What are Network and System Policies
Accuknox enforces application policies and hardening using KubeArmor - our own open-source product that brings AppArmor and SELinux to K8s / Cloud workloads. Additionally, Accuknox builds on top of Cilium to provide full support for identity-based network segmentation for K8s and VM workloads.
Network Policy: Network policies control traffic going in and out of pods. Cilium implements the Kubernetes Network Policies at L3/L4 and extends them with L7 policies. Cilium policies follow the whitelist model: once a policy is enabled for a pod, all ingress and egress traffic is denied by default unless the policy specification explicitly allows specific traffic.
- Network-Ingress: list of rules which must apply at the ingress of the endpoint, i.e. to all network packets which are entering the endpoint.
- Network-Egress: list of rules which must apply at the egress of the endpoint, i.e. to all network packets which are leaving the endpoint.
Structure of network policy
Network-egress Policy Specification:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: [policy name]
  description: [Policy Description]
spec:
  endpointSelector:
    matchLabels:
      [key1]: [value1]
      [keyN]: [valueN]
  egress:
  - toEndpoints:
    - matchLabels:
        [key1]: [value1]
        [keyN]: [valueN]
  - toPorts:
    - ports:
      - port: [port number]
        protocol: [protocol]
  - toCIDRSet:
    - cidr: [ip addr]/[cidr bits]
      except:
      - [ip addr]/[cidr bits]
  - toEntities:
    - [entity]
  - toServices:
    - k8sService:
        serviceName: [service name]
        namespace: [namespace]
  - toFQDNs:
    - matchName: [domain name]
    - matchPattern: [domain name pattern]
Network-ingress Policy Specification:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: [policy name]
  description: [Policy Description]
spec:
  endpointSelector:
    matchLabels:
      [key1]: [value1]
      [keyN]: [valueN]
  ingress:
  - toPorts:
    - ports:
      - port: [port number]
        protocol: [protocol]
  - fromEndpoints:
    - matchLabels:
        [key1]: [value1]
        [keyN]: [valueN]
  - fromEntities:
    - [entity]
  - fromCIDRSet:
    - cidr: [ip addr]/[cidr bits]
      except:
      - [ip addr]/[cidr bits]
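The whitelist rule stated above (a pod selected by a policy is default-deny in the direction that policy covers; traffic passes only when some rule item matches it) is easy to misread, so here is an added example that is not code from AccuKnox or Cilium: a small Python model of that evaluation over policies shaped like the egress and ingress templates above. Endpoints are plain label dictionaries; namespaces, toEntities, CIDR, FQDN and L7 rules are left out, and the sample policy and label sets are constructed for the demonstration.

```python
# Added example, not code from the AccuKnox or Cilium projects: a simplified
# model of the whitelist semantics described above. Policies mirror the
# endpointSelector / ingress / egress shape of a CiliumNetworkPolicy and
# endpoints are plain label dictionaries. Namespaces, toEntities, CIDR,
# FQDN and L7 rules are deliberately not modelled.


def labels_match(selector, labels):
    """matchLabels matches when every key/value pair is present on the endpoint.
    An empty selector matches every endpoint."""
    return all(labels.get(k) == v for k, v in selector.items())


def ports_match(to_ports, port, proto):
    """toPorts lists port/protocol pairs; any one of them may match.
    Protocol ANY matches both TCP and UDP."""
    for block in to_ports:
        for entry in block.get("ports", []):
            if str(entry.get("port")) != str(port):
                continue
            if entry.get("protocol", "TCP").upper() in ("ANY", proto.upper()):
                return True
    return False


def rule_allows(rule, peer_labels, port, proto, peer_key):
    """One list item under ingress: or egress:. Constraints inside a single
    item are ANDed. An item with no constraints at all ({}) has nothing that
    can match, so it allows nothing: that is how a CiliumNetworkPolicy puts an
    endpoint into default deny without whitelisting any peer."""
    if not rule:
        return False
    if peer_key in rule and not any(
        labels_match(sel.get("matchLabels", {}), peer_labels) for sel in rule[peer_key]
    ):
        return False
    if "toPorts" in rule and not ports_match(rule["toPorts"], port, proto):
        return False
    return True


def direction_allowed(policies, self_labels, peer_labels, port, proto, direction):
    """Default deny for a direction applies only once some policy that carries
    that section selects the endpoint. After that, any matching item in any
    selecting policy allows the flow (items are ORed)."""
    peer_key = "fromEndpoints" if direction == "ingress" else "toEndpoints"
    selecting = [
        p for p in policies
        if direction in p["spec"]
        and labels_match(p["spec"]["endpointSelector"].get("matchLabels", {}), self_labels)
    ]
    if not selecting:
        return True  # no policy with this section selects the endpoint: still open
    return any(
        rule_allows(rule, peer_labels, port, proto, peer_key)
        for p in selecting for rule in p["spec"][direction]
    )


def flow_allowed(policies, src_labels, dst_labels, port, proto="TCP"):
    """A flow passes only if the source's egress side and the destination's
    ingress side both allow it."""
    return (
        direction_allowed(policies, src_labels, dst_labels, port, proto, "egress")
        and direction_allowed(policies, dst_labels, src_labels, port, proto, "ingress")
    )


# Constructed sample policy (the parsed form of the YAML template above):
# app=backend accepts 8080/TCP from app=frontend and may only reach app=db on 5432/TCP.
BACKEND_POLICY = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "backend-policy"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "backend"}},
        "ingress": [{
            "fromEndpoints": [{"matchLabels": {"app": "frontend"}}],
            "toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"}]}],
        }],
        "egress": [{
            "toEndpoints": [{"matchLabels": {"app": "db"}}],
            "toPorts": [{"ports": [{"port": "5432", "protocol": "TCP"}]}],
        }],
    },
}
FRONTEND, BACKEND, DB = {"app": "frontend"}, {"app": "backend"}, {"app": "db"}

if __name__ == "__main__":
    for src, dst, port in [(FRONTEND, BACKEND, 8080), (FRONTEND, BACKEND, 22),
                           (BACKEND, DB, 5432), (BACKEND, FRONTEND, 80), (DB, FRONTEND, 80)]:
        verdict = "ALLOW" if flow_allowed([BACKEND_POLICY], src, dst, port) else "DENY"
        print(f"{src['app']} -> {dst['app']}:{port}  {verdict}")
```

Two outcomes are worth noticing when running it: db -> frontend:80 is allowed even though no rule mentions it, because neither endpoint is selected by a policy with the relevant section, while backend -> frontend:80 is denied because the backend policy has an egress section and nothing in it matches the frontend. That is the practical consequence of the whitelist model: adding any egress rule to a pod closes every egress path you did not list.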
System Policy: System policies restrict the behavior of containers and nodes at the system level, such as process execution, file access, and network operations.
Structure of System Policy
Policy Specification
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: [policy name]
  namespace: [namespace name]
spec:
  selector:                          # --> For KubeArmorHostPolicy selector will be nodeSelector
    matchLabels:
      [key1]: [value1]
      [keyN]: [valueN]
  process:
    severity: [1-10]
    matchPaths:
    - path: [absolute executable path]
      ownerOnly: [true|false]        # --> optional
      fromSource:                    # --> optional
      - path: [absolute executable path]
    matchDirectories:
    - dir: [absolute directory path]
      recursive: [true|false]        # --> optional
      ownerOnly: [true|false]        # --> optional
      fromSource:                    # --> optional
      - path: [absolute executable path]
    action: [Allow|Audit|Block]
  file:
    severity: [1-10]
    matchPaths:
    - path: [absolute file path]
      readOnly: [true|false]         # --> optional
      ownerOnly: [true|false]        # --> optional
      fromSource:                    # --> optional
      - path: [absolute executable path]
    matchDirectories:
    - dir: [absolute directory path]
      recursive: [true|false]        # --> optional
      readOnly: [true|false]         # --> optional
      ownerOnly: [true|false]        # --> optional
      fromSource:                    # --> optional
      - path: [absolute executable path]
    action: [Allow|Audit|Block]
  network:
    severity: [1-10]
    matchProtocols:
    - protocol: [TCP|tcp|UDP|udp|ICMP|icmp]
      fromSource:                    # --> optional
      - path: [absolute executable path]
    action: [Allow|Audit|Block]
  capabilities:
    severity: [1-10]
    matchCapabilities:
    - capability: [capability name]
      fromSource:                    # --> optional
      - path: [absolute executable path]
    action: [Allow|Audit|Block]
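A policy that violates the constraints in the template above (a severity outside 1-10, an action other than Allow, Audit or Block, a relative path) is rejected at apply time, so it pays to check a policy before it reaches the cluster. The following is an added example, not code from AccuKnox or KubeArmor: a small Python linter for the structure shown above, run on a parsed policy (a dict such as yaml.safe_load returns). Two KubeArmor conventions are assumed rather than taken from this page: directory paths end with "/", and a section may inherit a top-level spec.action instead of carrying its own. The two sample policies are constructed for the demonstration.

```python
# Added example, not code from the AccuKnox or KubeArmor projects: a linter for
# the KubeArmorPolicy structure shown above. It takes an already parsed policy
# (a dict, as yaml.safe_load would return) and checks the constraints the
# template states. Assumed KubeArmor conventions, not taken from the page:
# directory paths end with "/", and a section may inherit spec.action.

ACTIONS = {"Allow", "Audit", "Block"}
PROTOCOLS = {"TCP", "tcp", "UDP", "udp", "ICMP", "icmp"}
SECTIONS = ("process", "file", "network", "capabilities")


def _check_sources(entry, where, errors):
    """fromSource is optional; each entry needs an absolute executable path."""
    for i, src in enumerate(entry.get("fromSource", [])):
        if not str(src.get("path", "")).startswith("/"):
            errors.append(f"{where}.fromSource[{i}].path must be an absolute path")


def _check_section(name, section, spec_action, errors):
    where = f"spec.{name}"
    sev = section.get("severity", 1)  # severity is optional; treated as 1 when omitted
    if not isinstance(sev, int) or not 1 <= sev <= 10:
        errors.append(f"{where}.severity must be an integer from 1 to 10")
    if section.get("action", spec_action) not in ACTIONS:
        errors.append(f"{where}.action must be one of {sorted(ACTIONS)}")
    for i, m in enumerate(section.get("matchPaths", [])):
        if not str(m.get("path", "")).startswith("/"):
            errors.append(f"{where}.matchPaths[{i}].path must be an absolute path")
        _check_sources(m, f"{where}.matchPaths[{i}]", errors)
    for i, m in enumerate(section.get("matchDirectories", [])):
        d = str(m.get("dir", ""))
        if not (d.startswith("/") and d.endswith("/")):
            errors.append(f"{where}.matchDirectories[{i}].dir must be absolute and end with '/'")
        _check_sources(m, f"{where}.matchDirectories[{i}]", errors)
    for i, m in enumerate(section.get("matchProtocols", [])):
        if m.get("protocol") not in PROTOCOLS:
            errors.append(f"{where}.matchProtocols[{i}].protocol must be one of {sorted(PROTOCOLS)}")
        _check_sources(m, f"{where}.matchProtocols[{i}]", errors)
    for i, m in enumerate(section.get("matchCapabilities", [])):
        if not m.get("capability"):
            errors.append(f"{where}.matchCapabilities[{i}].capability is required")
        _check_sources(m, f"{where}.matchCapabilities[{i}]", errors)


def lint_policy(policy):
    """Return the list of problems found; an empty list means the policy passes."""
    errors = []
    kind = policy.get("kind")
    if policy.get("apiVersion") != "security.kubearmor.com/v1":
        errors.append("apiVersion must be security.kubearmor.com/v1")
    if kind not in ("KubeArmorPolicy", "KubeArmorHostPolicy"):
        errors.append("kind must be KubeArmorPolicy or KubeArmorHostPolicy")
    meta = policy.get("metadata", {})
    if not meta.get("name"):
        errors.append("metadata.name is required")
    if kind == "KubeArmorPolicy" and not meta.get("namespace"):
        errors.append("metadata.namespace is required for KubeArmorPolicy")
    spec = policy.get("spec", {})
    sel_key = "nodeSelector" if kind == "KubeArmorHostPolicy" else "selector"
    if not spec.get(sel_key, {}).get("matchLabels"):
        errors.append(f"spec.{sel_key}.matchLabels must list at least one label")
    if not any(s in spec for s in SECTIONS):
        errors.append(f"spec needs at least one of {SECTIONS}")
    for name in SECTIONS:
        if name in spec:
            _check_section(name, spec[name], spec.get("action"), errors)
    return errors


# Constructed samples: a policy that blocks package-manager execution in
# app=web pods and audits access to /etc/shadow, and a deliberately broken one.
WEB_POLICY = {
    "apiVersion": "security.kubearmor.com/v1",
    "kind": "KubeArmorPolicy",
    "metadata": {"name": "web-hardening", "namespace": "default"},
    "spec": {
        "selector": {"matchLabels": {"app": "web"}},
        "process": {"severity": 5, "action": "Block",
                    "matchPaths": [{"path": "/usr/bin/apt"}, {"path": "/usr/bin/apt-get"}]},
        "file": {"severity": 8, "action": "Audit",
                 "matchPaths": [{"path": "/etc/shadow", "readOnly": True}]},
    },
}
BAD_POLICY = {
    "apiVersion": "security.kubearmor.com/v1",
    "kind": "KubeArmorPolicy",
    "metadata": {"name": "broken", "namespace": "default"},
    "spec": {
        "selector": {"matchLabels": {"app": "web"}},
        "process": {"severity": 11, "action": "Block", "matchDirectories": [{"dir": "/usr/local/bin"}]},
        "network": {"action": "Deny", "matchProtocols": [{"protocol": "http"}]},
    },
}

if __name__ == "__main__":
    for label, pol in (("web-hardening", WEB_POLICY), ("broken", BAD_POLICY)):
        problems = lint_policy(pol)
        print(label, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

The broken sample is reported with four findings (an out-of-range severity, a directory without the trailing slash, an unknown protocol and an invalid action); the hardening sample passes. Running such a check in CI before kubectl apply catches the template mistakes that would otherwise only surface as a rejected object.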
See also: Policies and Rules