k8s Secure Network Policy
January 27, 2026


Hello! As a continuation of the previous topic, I decided to share a useful resource on network security policies. You can check the editor here.

networkpolicy.io is an interactive web editor for Kubernetes network policies, including policies for Cilium. It helps you design policies and check the resulting config.

Features

• Interactive selection of namespace, podSelector/namespaceSelector and ingress/egress rules, from which the editor assembles the manifest

• Policies are rendered as a graph that shows which pods and namespaces can communicate and which flows are blocked

• The tutorial demonstrates how to implement a zero-trust baseline, with a description of podSelector/namespaceSelector, ingress/egress, the add-only principle, etc.

• You can download a YAML manifest to check how cross-namespace rules behave and to assess security vulnerabilities

• A Security Score assesses the cluster's policies against the principles of least privilege and zero trust, that is, basic checks for default-deny, ingress/egress coverage, etc.

• The editor accepts flow logs from Hubble/Cilium and builds the necessary policies based on the flows

• Policies can be applied in any cluster whose CNI supports L7 functions

Why do we need this?

• Helps you move from default allow to a deliberate default-deny without the risk of denial of service

• Reduces the number of common errors, such as the wrong namespace, the wrong selector, missing DNS permissions, etc.

• Explains, with an example and a graph, what works and how, and how to fix what does not

• Teaches and helps you level up faster than the “poke” (trial-and-error) or AI method
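The default-deny coverage checks and the missing-DNS error mentioned above can be sketched as a small offline audit. This is an added example, not code from networkpolicy.io and not its Security Score logic; the namespaces, policy names and the namespace-level simplification (destinations and endPort ranges are ignored) are assumptions.

```python
from collections import defaultdict

# Helper: an item shaped like `kubectl get networkpolicy -A -o json` output.
def np(ns, name, **spec):
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}

DENY_ALL = dict(podSelector={}, policyTypes=["Ingress", "Egress"])
DNS_RULE = {"ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}
# Constructed sample policies (namespaces and names are made up).
SAMPLE = [
    np("shop", "default-deny", **DENY_ALL),
    np("shop", "api-from-frontend", podSelector={"matchLabels": {"app": "api"}},
       ingress=[{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}]),
    np("billing", "deny-ingress", podSelector={}, policyTypes=["Ingress"]),
    np("ops", "default-deny", **DENY_ALL),
    np("ops", "allow-dns", podSelector={}, policyTypes=["Egress"], egress=[DNS_RULE]),
]

def policy_types(spec):
    # API default when policyTypes is omitted: Ingress always, Egress only with egress rules.
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if spec.get("egress") else [])

def is_default_deny(spec, direction):
    # Selects every pod, isolates the direction, and lists no allow rule for it.
    sel = spec.get("podSelector") or {}
    selects_all = not sel.get("matchLabels") and not sel.get("matchExpressions")
    return selects_all and direction in policy_types(spec) and not spec.get(direction.lower())

def allows_dns(spec):
    # An egress rule without "ports" allows every port; otherwise look for port 53.
    return "Egress" in policy_types(spec) and any(
        not rule.get("ports") or any(p.get("port") == 53 for p in rule["ports"])
        for rule in spec.get("egress") or [])

def audit(items):
    """Return {namespace: [findings]}; an empty list means the baseline checks pass."""
    by_ns = defaultdict(list)
    for item in items:
        by_ns[item["metadata"]["namespace"]].append(item["spec"])
    report = {}
    for ns, specs in sorted(by_ns.items()):
        deny = {d: any(is_default_deny(s, d) for s in specs) for d in ("Ingress", "Egress")}
        findings = [f"no default-deny {d.lower()} policy" for d in deny if not deny[d]]
        if deny["Egress"] and not any(allows_dns(s) for s in specs):
            findings.append("egress is denied but no rule allows DNS (port 53)")
        report[ns] = findings
    return report

print(audit(SAMPLE))
```

In the sample, `shop` has a full default-deny but nothing allows DNS, which is the point at which moving to default-deny breaks name resolution for every pod in the namespace.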

#appsec #toolchain #reco #specialty
