Kubernetes Network Policy
Kubernetes is a Container Orchestration Engine designed to host containerized applications on a set of nodes, commonly referred to as a cluster. Using a systems modeling approach, this series aims to advance the understanding of Kubernetes and its underlying concepts.
Recommended Read
Overview
The Kubernetes Networking Model guarantees that all Kubernetes Pods on a Kubernetes Cluster are able to communicate, that is, able to exchange messages.
However, the Networking Semantics change in the presence of Networking Policies from Default Allow for all Pods to Default Deny for selected Pods with Explicit Allow:
Default Allow
The Kubernetes Network permits all incoming and outgoing messages to and from any Pod per default.
Default Deny
However, if there exists some Network Policy selecting a Pod, the Kubernetes Network prohibits all incoming and outgoing messages to and from the Pod per default.
Explicit Allow
Then, if there exists some Network Policy selecting a Pod and some rule of the Network Policy allowing Ingress or Egress, the Kubernetes Network permits matching incoming and outgoing messages to and from the Pod.
K8s Networking Policies
Kubernetes Networking Policies are a core abstraction of Kubernetes: Per Pod, Network Policies determine if an incoming (Ingress) or outgoing (Egress) message is permitted or prohibited by the Kubernetes Network.
Not this
Since Kubernetes Pods are arguably the core abstraction of Kubernetes, one may reasonably conclude that Kubernetes Network Policies express allowed traffic flow holistically in terms of Pods e.g. in terms of a set of Pods, the possible source, and a set of Pods, the possible target.
However, this is not how Network Policies work.
But that
A Kubernetes Network Policy determines whether an incoming or outgoing message is either permitted or prohibited.
For two Pods to communicate
- both Pods must be unselected or
- there must exist
- a Network Policy that permits Egress from the source to the target and
- a Network Policy that permits Ingress to the target from the source.
K8s Networking Policies ● Formal Description
A Kubernetes Network Policy Object may be classified as an Ingress or Egress Policy. Note that a Kubernetes Network Policy Object may be an Ingress and Egress Policy at the same time:
Ingress-Policies ≝
{P ∈ Policies : "Ingress" ∈ as-set(Pol.Spec.PolicyType)}Egress-Policies ≝
{P ∈ Policies : "Egress" ∈ as-set(Pol.Spec.PolicyType)}
As the names imply
- Ingress Policies default to deny and explicitly allow incoming messages
- Egress Policies default to deny and explicitly allow outgoing messages
of selected Pods.
- Ingress of a Pod is restricted if there is at least one Ingress Network Policy that selects that Pod.
- Egress of a Pod is restricted if there is at least one Egress Network Policy that selects that Pod.
IngressRestricted(Pod) ≝
∃ Pol ∈ Ingress-Policies:
Pod.Labels match Pol.Spec.PodSelectorEgressRestricted(Pod) ≝
∃ Pol ∈ Egress-Policies:
Pod.Labels match Pol.Spec.PodSelector
- Ingress to a Pod is allowed if the Pod is not restricted or if the Pod is restricted but there exists an Ingress Rule that explicitly allows Ingress to this Pod.
- Egress from a Pod is allowed if the Pod is not restricted or if the Pod is restricted but there exists an Egress Rule that explicitly allows Egress from this Pod.
IngressAllowed(Pod, (sAddr, sPort, tAddr, tPort, Proto)) ≝
IngressRestricted(Pod)
⟹
∃ Pol ∈ Ingress-Policies:
∧ Pod.Labels match Pol.Spec.PodSelector
∧ ∃ Rule ∈ Pol.Spec.Ingress:
∧ ∃ Peer ∈ Rule.From:
PeerAllowed
(Peer, sAddr)
# if no port is specified all ports and protocols are allowed
∧ Rule.Ports ≠ ∅
⟹
∃ Port ∈ Rule.Ports:
∧ Port.Protocol = Proto
∧ Port.Port match tPortEgressAllowed(Pod, (sAddr, sPort, tAddr, tPort, Proto)) ≝
EgressRestricted(Pod)
⟹
∃ Pol ∈ Egress-Policies:
∧ Pod.Labels match Pol.Spec.PodSelector
∧ ∃ Rule ∈ Pol.Spec.Egress:
∧ ∃ Peer ∈ Rule.To:
PeerAllowed
(Peer, tAddr)
# if no port is specified all ports and protocols are allowed
∧ Rule.Ports ≠ ∅
⟹
∃ Port ∈ Rule.Ports:
∧ Port.Protocol = Proto
∧ Port.Port match tPort
- An Ingress Policy selects its peers based on the Source Address of the incoming message,
- an Egress Policy selects its peers based on the Target Address of the outgoing message,
however both follow the same logic.
