🔒️ Hardening - use network policies for tighter control over cluster …

…traffic
ndebuhr · Jul 6, 2021 · 097d2ef · 097d2ef
1 parent 079a078
commit 097d2ef
Show file tree

Hide file tree

Showing 12 changed files with 387 additions and 0 deletions.
diff --git a/helm/templates/certbot.yaml b/helm/templates/certbot.yaml
@@ -6,6 +6,9 @@ metadata:
   name: certbot-init
 spec:
   template:
+    metadata:
+      labels:
+        app: certbot
     spec:
       serviceAccountName: sa-ssl
       initContainers:
@@ -53,6 +56,9 @@ spec:
   jobTemplate:
     spec:
       template:
+        metadata:
+          labels:
+            app: certbot
         spec:
           serviceAccountName: sa-ssl
           initContainers:
@@ -97,6 +103,9 @@ metadata:
   name: certbot-init
 spec:
   template:
+    metadata:
+      labels:
+        app: certbot
     spec:
       serviceAccountName: sa-ssl
       initContainers:
@@ -144,6 +153,9 @@ spec:
   jobTemplate:
     spec:
       template:
+        metadata:
+          labels:
+            app: certbot
         spec:
           serviceAccountName: sa-ssl
           initContainers:
@@ -182,6 +194,19 @@ spec:
           restartPolicy: OnFailure
 {{- end }}
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: certbot
+spec:
+  podSelector:
+    matchLabels:
+      app: certbot
+  policyTypes:
+  - Egress
+  egress:
+  - {}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:

diff --git a/helm/templates/code.yaml b/helm/templates/code.yaml
@@ -103,6 +103,25 @@ spec:
           claimName: code-dind-pvc
       restartPolicy: Always
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: code-server
+spec:
+  podSelector:
+    matchLabels:
+      app: code
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: keycloak-gatekeeper
+  egress:
+  - {}
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:

diff --git a/helm/templates/default-deny-net.yaml b/helm/templates/default-deny-net.yaml
@@ -0,0 +1,17 @@
+# By default, deny everything except DNS
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  - Ingress
+  egress:
+  - to:
+    ports:
+    - port: 53
+      protocol: TCP
+    - port: 53
+      protocol: UDP
diff --git a/helm/templates/guacamole.yaml b/helm/templates/guacamole.yaml
@@ -41,6 +41,28 @@ spec:
             memory: "2Gi"
       restartPolicy: Always
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: guacd
+spec:
+  podSelector:
+    matchLabels:
+      app: guacd
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: guacamole
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: guacamole
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -95,6 +117,25 @@ spec:
         resources: {{- toYaml .Values.components.guacamole.resources | nindent 10 }}
       restartPolicy: Always
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: guacamole
+spec:
+  podSelector:
+    matchLabels:
+      app: guacamole
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: keycloak-gatekeeper
+  egress:
+  - {}
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -166,6 +207,28 @@ spec:
           name: guacamole-init-sql
           defaultMode: 0777
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: guacamole-postgresql
+spec:
+  podSelector:
+    matchLabels:
+      app: guacamole-postgresql
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: guacamole
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: guacamole
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:

diff --git a/helm/templates/haproxy.yaml b/helm/templates/haproxy.yaml
@@ -53,6 +53,28 @@ spec:
           defaultMode: 0400
       restartPolicy: Always
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: haproxy
+spec:
+  podSelector:
+    matchLabels:
+      app: haproxy
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - {}
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: keycloak-gatekeeper
+    - podSelector:
+        matchLabels:
+          app: keycloak
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:

diff --git a/helm/templates/jupyter.yaml b/helm/templates/jupyter.yaml
@@ -44,6 +44,25 @@ spec:
           claimName: jupyter-pvc
       restartPolicy: Always
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: jupyter
+spec:
+  podSelector:
+    matchLabels:
+      app: jupyter
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: keycloak-gatekeeper
+  egress:
+  - {}
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:

diff --git a/helm/templates/keycloak-seeding.yaml b/helm/templates/keycloak-seeding.yaml
@@ -43,6 +43,22 @@ spec:
       restartPolicy: Never
   backoffLimit: 32
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: master-keycloak-init
+spec:
+  podSelector:
+    matchLabels:
+      app: master-keycloak-init
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: keycloak
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -87,6 +103,22 @@ spec:
       restartPolicy: Never
   backoffLimit: 32
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: client-scopes-keycloak-init
+spec:
+  podSelector:
+    matchLabels:
+      app: client-scopes-keycloak-init
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: keycloak
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -315,6 +347,22 @@ spec:
       restartPolicy: Never
   backoffLimit: 32
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ .name }}-keycloak-init
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ .name }}-keycloak-init
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: keycloak
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:

diff --git a/helm/templates/keycloak.yaml b/helm/templates/keycloak.yaml
@@ -40,6 +40,22 @@ spec:
         persistentVolumeClaim:
           claimName: keycloak-postgres-pvc
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: keycloak-postgres
+spec:
+  podSelector:
+    matchLabels:
+      app: keycloak-postgres
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: keycloak
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -108,6 +124,25 @@ spec:
         resources: {{- toYaml .Values.components.keycloak.resources | nindent 10 }}
       restartPolicy: Always
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: keycloak
+spec:
+  podSelector:
+    matchLabels:
+      app: keycloak
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - {}
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app: keycloak-postgres
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -172,6 +207,25 @@ spec:
       {{- end }}
       restartPolicy: Always
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: keycloak-gatekeeper
+spec:
+  podSelector:
+    matchLabels:
+      app: keycloak-gatekeeper
+  policyTypes:
+  - Egress
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: haproxy
+  egress:
+  - {}
+---
 apiVersion: v1
 kind: Service
 metadata: