Namespace Security Policies

Although Kubernetes network policies are useful in restricting the communication between pods in a namespace, you can only control ingress and egress traffic from a selected set of pods. As an administrator, these policies can be complex to use, specifically if you are interested in end-to-end traffic flow based on application or security requirements.

For end-to-end traffic flow, CN2 supports namespace security policies. Namespace security policies are administrative-centric policies. These policies allows you to define polices from a source endpoint to a destination endpoint within a namespace. With Namespace security policies, you can allow or deny traffic between pods in a namespace or to an external IP address.

Namespace security policies have the following characteristics:

• You can only define security polices within a namespace. By default, security policies can only manage traffic within its own namespace.

• When you define a security policy, the policy is applied on all pods in a namespace.

• By default, if a pod does not match any user-defined policies, traffic is denied.

• You define security policies within a namespace using rules. Each rule has a source endpoint and destination endpoint. For ease of use, the security polices use the same endpoints as Kubernetes network policies (namespace, podselector, IPblock).

• Namespace security polices can contain one or multiple rules. For example:

• Namespace security policies support two actions: pass and deny. The default action is deny. Actions are per-policy, not per rule. This means that any rules you define follows the same action.

• For each rule, you can define the destination ports or destination port range (combination of source, destination, and port). For example, let's say you want particular IP address or source to access the server on a specified destination port or range of ports.

A Namespace security policy consists of the following sections. See: Example of a Namespace Security Policy.

• Spec

  The spec field contains the rules and actions you need to define a security policy. The rules contain a list of user defined source and destination matches.

  The rules are categorized, as follows:

  • SrcEP: List of source endpoints for a rule match criteria (podSelector or ipBlock).

  • DstEP: List of destination endpoints for a rule match criteria (podSelector or ipBlock).

  • Ports: List of destination ports to be matched for this rule (contains a combination of ports and protocol).

• Action: Action to be taken if any policy rule matches (pass or deny). The default action is deny.

• .

• Policy Priority: Namespace Security Polices and Kubernetes Network Policies
• Example of a Namespace Security Policy

Policy Priority: Namespace Security Polices and Kubernetes Network Policies

Because CN2 uses both Kubernetes network polices and namespace security policies, we use a sequence to determine how rules are processed between the two different policies.

Figure 1 shows how Kubernetes network policies along with namespace security policies are prioritized. The rules for namespace security polices are prioritized first, followed by Kubernetes network policies.

Note:

All Namespace security policies are user-defined.

Each policy is prioritized, as follows:

1. Namespace Security Policies (Deny): By default, if a pod does not match any policies in CN2, traffic is denied. The deny policies are given a higher priority over the allow policies.

2. Namespace Security Policies (Allow): If you do not define a policy in CN2, traffic is allowed between all pods in the corresponding namespace.

3. Kubernetes Network Polices: By default, a Kubernetes network policy allows traffic from all sources.

4. Default (Deny): If a pod does not match any Kubernetes network policies, traffic is denied.

Figure 1: Policy Priority: Namespace Security Polices and Kubernetes Network Policies