Network Policies for Namespaces in Kubernetes

Let me begin with some context on why I thought of writing about this. Recently I attended a meetup on “Securing a Kubernetes Cluster”. One of the key takeaways from this meetup was blocking access to one namespace from another (using Network Policies). Some of you may wonder why this is a topic worth exploring. To answer this question, let’s look at a common attack vector observed in the hacking world.

Let’s say we have one Kubernetes cluster hosting multiple environments, separated by namespaces. As in many other cases, our production application is bug-free and thoroughly tested to be free from vulnerabilities as well. But our development environment (dev) sees many changes rapidly. Because of this, the dev server is not always bug-free and may contain vulnerabilities. Attackers may use this to their advantage. Since they cannot directly access the production environment, they can initially gain access to the dev environment. After that, they can try to penetrate into the production environment through it, or stay in dev and carry out their nefarious activities from there.

What next? The attackers can either actively attack the production environment, or they can remain undetected for as long as they can and eavesdrop on the production environment. This depends on their motive. So, for this reason, we need to create network policies that stop traffic from crossing namespace boundaries. Let’s take a closer look at this with a demo.
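As an added example (not part of the original post), the two NetworkPolicy objects below isolate a namespace called `production` so that pods in any other namespace, such as `dev`, cannot open connections to it. The namespace names are assumptions chosen for illustration; the resource fields are the standard `networking.k8s.io/v1` API.

```yaml
# Added example, not from the original post. Namespace names "production"
# and "dev" are assumptions for illustration.
#
# 1. Default-deny ingress for every pod in "production". An empty
#    podSelector selects all pods in the namespace, and listing no
#    "ingress" rules means nothing is allowed in, including traffic that
#    originates in "dev".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2. Re-allow traffic that originates inside "production" itself. A "from"
#    entry containing only a podSelector matches pods in the policy's own
#    namespace, so pods in "production" can still talk to each other while
#    cross-namespace traffic stays blocked. Policies are additive: this one
#    widens the default-deny above rather than replacing it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
```

Apply both with `kubectl apply -f` and then verify the isolation from the other side: a connection attempt from a pod in `dev` to a service in `production` should now time out, while the same request from a pod inside `production` still succeeds. Two caveats: NetworkPolicy objects are only enforced if the cluster's CNI plugin supports them (for example Calico or Cilium); on a CNI without policy support they are accepted by the API server but have no effect, so always test. And these policies restrict ingress only, so pods in `production` can still initiate connections out to `dev`; closing that direction needs a separate policy with `policyTypes: [Egress]`.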


I hope that the above content has given you some insight into how network policies are used to isolate namespaces. Questions? Comments? Post them down below. If you found this interesting, please check out my featured blogs here.