Task weight: 7%

Use context: kubectl config use-context infra-prod

There is a metadata service available at http://192.168.100.21:32000 on which Nodes can reach sensitive data, like cloud credentials for initialisation. By default, all Pods in the cluster also have access to this endpoint. The DevSecOps team has asked you to restrict access to this metadata server.

In Namespace metadata-access:

  • Create a NetworkPolicy named metadata-deny which prevents egress to 192.168.100.21 for all Pods but still allows access to everything else
  • Create a NetworkPolicy named metadata-allow which allows Pods having label role: metadata-accessor to access endpoint 192.168.100.21

There are existing Pods in the target Namespace with which you can test your policies, but don't change their labels.


Translation

Task weight: 7%

Use context: kubectl config use-context infra-prod

There is a metadata service at http://192.168.100.21:32000 through which Nodes can reach sensitive data, such as cloud credentials used for initialisation. By default, all Pods in the cluster can also access this endpoint. The DevSecOps team has asked you to restrict access to this metadata server.

In Namespace metadata-access:

  • Create a NetworkPolicy named metadata-deny which blocks egress to 192.168.100.21 for all Pods but still allows access to everything else.
  • Create a NetworkPolicy named metadata-allow which allows Pods with the label role: metadata-accessor to access endpoint 192.168.100.21.

There are existing Pods in the target Namespace that you can use to test your policies, but do not change their labels.


Solution

Access http://192.168.100.21:32000 from inside every container in the Namespace (k is the kubectl alias); run this before and after applying the policies to confirm which Pods can still reach the metadata endpoint:

for i in `k -n metadata-access get pod -o name`; do echo $i ; k -n metadata-access exec $i -- curl -s http://192.168.100.21:32000 ; done


Create the first NetworkPolicy. It selects every Pod in the Namespace and allows egress to any IPv4 destination except the metadata server:

vim 13_metadata-deny.yaml

# 13_metadata-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metadata-deny
  namespace: metadata-access
spec:
  podSelector: {}          # empty selector: applies to all Pods in the Namespace
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0    # allow everything else ...
        except:
        - 192.168.100.21/32  # ... except the metadata server

k apply -f 13_metadata-deny.yaml


Create the second NetworkPolicy. NetworkPolicies are additive, so Pods carrying role: metadata-accessor are selected by both policies and get the union of their egress rules, which re-opens 192.168.100.21 for those Pods only:

vim 13_metadata-allow.yaml

# 13_metadata-allow.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metadata-allow
  namespace: metadata-access
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor   # only Pods with this label
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.100.21/32   # the metadata server

k apply -f 13_metadata-allow.yaml
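As an added example (not part of the original task or solution), the script below models how Kubernetes evaluates egress NetworkPolicies against the two manifests above: a Pod selected by no policy is unrestricted, otherwise egress is allowed if any selecting policy has a matching rule. It only handles ipBlock peers and ignores ports, which is all these two policies use; the Pod labels in the test are constructed.

```python
# Minimal model of Kubernetes egress NetworkPolicy evaluation (added example,
# not Kubernetes code). Only ipBlock peers are modelled; podSelector /
# namespaceSelector peers and ports are out of scope for the two policies above.
import ipaddress

# The two policies from the solution, as Python dicts.
POLICIES = [
    {   # metadata-deny: selects every Pod, allows all egress except the metadata IP
        "name": "metadata-deny",
        "podSelector": {},
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                        "except": ["192.168.100.21/32"]}}]}],
    },
    {   # metadata-allow: selects role=metadata-accessor Pods, allows the metadata IP
        "name": "metadata-allow",
        "podSelector": {"matchLabels": {"role": "metadata-accessor"}},
        "egress": [{"to": [{"ipBlock": {"cidr": "192.168.100.21/32"}}]}],
    },
]


def selects(pod_selector, labels):
    """An empty podSelector matches every Pod; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in pod_selector.get("matchLabels", {}).items())


def ip_block_matches(block, ip):
    """ipBlock matches when ip is inside cidr and not inside any 'except' range."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(ex) for ex in block.get("except", []))


def egress_allowed(labels, dst_ip, policies=POLICIES):
    """Union semantics: unrestricted if no policy selects the Pod, otherwise
    allowed only if ANY selecting policy contains a rule matching dst_ip."""
    selecting = [p for p in policies if selects(p["podSelector"], labels)]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy.get("egress", []):
            for peer in rule.get("to", []):
                if "ipBlock" in peer and ip_block_matches(peer["ipBlock"], dst_ip):
                    return True
    return False
```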
