Skip to content

Commit

Permalink
feat: Update cluster defaults package with network policies (#866)
Browse files Browse the repository at this point in the history 
Summary

In order to comply with the nist-sp-800-53-r5-require-namespace-network-policies constraint (of [NIST SP 800-53 Rev. 5 Policy Controller bundle](https://github.com/GoogleCloudPlatform/gke-policy-library/tree/main/anthos-bundles/nist-sp-800-53-r5)), cluster-defaults package required updates to add network policies to the gateway-infra and default namespaces.

Details of gateway-infra namespace Network Policy:
Added cluster-defaults/admin-namespaces/networkpolicy.yaml file to implement network policy in the gateway-infra namespace.

Network policies implement following rules:
- Allow ingress within namespace
- Allow ingress from lb health check
- Allow egress within namespace
- Allow egress to metadata server
- Allow egress for GCP API
- Allow egress to private IP ranges (includes K8S cluster)

Details of default namespace Network Policy:
Added cluster-defaults/default-namespace/networkpolicy.yaml file to implement network policy in the default namespace

Network policies implement following rules:
- Allow ingress within namespace
- Allow egress within namespace
  • Loading branch information
@borkodjurkovic-ssc
borkodjurkovic-ssc authored Mar 13, 2024
1 parent 2b5ff79 commit 2bfcd83
Show file tree
Hide file tree
Showing 4 changed files with 235 additions and 5 deletions.
5 changes: 4 additions & 1 deletion solutions/gke/kubernetes/cluster-defaults/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@ Resources list:

- Gateway Controller
- Gateway namespace
- Network policies in the Gateway namespace
- Gateway using an external global load balancer and a SSL certificate
- Attaches an SSL Policy
- Attaches a Cloud Armor and logging policy
- Attaches a Cloud Armor policy
- Default network policy in the `default` namespace
- Enables logging for traffic allowed / blocked by Network Policies
139 changes: 139 additions & 0 deletions solutions/gke/kubernetes/cluster-defaults/admin-namespaces/networkpolicy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,139 @@
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# AC-4, AC-4(21), SC-7(5), SC-7(9), SC-7(11) - Network Policies to allow or deny ingress and egress traffic to/from gateway-infra namespace
# Allow ingress within namespace
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: gateway-infra
name: allow-ingress-within-namespace
spec:
podSelector: {}
# AC-4, AC-4(21), SC-7(5), SC-7(9), SC-7(11)
ingress:
# From all pods within the same namespace
- from:
- podSelector: {}
---
# Allow ingress from lb health check
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: gateway-infra
name: allow-ingress-from-lb-health-check
spec:
podSelector: {}
# AC-4, AC-4(21), SC-7(5), SC-7(9), SC-7(11)
ingress:
- from:
- ipBlock:
cidr: 35.191.0.0/16
- from:
- ipBlock:
cidr: 130.211.0.0/22
- from:
- ipBlock:
cidr: 209.85.152.0/22
- from:
- ipBlock:
cidr: 209.85.204.0/22
---
# Allow egress within namespace
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: gateway-infra
name: allow-egress-within-namespace
spec:
podSelector: {}
# AC-4, AC-4(21), SC-7(5), SC-7(9), SC-7(11)
egress:
# To all pods within the same namespace
- to:
- podSelector: {}
---
# Allow egress to metadata server
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: gateway-infra
name: allow-egress-to-metadata-server
spec:
podSelector: {}
# AC-4, AC-4(21), SC-7(5), SC-7(9), SC-7(11)
egress:
# Network policy and Workload Identity
# For clusters running GKE version 1.21.0-gke.1000 and later, allow egress to 169.254.169.252/32 on port 988
# For clusters running GKE Dataplane V2, allow egress to 169.254.169.254/32 on port 80
# Allow access to NodeLocal DNSCache on ip 169.254.20.10 and port 53
- to:
- ipBlock:
cidr: 169.254.169.252/32
ports:
- port: 988
- to:
- ipBlock:
cidr: 169.254.169.254/32
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
- port: 80
- to:
- ipBlock:
cidr: 169.254.20.10/32
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
---
# Allow egress for GCP API
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
namespace: gateway-infra
name: allow-egrees-to-gcp-api
spec:
podSelector: {}
# AC-4, AC-4(21), SC-7(5), SC-7(9), SC-7(11)
egress:
- to:
- ipBlock:
cidr: 10.255.255.254/32
ports:
- port: 443
---
# Allow egress to private IP ranges (includes K8S cluster)
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-private-egress
spec:
podSelector: {}
# AC-4, AC-4(21), SC-7(5), SC-7(9), SC-7(11)
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/8
- to:
- ipBlock:
cidr: 192.168.0.0/16
- to:
- ipBlock:
cidr: 172.16.0.0/20
42 changes: 42 additions & 0 deletions solutions/gke/kubernetes/cluster-defaults/default-namespace/networkpolicy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#########
# AC-4, AC-4(21), SC-7(5), SC-7(9), SC-7(11) - Network Policies to allow or deny ingress and egress traffic to/from default namespace
# Allow ingress within namespace
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: default
name: allow-ingress-within-default-namespace
spec:
podSelector: {}
# AC-4, AC-4(21), SC-7(5), SC-7(9), SC-7(11)
ingress:
# From all pods within the same namespace
- from:
- podSelector: {}
---
# Allow egress within namespace
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
namespace: default
name: allow-egress-within-default-namespace
spec:
podSelector: {}
# AC-4, AC-4(21), SC-7(5), SC-7(9), SC-7(11)
egress:
# To all pods within the same namespace
- to:
- podSelector: {}
54 changes: 50 additions & 4 deletions solutions/gke/kubernetes/cluster-defaults/securitycontrols.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,26 @@
<!-- BEGINNING OF SECURITY CONTROLS LIST -->
|Security Control|File Name|Resource Name|
|---|---|---|
|AC-4|./admin-namespaces/networkpolicy.yaml|allow-egrees-to-gcp-api|
|AC-4|./admin-namespaces/networkpolicy.yaml|allow-egress-to-metadata-server|
|AC-4|./admin-namespaces/networkpolicy.yaml|allow-egress-within-namespace|
|AC-4|./admin-namespaces/networkpolicy.yaml|allow-ingress-from-lb-health-check|
|AC-4|./admin-namespaces/networkpolicy.yaml|allow-ingress-within-namespace|
