Network Segmentation¶
Limit network access strictly between whitelisted service endpoints, deny everything else.
Narrative¶
In Kubernetes, by default all the pods are able to communicate with all the other pods present in the cluster. This increases the security risk associated with the intrusion of an attacker as this model allows easy access to all endpoints. Network segmentation deals with dividing this network into segments and reducing the connections that are allowed.
Attack Scenario¶
An attacker can gain access to a vulnerable pod and then try to access the other pods by lateral movement through the network. This can be prevented by using network segmentation policies which restrict the connections to only those that are strictly necessary for the particular application to function.
Attack Type Pivoting, Denial of service(DoS)
Compliance¶
- Network Segmentation
Policy¶
Network micro-segmentation¶
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: autopol-ingress-564878049
namespace: wordpress-mysql
spec:
ingress:
- from:
- podSelector:
matchLabels:
app: wordpress
ports:
- port: 3306
protocol: TCP
podSelector:
matchLabels:
app: mysql
policyTypes:
- Ingress
Simulation¶
Before applying the policy all network connections to the mysql pod is permitted from other pods and the attacker can use ICMP for discovery
vagrant@master-node:—$ kubectl exec -it wordpress-fb448db97-46rrn -n wordpress-mysql -- /bin/bash
root@wordpress-fb448db97-46rrn:/var/www/html# ping 10.0.0.10
PING 10.0.0.10 (10.0.0.10): 56 data bytes
64 bytes from 10.0.0.10: icmp_seq=0 tt1=64 time=0.078 ms
64 bytes from 10.0.0.10: icmp_seq=1 tt1=64 time=0.156 ms
64 bytes from 10.0.0.10: icmp_seq=2 tt1=64 time=0.090 ms
64 bytes from 10.0.0.10: icmp_seq=3 tt1=64 time=0.037 ms
64 bytes from 10.0.0.10: icmp_seq=4 tt1=64 time=0.123 ms
64 bytes from 10.0.0.10: icmp_seq=5 tt1=64 time=0.117 ms
64 bytes from 10.0.0.10: icmp_seq=6 tt1=64 time=0.108 ms
64 bytes from 10.0.0.10: icmp_seq=7 tt1=64 time=0.148 ms
64 bytes from 10.0.0.10: icmp_seq=8 tt1=64 time=0.153 ms
^C--- 10.0.0.10 ping statistics ---
9 packets transmitted, 9 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.037/0.112/0.156/0.037 ms
root@worderess-fb448db97-46rrn:/var/www/html#
After applying the policy, all other connections than the one defined will be dropped
vagrant@master-node:—$ kubectl exec -it wordpress-fb448db97-42k66 -n wordpress-mysql -- /bin/bash
root@wordpress-fb448db97-42k6S:/var/www/html# ping 10.0.0.10
PING 10.0.0.10 (10.0.0.10): 56 data bytes
92 bytes from 10.0.0.10: Destination Port Unreachable
92 bytes from 10.0.0.10: Destination Port Unreachable
92 bytes from 10.0.0.10: Destination Port Unreachable
92 bytes from 10.0.0.10: Destination Port Unreachable
92 bytes from 10.0.0.10: Destination Port Unreachable
92 bytes from 10.0.0.10: Destination Port Unreachable
^C--- 10.0.0.10 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
root@wordpress-fb448db97-42k66:/var/www/html#
root@wordpress-fb448db97-42k6S:/var/www/html# curl 10.0.0.10
curl: (7) Failed to connect to 10.0.0.10 port 80: Connection refused
root@wordpress-fb448db97-42k6S:/var/www/html#