Net seg
Simulation¶
Before applying the policy all network connections to the mysql pod is permitted from other pods and the attacker can use ICMP for discovery
vagrant@master-node:—$ kubectl exec -it wordpress-fb448db97-46rrn -n wordpress-mysql -- /bin/bash
root@wordpress-fb448db97-46rrn:/var/www/html# ping 10.0.0.10
PING 10.0.0.10 (10.0.0.10): 56 data bytes
64 bytes from 10.0.0.10: icmp_seq=0 tt1=64 time=0.078 ms
64 bytes from 10.0.0.10: icmp_seq=1 tt1=64 time=0.156 ms
64 bytes from 10.0.0.10: icmp_seq=2 tt1=64 time=0.090 ms
64 bytes from 10.0.0.10: icmp_seq=3 tt1=64 time=0.037 ms
64 bytes from 10.0.0.10: icmp_seq=4 tt1=64 time=0.123 ms
64 bytes from 10.0.0.10: icmp_seq=5 tt1=64 time=0.117 ms
64 bytes from 10.0.0.10: icmp_seq=6 tt1=64 time=0.108 ms
64 bytes from 10.0.0.10: icmp_seq=7 tt1=64 time=0.148 ms
64 bytes from 10.0.0.10: icmp_seq=8 tt1=64 time=0.153 ms
^C--- 10.0.0.10 ping statistics ---
9 packets transmitted, 9 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.037/0.112/0.156/0.037 ms
root@worderess-fb448db97-46rrn:/var/www/html#
After applying the policy, all other connections than the one defined will be dropped
vagrant@master-node:—$ kubectl exec -it wordpress-fb448db97-42k66 -n wordpress-mysql -- /bin/bash
root@wordpress-fb448db97-42k6S:/var/www/html# ping 10.0.0.10
PING 10.0.0.10 (10.0.0.10): 56 data bytes
92 bytes from 10.0.0.10: Destination Port Unreachable
92 bytes from 10.0.0.10: Destination Port Unreachable
92 bytes from 10.0.0.10: Destination Port Unreachable
92 bytes from 10.0.0.10: Destination Port Unreachable
92 bytes from 10.0.0.10: Destination Port Unreachable
92 bytes from 10.0.0.10: Destination Port Unreachable
^C--- 10.0.0.10 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
root@wordpress-fb448db97-42k66:/var/www/html#
root@wordpress-fb448db97-42k6S:/var/www/html# curl 10.0.0.10
curl: (7) Failed to connect to 10.0.0.10 port 80: Connection refused
root@wordpress-fb448db97-42k6S:/var/www/html#