PeerAllowed(Peer, Addr) ≝
CASE Peer.PodSelector ≠ NIL Peer.NamespaceSelector ≠ Nil
→ ∃ S ∈ Pods:
∧ S.Labels match From.PodSelector
∧ S.NameSpace match From.NamespaceSelector
∧ S.Status.PodIP = Addr
◻︎ Peer.PodSelector ≠ NIL Peer.NamespaceSelector = Nil
→ ∃ S ∈ Pods:
∧ S.Labels match From.PodSelector
∧ S.NameSpace = Pol.Namespace
∧ S.Status.PodIP = Addr
◻︎ Peer.PodSelector = NIL Peer.NamespaceSelector ≠ Nil
→ ∃ S ∈ Pods:
∧ S.NameSpace = From.NamespaceSelector
∧ S.Status.PodIP = Addr
◻︎ Peer.PodSelector = NIL Peer.NamespaceSelector = Nil
→ ∧ sAddr ∈ as-set(From.IPBlock.CIDR)
∧ ∄ Except in From.IPBlock.Except
Addr ∈ as-set(Except)Implementation
Please visit Kubernetes Networking for a discussion of the Kubernetes Networking Model and the Conceptual Networking Model used throughout this blog post:
In this model, a network is a Network Graph that consists of a set of Nodes and a set of Links between the Nodes: One Node may exchange a message with another Node if and only if there exists a link between the Nodes.
A Node in the network is either a Process or a Switch. Processes produce and consume messages, Switches process messages according to their Forward Information Base (FIB).
Kubernetes provides a Network Specification but Kubernetes does not provide a Network Implementation. In fact, many alternative implementations, called Network Plugins, exist today.
In order to use Kubernetes Network Policies, that is, in order for the presence of a Network Policy Object to have the desired effects, the installed Network Plugin must support Network Policies.
Example
Figure 6. illustrates the example used in this section: A Kubernetes Cluster K₁ that consists of two Nodes. Each Node hosts two Pods. Each Pod resides in the default namespace and executes two Containers, one Container listening on port 8080, one Container listening on port 9090.
In addition
- Pod P₁ has a labelset of
{role: frontend} - Pod P₂ has a labelset of
{role: backend}
For this example, we will assume that following requirements:
- P₁ may receive traffic from any source
- P₁ may send traffic to P₂ only
- P₂ may receive traffic from P₁ only
- P₂ may send traffic to any target
1. Default Deny
In order to restrict communication we must flip
- P₁’s Egress and
- P₂’s Ingress
from Default Allow to Default Deny, that is, we must create
- an Egress Policy that selects P₁ and
- an Ingress Policy that selects P₂.
P₃ and P₄ are not selected, therefore P₃’s and P₄’s Ingress and Egress are not affected.
# Default Deny P₁’s EgressapiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: frontend-policy
namespace: default
spec:
podSelector:
matchLabels:
role: frontend
policyTypes:
- Egress# Default Deny P₂’s IngressapiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend-policy
namespace: default
spec:
podSelector:
matchLabels:
role: backend
policyTypes:
- Ingress
The frontend-policy and backend-policy result in a network configuration that is equivalent to
- P₁’s FIB discarding all messages with a source address of P₁’s IP Address 10.0.0.1 and any target address other than its own.
- P₂’s FIB discarding all messages with a target address of P₂’s IP Address 10.0.0.2 and any source address other than its own.
2. Explicit Allow
In order to allow communication from P₁ to P₂ we must flip
- P₁’s Egress to P₂ and
- P₂’s Ingress from P₁
from Default Deny to Explicilty Allow, that is, we must update
frontend-policyand add an Egress Rule andbackend-policyto add an Ingress Rule
# Explicitly Allow P₁’s Egress to P₂apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: frontend-policy
namespace: default
spec:
podSelector:
matchLabels:
role: frontend
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
role: backend # Explicitly Allow P₂’s Ingress from P₁apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend-policy
namespace: default
spec:
podSelector:
matchLabels:
role: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
role: frontend
The frontend-policy and backend-policy result in a network configuration that is equivalent to
- P₁’s FIB discarding all messages with a source address of P₁’s IP Address 10.0.0.1 and any target address other than its own except if the target address is P₂’s IP Address and target port is 8080 or 9090.
- P₂’s FIB discarding all messages with a target address of P₂’s IP Address 10.0.0.2 and any source address other than its own except if the source address is P₁’s IP Address and target port is 8080 or 9090.
In conclusion, P₁ may receive messages from any source but may only send messages to P₂, while P₂ may only receive messages from P₁ but may send messages to any target.
In combination, P₁ may exchange messages with P₂.
Conclusion
The Kubernetes Networking Model guarantees that all Kubernetes Pods on a Kubernetes Cluster are able to communicate, that is, able to exchange messages.
However, the Networking Semantics change in the presence of Networking Policies from Default Allow for all Pods to Default Deny for selected Pods with Explicit Allow.
In a nutshell, for two Pods to communicate
- both Pods must be unselected or
- there must exist
- a Network Policy that permits Egress from the source to the target and
- a Network Policy that permits Ingress to the target from the source.
