       app=vault
              controller-revision-hash=vault-0123456789
              statefulset.kubernetes.io/pod-name=vault-0
[...]
Hi @edoardo
I will be curious to learn about your answer. You mentioned that ‘kubectl describe’ gave you the answer. Is the answer that you defined ‘podSelector’ to match on ‘app=vault’? Is that correct?
Hi devkulkarni,
My solution might have made sense to me at the time but I can’t understand what information I was trying to share.
Fast forward 6 months and the following is what we settled on. I am not a Vault or Kubernetes expert so there might be a better solution I haven’t thought of.
Services:
---
kind: Service
apiVersion: v1
metadata:
  name: vault-0
  namespace: foo
  labels:
    app: vault
spec:
  selector:
    statefulset.kubernetes.io/pod-name: vault-0
  ports:
  - name: http
    port: 8200
  - name: internal
    port: 8201
---
kind: Service
apiVersion: v1
metadata:
  name: vault-1
  namespace: foo
  labels:
    app: vault
spec:
  selector:
    statefulset.kubernetes.io/pod-name: vault-1
  ports:
  - name: http
    port: 8200
  - name: internal
    port: 8201
---
kind: Service
apiVersion: v1
metadata:
  name: vault-2
  namespace: foo
  labels:
    app: vault
spec:
  selector:
    statefulset.kubernetes.io/pod-name: vault-2
  ports:
  - name: http
    port: 8200
  - name: internal
    port: 8201
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: vault
  name: vault
  namespace: foo
spec:
  ports:
  - name: http
    port: 8200
    protocol: TCP
    targetPort: 8200
  - name: internal
    port: 8201
    protocol: TCP
    targetPort: 8201
  publishNotReadyAddresses: true
  selector:
    app: vault
  sessionAffinity: None
  type: ClusterIP
netPols:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: egress-vault-to-vault-tcp-8200
  namespace: foo
  labels:
    app: vault
spec:
  podSelector:
    matchLabels:
      app: vault
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: vault
      podSelector:
        matchLabels:
          app: vault
    ports:
    - protocol: TCP
      port: 8200
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: ingress-vault-to-vault-tcp-8200
  namespace: foo
  labels:
    app: vault
spec:
  podSelector:
    matchLabels:
      app: vault
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: vault
      podSelector:
        matchLabels:
          app: vault
    ports:
    - protocol: TCP
      port: 8200
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: egress-vault-to-vault-tcp-8201
  namespace: foo
  labels:
    app: vault
spec:
  podSelector:
    matchLabels:
      app: vault
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: vault
      podSelector:
        matchLabels:
          app: vault
    ports:
    - protocol: TCP
      port: 8201
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: ingress-vault-to-vault-tcp-8201
  namespace: foo
  labels:
    app: vault
spec:
  podSelector:
    matchLabels:
      app: vault
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: vault
      podSelector:
        matchLabels:
          app: vault
    ports:
    - protocol: TCP
      port: 8201
I hope this time my answer is a bit more helpful.
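As an added illustration (not code from anyone in the thread), here is a small Python model of the NetworkPolicy semantics the setup above relies on: a pod becomes isolated for a direction as soon as any policy selecting it lists that direction in policyTypes, allow rules from all selecting policies are unioned, and a flow must pass both the source's egress and the destination's ingress evaluation. The pods, the namespace labels and the `client` pod in `default` are constructed sample data; it assumes the vault namespace carries the label `name: vault` that the thread's namespaceSelector requires.

```python
# Simplified model of Kubernetes NetworkPolicy evaluation, added as an example. Selectors are
# matchLabels-only; policyTypes is given explicitly (the thread's ingress-only policies omit it,
# which Kubernetes defaults to ["Ingress"]).

# Constructed sample cluster (not from the thread): pods and namespace labels.
PODS = {
    "vault-0": {"ns": "vault", "labels": {"app": "vault"}},
    "vault-1": {"ns": "vault", "labels": {"app": "vault"}},
    "coredns": {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}},
    "client": {"ns": "default", "labels": {"app": "client"}},
}
NS_LABELS = {"vault": {"name": "vault"}, "kube-system": {"name": "kube-system"},
             "default": {"name": "default"}}

def rule(ns_sel, pod_sel, *ports):
    """One to/from entry: its namespaceSelector AND podSelector both apply to the peer."""
    return {"ns_sel": ns_sel, "pod_sel": pod_sel, "ports": set(ports)}

VAULT_PEER = (rule({"name": "vault"}, {"app": "vault"}, ("TCP", 8200), ("TCP", 8201)),)
# Policies in the vault namespace, mirroring the thread's YAML (8200 and 8201 folded together).
POLICIES = [
    {"ns": "vault", "pods": {}, "types": {"Ingress", "Egress"}},  # default-deny
    {"ns": "vault", "pods": {}, "types": {"Egress"},
     "egress": (rule({"name": "kube-system"}, {"k8s-app": "kube-dns"}, ("UDP", 53)),)},
    {"ns": "vault", "pods": {"app": "vault"}, "types": {"Egress"}, "egress": VAULT_PEER},
    {"ns": "vault", "pods": {"app": "vault"}, "types": {"Ingress"}, "ingress": VAULT_PEER},
]

def matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())

def direction_allowed(pod, peer, proto, port, kind):
    """kind is 'Egress' (pod is the source) or 'Ingress' (pod is the destination)."""
    isolating = [p for p in POLICIES if p["ns"] == pod["ns"]
                 and matches(p["pods"], pod["labels"]) and kind in p["types"]]
    if not isolating:
        return True  # nothing selects this pod for this direction: not isolated
    # Allow rules from every selecting policy are unioned.
    return any(matches(r["ns_sel"], NS_LABELS[peer["ns"]])
               and matches(r["pod_sel"], peer["labels"]) and (proto, port) in r["ports"]
               for p in isolating for r in p.get(kind.lower(), ()))

def allowed(src, dst, proto, port):
    """A flow needs the source's egress AND the destination's ingress to permit it."""
    return (direction_allowed(PODS[src], PODS[dst], proto, port, "Egress")
            and direction_allowed(PODS[dst], PODS[src], proto, port, "Ingress"))

if __name__ == "__main__":
    for flow in [("vault-0", "vault-1", "TCP", 8201), ("client", "vault-0", "TCP", 8200)]:
        print(flow, "allowed" if allowed(*flow) else "denied")
```

Running it shows vault-to-vault traffic on 8200/8201 and DNS egress passing while a pod from another namespace is denied, which is the behaviour the four policies above are meant to produce.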