CKS Exam Series #11 NetworkPolicies Default Deny and Allowlist

Kubernetes CKS Example Exam Question Series

Kim Wuestkamp
ITNEXT



#####################################

THIS CHALLENGE WON’T BE UPDATED HERE AND MOVED TO:

https://killercoda.com/killer-shell-cks

######################################

Content

  1. Create Cluster & Security Best Practices
  2. Pods, Secrets and ServiceAccounts
  3. Immutable Pods
  4. Crash that Apiserver & check logs
  5. ImagePolicyWebhook / AdmissionController
  6. Users and CertificateSigningRequests
  7. ServiceAccount Token Mounting
  8. Role Based Access Control (RBAC)
  9. Role Based Access Control (RBAC) v2
  10. Container Hardening
  11. NetworkPolicies (Default Deny + Allowlist)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

→ Check out the FULL CKS COURSE on Udemy ←

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules!

  1. Be fast, avoid creating yaml manually from scratch
  2. Use only kubernetes.io/docs for help.
  3. Check our solution after you have done yours. You probably have a better one!

Today's Task: Create a default deny NetworkPolicy and then allowlist more traffic

Test every one of your policies.

  1. Create Namespace applications
  2. By default, all Pods in Namespace applications should NOT be able to have any outgoing traffic
  3. By default, all Pods in Namespace applications should still be able to use the Kubernetes DNS
  4. Pods in Namespace applications with label very=important should be able to have any outgoing traffic
  5. Incoming traffic won’t be enforced by the NetworkPolicies
  6. Check out https://editor.cilium.io

Solution

1. Namespace

alias k=kubectl
k create ns applications

To test we create a Pod:

k -n applications run test --image=nginx
k -n applications exec test -- curl killer.sh # YES
k -n applications exec test -- sh -c "apt-get update && apt-get -y install dnsutils" # to use nslookup

2. Egress Default Deny

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: applications
spec:
  podSelector: {}
  policyTypes:
  - Egress

And to test:

k -n applications exec test -- nslookup killer.sh # NO
ping killer.sh # run locally, outside the Pod, to get the IP
k -n applications exec test -- curl killer.sh # NO
k -n applications exec test -- curl 35.227.196.29 # NO

3. Allow DNS

We can adjust the existing NP or create another one. Here we create a new one. Because the rule has no `to` entries it matches any destination, but only on port 53, so name resolution works while everything else stays blocked.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: applications
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP

And to test:

k -n applications exec test -- nslookup killer.sh # YES
k -n applications exec test -- nslookup kubernetes.default # YES
k -n applications exec test -- curl killer.sh # NO
k -n applications exec test -- curl 35.227.196.29 # NO

4. Allow all egress for some Pods

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress
  namespace: applications
spec:
  podSelector:
    matchLabels:
      very: important
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

And to test:

k -n applications exec test -- curl killer.sh # NO
k -n applications label pod test very=important
k -n applications exec test -- curl killer.sh # YES

5. Ignore ingress traffic

Nothing to do: none of our NetworkPolicies lists Ingress in policyTypes, so no Pod in the Namespace is isolated for incoming traffic and ingress stays unrestricted.
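To make the evaluation rules behind steps 2 to 5 visible without a cluster, here is an added example (not part of the original post and not Kubernetes code) that transcribes the three policies above into Python and replays the page's tests against a small model of NetworkPolicy semantics: a Pod is isolated in a direction only if some policy selects it with that direction in policyTypes; an isolated Pod may only use what at least one selecting policy allows (policies are additive, there is no deny rule); an empty `to`/`from` matches any peer and an empty `ports` matches any port. The kube-dns ClusterIP 10.96.0.10, the Pod labels and the `walkthrough` function are assumptions of this example, and only the field subset the page uses is modelled (matchLabels, policyTypes, ipBlock peers, ports), not podSelector or namespaceSelector peers.

```python
"""Offline model of Kubernetes NetworkPolicy evaluation (added example)."""
import ipaddress

NAMESPACE = "applications"
DNS_IP = "10.96.0.10"           # assumed kube-dns ClusterIP (constructed value)
KILLER_SH_IP = "35.227.196.29"  # the IP the page's curl test uses

# The three policies from the walkthrough, transcribed into dicts.
DEFAULT_DENY_EGRESS = {
    "metadata": {"name": "default-deny-egress", "namespace": NAMESPACE},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
}
ALLOW_DNS = {
    "metadata": {"name": "allow-dns", "namespace": NAMESPACE},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        # `- to:` with no value is null in YAML: any destination, port 53 only
        "egress": [{"to": None, "ports": [{"port": 53, "protocol": "UDP"},
                                          {"port": 53, "protocol": "TCP"}]}],
    },
}
ALLOW_EGRESS_IMPORTANT = {
    "metadata": {"name": "allow-egress", "namespace": NAMESPACE},
    "spec": {
        "podSelector": {"matchLabels": {"very": "important"}},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}],
    },
}

# direction name in policyTypes -> (rule list key, peer list key)
DIRECTIONS = {"Egress": ("egress", "to"), "Ingress": ("ingress", "from")}


def selects(selector, labels):
    """podSelector semantics: {} selects every Pod; all matchLabels must match."""
    wanted = (selector or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(spec):
    """Explicit policyTypes, else the API default: Ingress always, Egress if rules exist."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def peer_matches(peer, ip):
    """Only ipBlock peers are modelled; other peer kinds never match here."""
    block = peer.get("ipBlock")
    if not block:
        return False
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(c, strict=False)
                   for c in block.get("except") or [])


def rule_allows(rule, peer_key, ip, port, protocol):
    """One rule: empty peer list = any peer, empty ports list = any port."""
    peers = rule.get(peer_key) or []
    if peers and not any(peer_matches(p, ip) for p in peers):
        return False
    ports = rule.get("ports") or []
    if ports and not any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                         for p in ports):
        return False
    return True


def allowed(policies, pod_labels, direction, ip, port, protocol="TCP"):
    """Is traffic in `direction` between a Pod with pod_labels in NAMESPACE
    and ip:port/protocol allowed under these policies?"""
    rules_key, peer_key = DIRECTIONS[direction]
    selecting = [p["spec"] for p in policies
                 if p["metadata"]["namespace"] == NAMESPACE
                 and direction in policy_types(p["spec"])
                 and selects(p["spec"].get("podSelector"), pod_labels)]
    if not selecting:
        return True  # no policy isolates this Pod in this direction
    return any(rule_allows(r, peer_key, ip, port, protocol)
               for spec in selecting for r in spec.get(rules_key) or [])


def walkthrough():
    """Replay the page's tests step by step; returns {step: {test: allowed}}."""
    plain = {"run": "test"}
    important = {"run": "test", "very": "important"}
    dns, web = (DNS_IP, 53, "UDP"), (KILLER_SH_IP, 80, "TCP")
    pols, results = [DEFAULT_DENY_EGRESS], {}
    results["2-default-deny"] = {"nslookup": allowed(pols, plain, "Egress", *dns),
                                 "curl": allowed(pols, plain, "Egress", *web)}
    pols.append(ALLOW_DNS)
    results["3-allow-dns"] = {"nslookup": allowed(pols, plain, "Egress", *dns),
                              "curl": allowed(pols, plain, "Egress", *web)}
    pols.append(ALLOW_EGRESS_IMPORTANT)
    results["4-allow-egress"] = {"curl-unlabelled": allowed(pols, plain, "Egress", *web),
                                 "curl-very-important": allowed(pols, important, "Egress", *web)}
    results["5-ingress"] = {"any-ingress": allowed(pols, plain, "Ingress", "10.0.0.9", 80)}
    return results


if __name__ == "__main__":
    for step, tests in walkthrough().items():
        print(step, tests)
```

The model reproduces every YES/NO in the page's tests: the default-deny policy isolates all Pods without allowing anything, `allow-dns` adds port 53 for everyone, `allow-egress` adds everything but only for the `very=important` Pod, and with no Ingress policyType anywhere ingress remains open. It also shows why "the empty `to`" is not a typo: `null` and `[]` both mean any peer.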

6. NetworkPolicy editor

https://editor.cilium.io

This one is awesome for learning and understanding, just remember that you can’t use it in the exam.

You have a different solution?

Let us know by writing a comment below!

— — — The END — — —

So much for this session. See you at the next one and happy learning!

Ready to join Killer Shell?

FULL CKS COURSE

LINK

…or the CKS SIMULATOR

https://killer.sh/cks


killercoda.com | killer.sh (CKS CKA CKAD Simulator) | Software Engineer, Infrastructure Architect, Certified Kubernetes