Task weight: 7%
Use context: kubectl config use-context infra-prod
There is a metadata service available at http://192.168.100.21:32000 on which Nodes can reach sensitive data, like cloud credentials for initialisation. By default, all Pods in the cluster also have access to this endpoint. The DevSecOps team has asked you to restrict access to this metadata server.
In Namespace metadata-access:
- Create a NetworkPolicy named metadata-deny which prevents egress to 192.168.100.21 for all Pods but still allows access to everything else
- Create a NetworkPolicy named metadata-allow which allows Pods having label role: metadata-accessor to access endpoint 192.168.100.21
There are existing Pods in the target Namespace with which you can test your policies, but don't change their labels.
Solution
First, check access to http://192.168.100.21:32000 from inside the existing containers (before any policy is applied, every Pod should get a response):
for i in $(k -n metadata-access get pod -o name); do echo "$i"; k -n metadata-access exec "$i" -- curl -s http://192.168.100.21:32000; done
Create the first NetworkPolicy. The empty podSelector selects every Pod in the Namespace; the egress rule allows all destinations (0.0.0.0/0) except the metadata server, so DNS and everything else keep working:
vim 13_metadata-deny.yaml
# 13_metadata-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metadata-deny
  namespace: metadata-access
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.100.21/32
k apply -f 13_metadata-deny.yaml
Create the second NetworkPolicy. NetworkPolicies are additive: a Pod labelled role=metadata-accessor is selected by both policies, so its allowed egress is the union of the two rule sets and the metadata IP becomes reachable again for it only:
vim 13_metadata-allow.yaml
# 13_metadata-allow.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metadata-allow
  namespace: metadata-access
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.100.21/32
k apply -f 13_metadata-allow.yaml
Re-run the curl loop from the first step: only the Pods carrying role=metadata-accessor should still receive a response, while all Pods should still reach other destinations.
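To see why the two policies above compose the way they do, here is an added example (not part of the original page, and not Kubernetes code) that simulates the egress decision for a Pod: the policies and Pod labels are constructed inline as dicts, and the rules implemented are the ones the YAML relies on (empty podSelector matches all Pods, ipBlock is cidr minus except, and a Pod selected by several policies gets the union of their allowed destinations).

```python
import ipaddress

# The two policies from the solution, written out as dicts (constructed sample data).
METADATA_DENY = {
    "name": "metadata-deny",
    "podSelector": {},  # empty selector: every Pod in the Namespace
    "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                    "except": ["192.168.100.21/32"]}}]}],
}
METADATA_ALLOW = {
    "name": "metadata-allow",
    "podSelector": {"matchLabels": {"role": "metadata-accessor"}},
    "egress": [{"to": [{"ipBlock": {"cidr": "192.168.100.21/32"}}]}],
}
POLICIES = [METADATA_DENY, METADATA_ALLOW]
METADATA_IP = "192.168.100.21"


def selects(selector, labels):
    """An empty podSelector matches all Pods; otherwise every matchLabels entry must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ip_block_allows(block, ip):
    """ipBlock semantics: the address must be inside cidr and outside every except entry."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(e) for e in block.get("except", []))


def egress_allowed(pod_labels, dest_ip, policies):
    """A Pod selected by no Egress policy is unrestricted; otherwise the destination
    must be permitted by at least one rule of at least one selecting policy (union)."""
    selecting = [p for p in policies if selects(p["podSelector"], pod_labels)]
    if not selecting:
        return True
    return any(ip_block_allows(peer["ipBlock"], dest_ip)
               for p in selecting
               for rule in p["egress"]
               for peer in rule.get("to", [])
               if "ipBlock" in peer)


if __name__ == "__main__":
    # Unlabelled Pod: metadata blocked, other traffic fine; labelled Pod: both allowed.
    for labels in ({"app": "web"}, {"role": "metadata-accessor"}):
        print(labels, "metadata:", egress_allowed(labels, METADATA_IP, POLICIES),
              "other:", egress_allowed(labels, "10.0.0.5", POLICIES))
```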