
What are Network and System Policies

Accuknox enforces application policies and hardening with KubeArmor, our own open-source runtime security engine, which brings Linux Security Module enforcement (AppArmor, SELinux) to K8s / cloud workloads. For the network side, Accuknox builds on Cilium to provide identity-based (label-based) network segmentation for K8s and VM workloads.

Network Policy: Network policies control the traffic going in and out of pods. Cilium implements the Kubernetes NetworkPolicy resource at L3/L4 and extends it with L7 rules (e.g. HTTP, DNS) through CiliumNetworkPolicy. Cilium policies follow an allowlist (whitelist) model, and the default-deny is applied per direction: as soon as any policy selects a pod for ingress, all ingress to that pod is dropped unless a rule explicitly allows it, and the same holds for egress. A direction that no policy covers stays open, so a policy that only lists ingress rules leaves the pod's egress unrestricted.

  • Network-Ingress: List of rules which must apply at the ingress of the endpoint, i.e. to all network packets which are entering the endpoint.

  • Network-Egress: List of rules which must apply at the egress of the endpoint, i.e. to all network packets which are leaving the endpoint.

Structure of Network Policy

Network-egress Policy Specification:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: [policy name]
spec:
  description: [policy description]       # --> optional; a spec field, not a metadata field
  endpointSelector:                       # --> pods this policy applies to
    matchLabels:
      [key1]: [value1]
      [keyN]: [valueN]
  egress:
  - toEndpoints:                          # --> L3: peer pods selected by label (identity)
    - matchLabels:
        [key1]: [value1]
        [keyN]: [valueN]
    toPorts:                              # --> L4: scoped to the peers named in this same rule;
    - ports:                              #     a rule with toPorts alone allows these ports to ANY destination
      - port: "[port number]"             # --> a quoted string
        protocol: [TCP|UDP|ANY]
  - toCIDRSet:
    - cidr: [ip addr]/[cidr bits]
      except:
      - [ip addr]/[cidr bits]
  - toEntities:
    - [entity]                            # --> e.g. world, cluster, host, kube-apiserver
  - toServices:
    - k8sService:
        serviceName: [service name]
        namespace: [namespace]
  - toFQDNs:                              # --> needs a DNS rule (toPorts ... rules: dns) on the pod's
    - matchName: [domain name]            #     DNS egress so the Cilium DNS proxy can learn the IPs
    - matchPattern: [domain name pattern]

Network-ingress Policy Specification:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: [policy name]
spec:
  description: [policy description]       # --> optional; a spec field, not a metadata field
  endpointSelector:                       # --> pods this policy applies to
    matchLabels:
      [key1]: [value1]
      [keyN]: [valueN]
  ingress:
  - fromEndpoints:                        # --> L3: peer pods selected by label (identity)
    - matchLabels:
        [key1]: [value1]
        [keyN]: [valueN]
    toPorts:                              # --> L4: the selected pod's own listening ports, scoped to the
    - ports:                              #     peers in this rule; a rule with toPorts alone admits ANY source
      - port: "[port number]"             # --> a quoted string
        protocol: [TCP|UDP|ANY]
  - fromEntities:
    - [entity]                            # --> e.g. world, cluster, host, kube-apiserver
  - fromCIDRSet:
    - cidr: [ip addr]/[cidr bits]
      except:
      - [ip addr]/[cidr bits]
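
A complete policy built from the fields above, added here as an illustration and not a policy from the Accuknox or Cilium documentation. The `prod` namespace, the labels `app=frontend`, `app=backend` and `role=ingress-gateway`, and the hostname `api.payments.example` are assumed placeholders. It pins the frontend pods to exactly the traffic a three-tier application needs and shows two things the skeletons alone do not: an L4 restriction that is scoped by the L3 selector in the same rule, and the DNS rule that `toFQDNs` depends on.

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: frontend-least-privilege
  namespace: prod                      # assumed namespace
spec:
  description: "frontend: accept only the ingress gateway; reach only backend, DNS and the payments API"
  endpointSelector:
    matchLabels:
      app: frontend                    # assumed label
  ingress:
  # Only pods labelled role=ingress-gateway may reach the frontend, and only on TCP/8080.
  # Because this policy selects the frontend for ingress, every other inbound flow is dropped.
  - fromEndpoints:
    - matchLabels:
        role: ingress-gateway          # assumed label
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
  egress:
  # Backend pods, TCP/443 only. The port list applies to the peers in this rule,
  # not to every destination: a rule carrying only toPorts would allow 443 to anywhere.
  - toEndpoints:
    - matchLabels:
        app: backend                   # assumed label
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  # DNS to kube-dns through the Cilium DNS proxy. Without this rule the toFQDNs rule
  # below never learns any IPs and the matchName allows nothing at all.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # One external dependency by name, HTTPS only. All other egress to the world stays denied.
  - toFQDNs:
    - matchName: api.payments.example  # assumed hostname
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Because the policy selects the frontend for both ingress and egress, both directions become default-deny for those pods; anything not listed is dropped. After `kubectl apply -f`, drops can be inspected with `hubble observe --verdict DROPPED` while the application is exercised, which is the quickest way to find a flow the policy forgot.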

System Policy: System policies restrict the runtime behavior of containers (KubeArmorPolicy) and nodes (KubeArmorHostPolicy) at the system level: process execution, file access, network protocol use and Linux capabilities.

Structure of System Policy

Policy Specification

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: [policy name]
  namespace: [namespace name]
spec:
  selector:                               # --> For KubeArmorHostPolicy selector will be nodeSelector
    matchLabels:
      [key1]: [value1]
      [keyN]: [valueN]

  process:
    severity: [1-10]                       # --> optional (1 by default); may also be set per rule
    matchPaths:
    - path: [absolute executable path]
      ownerOnly: [true|false]              # --> optional
      fromSource:                          # --> optional: rule applies only when this process is the caller
      - path: [absolute executable path]
    matchDirectories:
    - dir: [absolute directory path]       # --> must end with "/"
      recursive: [true|false]              # --> optional
      ownerOnly: [true|false]              # --> optional
      fromSource:                          # --> optional
      - path: [absolute executable path]
    action: [Allow|Audit|Block]            # --> may also be set per rule

  file:
    severity: [1-10]                       # --> optional
    matchPaths:
    - path: [absolute file path]
      readOnly: [true|false]               # --> optional: with Block, only writes are denied
      ownerOnly: [true|false]              # --> optional
      fromSource:                          # --> optional
      - path: [absolute executable path]
    matchDirectories:
    - dir: [absolute directory path]       # --> must end with "/"
      recursive: [true|false]              # --> optional
      readOnly: [true|false]               # --> optional
      ownerOnly: [true|false]              # --> optional
      fromSource:                          # --> optional
      - path: [absolute executable path]
    action: [Allow|Audit|Block]

  network:
    severity: [1-10]                       # --> optional
    matchProtocols:
    - protocol: [TCP|tcp|UDP|udp|ICMP|icmp]
      fromSource:                          # --> optional
      - path: [absolute executable path]
    action: [Allow|Audit|Block]

  capabilities:
    severity: [1-10]                       # --> optional
    matchCapabilities:
    - capability: [capability name]        # --> lower case, without the CAP_ prefix, e.g. net_raw
      fromSource:                          # --> optional
      - path: [absolute executable path]
    action: [Allow|Audit|Block]
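
A concrete policy built from the skeleton above, added here as an illustration and not a policy from the Accuknox or KubeArmor documentation. The `prod` namespace, the label `app=web` and the server binary `/usr/sbin/nginx` are assumed placeholders. It hardens a web-server pod against the usual post-exploitation moves while keeping the container's normal default-allow behaviour, and shows how `fromSource`, `readOnly` and `ownerOnly` narrow a rule.

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: web-runtime-hardening
  namespace: prod                    # assumed namespace
spec:
  severity: 7                        # default for every rule below; a rule may override it
  selector:
    matchLabels:
      app: web                       # assumed label
  process:
    matchPaths:
    # Package managers have no business running inside a production image.
    - path: /usr/bin/apt
    - path: /usr/bin/apt-get
    # A shell spawned by the web server is the signature of a web shell or RCE.
    # fromSource scopes the rule: the same shells started by kubectl exec are untouched.
    - path: /bin/sh
      fromSource:
      - path: /usr/sbin/nginx        # assumed server binary
    - path: /bin/bash
      fromSource:
      - path: /usr/sbin/nginx
    # Nothing dropped into /tmp may be executed (dir must end with "/").
    matchDirectories:
    - dir: /tmp/
      recursive: true
    action: Block
  file:
    matchPaths:
    # readOnly + Block: reads still succeed, writes are denied.
    - path: /etc/passwd
      readOnly: true
    # No readOnly: every access to the shadow file is denied.
    - path: /etc/shadow
    matchDirectories:
    # Private keys: the owning uid may read them, every other uid in the container is blocked.
    - dir: /etc/ssl/private/
      recursive: true
      ownerOnly: true
    action: Block
  network:
    # Audit, not Block: log ICMP use first and tighten once the baseline is known.
    matchProtocols:
    - protocol: icmp
    action: Audit
  capabilities:
    # No raw sockets, so no packet sniffing or spoofing from inside the pod.
    matchCapabilities:
    - capability: net_raw
    action: Block
```

Every rule here is Block or Audit, so the pod keeps its default-allow posture and only the listed paths are affected; matching events appear in `karmor logs`. An Allow rule works the other way round: once an Allow rule applies to a container, everything in that category that is not explicitly allowed falls under the default posture KubeArmor is configured with for the namespace (audit or block), so Allow-based policies should be rolled out in Audit first and promoted only after the alerts are understood.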

See also: Policies and Rules