|AC-4|./admin-namespaces/networkpolicy.yaml|allow-ingress-within-namespace|
|AC-4|./admin-namespaces/networkpolicy.yaml|allow-private-egress|
|AC-4|./default-namespace/networkpolicy.yaml|allow-egress-within-default-namespace|
|AC-4|./default-namespace/networkpolicy.yaml|allow-ingress-within-default-namespace|
|AC-4|./default-namespace/networkpolicy.yaml|allow-ingress-within-default-namespace|
|AC-4(21)|./admin-namespaces/networkpolicy.yaml|allow-egrees-to-gcp-api|
|AC-4(21)|./admin-namespaces/networkpolicy.yaml|allow-egress-to-metadata-server|
|AC-4(21)|./admin-namespaces/networkpolicy.yaml|allow-egress-within-namespace|
|AC-4(21)|./admin-namespaces/networkpolicy.yaml|allow-ingress-from-lb-health-check|
|AC-4(21)|./admin-namespaces/networkpolicy.yaml|allow-ingress-within-namespace|
|AC-4(21)|./admin-namespaces/networkpolicy.yaml|allow-ingress-within-namespace|
|AC-4(21)|./admin-namespaces/networkpolicy.yaml|allow-private-egress|
|AC-4(21)|./default-namespace/networkpolicy.yaml|allow-egress-within-default-namespace|
|AC-4(21)|./default-namespace/networkpolicy.yaml|allow-ingress-within-default-namespace|
|AC-4(21)|./default-namespace/networkpolicy.yaml|allow-ingress-within-default-namespace|
|AU-12|./gateway/backendpolicy/backendpolicy.yaml|workload-name-cloud-armor|
|AU-12|./gateway/backendpolicy/backendpolicy.yaml|workload-name-cloud-armor|
|AU-12|./network-logging.yaml|default|
Expand All @@ -21,13 +41,39 @@
|SC-5(2)|./gateway/gateway-global.yaml|external-gateway-name|
|SC-5(2)|./gateway/gcpgatewaypolicy.yaml|external-gateway-name-policy|
|SC-5(2)|./gateway/gcpgatewaypolicy.yaml|external-gateway-name-policy|
|SC-7(11)|./admin-namespaces/networkpolicy.yaml|allow-egrees-to-gcp-api|
|SC-7(11)|./admin-namespaces/networkpolicy.yaml|allow-egress-to-metadata-server|
|SC-7(11)|./admin-namespaces/networkpolicy.yaml|allow-egress-within-namespace|
|SC-7(11)|./admin-namespaces/networkpolicy.yaml|allow-ingress-from-lb-health-check|
|SC-7(11)|./admin-namespaces/networkpolicy.yaml|allow-ingress-within-namespace|
|SC-7(11)|./admin-namespaces/networkpolicy.yaml|allow-ingress-within-namespace|
|SC-7(11)|./admin-namespaces/networkpolicy.yaml|allow-private-egress|
|SC-7(11)|./default-namespace/networkpolicy.yaml|allow-egress-within-default-namespace|
|SC-7(11)|./default-namespace/networkpolicy.yaml|allow-ingress-within-default-namespace|
|SC-7(11)|./default-namespace/networkpolicy.yaml|allow-ingress-within-default-namespace|
|SC-7(5)|./admin-namespaces/networkpolicy.yaml|allow-egrees-to-gcp-api|
|SC-7(5)|./admin-namespaces/networkpolicy.yaml|allow-egress-to-metadata-server|
|SC-7(5)|./admin-namespaces/networkpolicy.yaml|allow-egress-within-namespace|
|SC-7(5)|./admin-namespaces/networkpolicy.yaml|allow-ingress-from-lb-health-check|
|SC-7(5)|./admin-namespaces/networkpolicy.yaml|allow-ingress-within-namespace|
|SC-7(5)|./admin-namespaces/networkpolicy.yaml|allow-ingress-within-namespace|
|SC-7(5)|./admin-namespaces/networkpolicy.yaml|allow-private-egress|
|SC-7(5)|./default-namespace/networkpolicy.yaml|allow-egress-within-default-namespace|
|SC-7(5)|./default-namespace/networkpolicy.yaml|allow-ingress-within-default-namespace|
|SC-7(5)|./default-namespace/networkpolicy.yaml|allow-ingress-within-default-namespace|
|SC-7(9)|./admin-namespaces/networkpolicy.yaml|allow-egrees-to-gcp-api|
|SC-7(9)|./admin-namespaces/networkpolicy.yaml|allow-egress-to-metadata-server|
|SC-7(9)|./admin-namespaces/networkpolicy.yaml|allow-egress-within-namespace|
|SC-7(9)|./admin-namespaces/networkpolicy.yaml|allow-ingress-from-lb-health-check|
|SC-7(9)|./admin-namespaces/networkpolicy.yaml|allow-ingress-within-namespace|
|SC-7(9)|./admin-namespaces/networkpolicy.yaml|allow-ingress-within-namespace|
|SC-7(9)|./admin-namespaces/networkpolicy.yaml|allow-private-egress|
|SC-7(9)|./default-namespace/networkpolicy.yaml|allow-egress-within-default-namespace|
|SC-7(9)|./default-namespace/networkpolicy.yaml|allow-ingress-within-default-namespace|
|SC-7(9)|./default-namespace/networkpolicy.yaml|allow-ingress-within-default-namespace|
|SC-8|./gateway/gateway-global.yaml|external-gateway-name|
|SC-8|./gateway/gateway-global.yaml|external-gateway-name|
|SC-8|./gateway/gcpgatewaypolicy.yaml|external-gateway-name-policy|
|SC-8|./gateway/gcpgatewaypolicy.yaml|external-gateway-name-policy|
|SI-4|./network-logging.yaml|default|
|SI-4|./network-logging.yaml|default|
|SI-4(10)|./gateway/gateway-global.yaml|external-gateway-name|
|SI-4(10)|./gateway/gateway-global.yaml|external-gateway-name|

<!-- END OF SECURITY CONTROLS LIST -->

0 comments on commit 2bfcd83

Please sign in to comment.