Network Policy Recommendations #1344
Conversation
jetstack-bot
added
do-not-merge/work-in-progress
✅ Deploy Preview for cert-manager-website ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
wallrj
force-pushed
the
network-policy
branch
5 times, most recently
from
48fec25 to
b9efda8
Compare
jetstack-bot
added
size/L
wallrj
force-pushed
the
network-policy
branch
3 times, most recently
from
debf35b to
983061f
Compare
wallrj
changed the title
jetstack-bot
removed
the
do-not-merge/work-in-progress
wallrj
force-pushed
the
network-policy
branch
from
983061f to
e78f370
Compare
|
This is great, however given that |
public/docs/installation/best-practice/allow-egress-kubernetes-api.yaml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
A couple minor comments but would rather have this live and refine it.
Main one is that perhaps we should stick to default NetworkPolicy with networking.k8s.io? If we use one specific implementation (Calico), then we should provide others too?
I appreciate the list of communications. I wonder if there is an easier way to define them to be very clear? Possibly just having a YAML extract from the policy under each bullet?
| The cert-manager controller has a metrics server which listens for HTTP connections on TCP port 9402. | ||
| Create a network policy which allows access to this service from your chosen metrics collector. | ||
|
|
||
| ### Calico Example |
There was a problem hiding this comment.
Would it be better to use the standard networkpolicies.networking.k8s.io/v1 as the example, rather than a provider specific version?
Or we could have 3 example implementations?:
- Standard
NetworkPolicy - Calico
- Cillium
There was a problem hiding this comment.
Would it be better to use the standard
networkpolicies.networking.k8s.io/v1as the example, rather than a provider specific version?
The standard Kubernetes NetworkPolicy doesn't allow you to refer to a Service, which is what I think is needed to reliably allow cert-manager Pods to connect to the Kubernetes API server, so I used Calico.
Alternative would be to document how to find the IP address(es) of your K8S API server replicas and hard code those in to a Kubernetes NetworkPolicy....but that seems likely to break if the addresses ever change.
There was a problem hiding this comment.
I was about to reply but I see what you mean, you would have to have a combination of:
spec:
egress:
to:
namespaceSelector: ..
podSelector: ..But looking in GKE, you can't see the kuber api-server pods to select?
Whereas in a kind cluster you can:
> k get po -n kube-system -l component=kube-apiserver
NAME READY STATUS RESTARTS AGE
kube-apiserver-argocd-demo-control-plane 1/1 Running 0 6h44mI'll see if there is a "workaround" as this must be a fairly common problem, in that, I need to lock down access but enable app to connect to the k8s api.
There was a problem hiding this comment.
Probably no quick fix. It would seem the common answer is exactly what you said @wallrj.
Ref: https://stackoverflow.com/questions/58790124/whitelist-kube-apiserver-with-network-policy
I'm dropping the Calico examples for now. There will only be an overview of network requirements and I will leave it to the reader to figure out the configuration for their chosen CNI. |
jetstack-bot
added
size/M
| 1. **UDP: cert-manager (all) -> Kubernetes DNS**: | ||
| All cert-manager components perform UDP DNS queries for both cluster and external domain names. |
There was a problem hiding this comment.
w/ another hat, I work w/ a dns software project and UDP DNS queries sometimes need to be resent over TCP, I can't tell if that's listed here or if there's some way that cert-manager could avoid that requirement.
There was a problem hiding this comment.
Yeah, I had the same thought.
But then I saw the default Calico policy which only allows UDP traffic to kube-dns,
and second guessed myself.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: deny-app-policy
spec:
namespaceSelector: has(projectcalico.org/name) && projectcalico.org/name not in {"kube-system", "calico-system", "calico-apiserver"}
types:
- Ingress
- Egress
egress:
# allow all namespaces to communicate to DNS pods
- action: Allow
protocol: UDP
destination:
selector: 'k8s-app == "kube-dns"'
ports:
- 53There was a problem hiding this comment.
I've checked and the kube-dns does indeed accept TCP connections, so the Calico policy is wrong,
unless they've got some reason to block TCP queries.
$ kubectl get svc -n kube-system kube-dns
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 6m59s
$ kubectl run dig --attach --rm --restart=Never --image nixery.dev/dnsutils -- dig @kube-dns.kube-system.svc.cluster.local kubernetes.default.svc.cluster.local. A +tcp
; <<>> DiG 9.18.19 <<>> @kube-dns.kube-system.svc.cluster.local kubernetes.default.svc.cluster.local. A +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53329
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bb4d0b9fc7279ae9 (echoed)
;; QUESTION SECTION:
;kubernetes.default.svc.cluster.local. IN A
;; ANSWER SECTION:
kubernetes.default.svc.cluster.local. 4 IN A 10.96.0.1
;; Query time: 10 msec
;; SERVER: 10.96.0.10#53(kube-dns.kube-system.svc.cluster.local) (TCP)
;; WHEN: Wed Nov 15 09:57:05 UTC 2023
;; MSG SIZE rcvd: 129
pod "dig" deleted
There was a problem hiding this comment.
I've updated the docs to include TCP.
There was a problem hiding this comment.
I created tigera/docs#1096. Let's see what they say.
There was a problem hiding this comment.
FYI tigera/docs#1096 (comment)
I think the discussion will be more productive if you move it to the main project repo.
There was a problem hiding this comment.
wallrj
force-pushed
the
network-policy
branch
from
a4c017c to
58ce41a
Compare
Co-authored-by: Josh Soref <2119212+jsoref@users.noreply.github.com> Signed-off-by: Richard Wall <wallrj@users.noreply.github.com>
wallrj
force-pushed
the
network-policy
branch
from
58ce41a to
a6fb75d
Compare
In cert-manager/website#1344 (comment) we're discussing whether the default Calico deny policy should also allow TCP DNS queries. Is there a reason to block them?
|
/lgtm |
|
@hawksight: adding LGTM is restricted to approvers and reviewers in OWNERS files. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I think this is a good decision for now allowing users to implement their own best practice
Perhaps the community has some good examples or comments on these that we ca use to improve later on. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hawksight, inteon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
Thanks for all your documentation reviews Peter, for example: * cert-manager#1344 * cert-manager#1338 * cert-manager#1331 We'd like you to be able to `lgtm` future PRs, so we're adding you to the reviewers list. Signed-off-by: Richard Wall <richard.wall@venafi.com>
In cert-manager/website#1344 (comment) we're discussing whether the default Calico deny policy should also allow TCP DNS queries. Is there a reason to block them?
In cert-manager/website#1344 (comment) we're discussing whether the default Calico deny policy should also allow TCP DNS queries. Is there a reason to block them?
Thanks for all your documentation reviews Peter, for example: * cert-manager#1344 * cert-manager#1338 * cert-manager#1331 We'd like you to be able to `lgtm` future PRs, so we're adding you to the reviewers list. Signed-off-by: Richard Wall <richard.wall@venafi.com>
Preview: https://deploy-preview-1344--cert-manager-website.netlify.app/docs/installation/best-practice/#network-policy
I've tried to document all the network interactions of a typical cert-manager installation.
I've also added some (incomplete) Calico examples, but I'm not sure whether those make the document rather unreadable.I'm inclined to remove the Calico examples for brevity.I removed the Calico examples.
Fixes: #2334
xref: