hobyte

Reputation: 625

blacklist IP in kubernetes security policy

I read through the kubernetes network policy documentation and stumbled upon this statement:

What you can't do with network policies (at least, not yet)

The ability to explicitly deny policies (currently the model for NetworkPolicies are deny by default, with only the ability to add allow rules).

Is there a way around this limiting factor, or any add-on to kubernetes that allows for blacklisting IPs?

Upvotes: 0

Views: 809

Answers (1)

CodeWizard

Reputation: 141956

You can use a 3rd-party tool for this task.

A few examples:

  1. https://docs.aws.amazon.com/eks/latest/userguide/restrict-service-external-ip.html

  2. https://istio.io/v1.1/docs/tasks/policy-enforcement/denial-and-list/#ip-based-whitelists-or-blacklists

apiVersion: config.istio.io/v1alpha2
kind: listchecker
metadata:
  name: whitelistip
spec:
  # providerUrl: ordinarily black and white lists are maintained
  # externally and fetched asynchronously using the providerUrl.
  overrides: ["10.57.0.0/16"]  # overrides provide a static list
  blacklist: false  # false = allow only the listed ranges; true = deny the listed ranges
  entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: sourceip
spec:
  value: source.ip | ip("0.0.0.0")
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
spec:
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: whitelistip.listchecker
    instances:
    - sourceip.listentry
---
  3. With nginx
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    
    #
    # This is the relevant part
    #
    
    nginx.ingress.kubernetes.io/whitelist-source-range: 49.36.X.X/32
    # depending on the ingress controller version the annotation
    # above may need to be modified to remove the prefix nginx. i.e.
    # ingress.kubernetes.io/whitelist-source-range: 49.36.X.X/32
spec:
  rules:
  - host: web.manitestdomain.com
    http:
      paths:
      - path: /(.*)
        # recent ingress-nginx releases reject regex characters in a Prefix
        # path; use pathType: ImplementationSpecific together with use-regex
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80

Upvotes: 1
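Worked example, added here and not code from the question, the answer, Istio or ingress-nginx: a small model of the two decisions the page is about, written against the standard-library ipaddress module. listchecker_allows reproduces what the Istio 1.1 listchecker handler above decides for entryType IP_ADDRESSES (an allow list when blacklist is false, a deny list when blacklist is true; the nginx whitelist-source-range annotation is the same allow-list check), including the `source.ip | ip("0.0.0.0")` fallback from the sourceip instance. ipblock_allows reproduces the one native NetworkPolicy construct that comes close to a deny list, an ipBlock with a cidr and except ranges. All addresses are constructed sample values.

```python
"""Model of the IP-list decisions discussed on this page.

Added example: not code from the question, the answer, Istio or
ingress-nginx.  Using only the standard-library ``ipaddress`` module it
reproduces the decision an Istio 1.1 listchecker makes for
``entryType: IP_ADDRESSES`` (allow list when ``blacklist: false``, deny
list when ``blacklist: true``) and the decision a Kubernetes
NetworkPolicy ``ipBlock`` makes (``cidr`` minus ``except``).  All
addresses below are constructed sample values.
"""
import ipaddress
from typing import Dict, Iterable, Optional


def _in_any(ip: str, cidrs: Iterable[str]) -> bool:
    """True if ``ip`` falls inside at least one of ``cidrs`` (same IP version)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def listchecker_allows(source_ip: Optional[str],
                       overrides: Iterable[str],
                       blacklist: bool) -> bool:
    """Decision of the listchecker handler for the ``sourceip`` instance.

    The instance on the page is ``source.ip | ip("0.0.0.0")``: when the
    attribute is missing the check runs against 0.0.0.0, so an allow list
    rejects such a request while a deny list accepts it unless the list
    covers 0.0.0.0 itself.
    """
    ip = source_ip if source_ip is not None else "0.0.0.0"
    listed = _in_any(ip, overrides)
    return not listed if blacklist else listed


def ipblock_allows(source_ip: str, cidr: str,
                   except_: Iterable[str] = ()) -> bool:
    """NetworkPolicy ipBlock: ``cidr`` is allowed, minus the ``except`` ranges."""
    return _in_any(source_ip, [cidr]) and not _in_any(source_ip, except_)


def demo() -> Dict[str, bool]:
    """Run the policies against constructed source addresses."""
    overrides = ["10.57.0.0/16"]  # the overrides value from the answer's listchecker
    return {
        # blacklist: false (allow list)
        "whitelist/10.57.1.2": listchecker_allows("10.57.1.2", overrides, False),
        "whitelist/192.0.2.1": listchecker_allows("192.0.2.1", overrides, False),
        "whitelist/no-source-ip": listchecker_allows(None, overrides, False),
        # the same list with blacklist: true (deny list)
        "blacklist/10.57.1.2": listchecker_allows("10.57.1.2", overrides, True),
        "blacklist/192.0.2.1": listchecker_allows("192.0.2.1", overrides, True),
        "blacklist/no-source-ip": listchecker_allows(None, overrides, True),
        # NetworkPolicy ipBlock: everything except one /24
        "ipblock/192.0.2.1": ipblock_allows("192.0.2.1", "0.0.0.0/0", ["192.0.2.0/24"]),
        "ipblock/198.51.100.7": ipblock_allows("198.51.100.7", "0.0.0.0/0", ["192.0.2.0/24"]),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} -> {'ALLOW' if allowed else 'DENY'}")
```

The row worth noticing is blacklist/no-source-ip: with blacklist set to true, a request whose source.ip attribute is absent is evaluated as 0.0.0.0, is not in the listed range, and is therefore allowed, which is the usual failure mode of a deny list compared with the allow list the answer shows. The ipBlock form is the native NetworkPolicy workaround for "allow a range minus some sub-ranges"; it applies only to ipBlock peers and the policy is still allow-only, there is no standalone deny rule.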
