CiliumClusterwideNetworkPolicy to lock down GKE nodes with the host firewall.
---
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
description: "Lock down nodes on GKE. USE AT YOUR OWN RISK."
metadata:
  name: "lock-down-gke"
spec:
  # Selects every node carrying the label type=worker; nodes without that
  # label are not covered by this policy. Confirm the label exists on the
  # target nodes before relying on the policy.
  nodeSelector:
    matchLabels:
      type: worker

  ingress:
    # Catch-all for node-to-node and health traffic. If this rule is
    # commented out, the only traffic that should be dropped is ICMP
    # echo/reply, since the rules below allow every other required port.
    - fromEntities:
        - remote-node
        - health

    # Administrative access from outside the cluster. "world" matches any
    # source address outside the cluster; if only a known range needs this
    # access, a fromCIDR rule is the narrower alternative.
    - fromEntities:
        - world
      toPorts:
        - ports:
            # SSH access to the VMs
            - port: "22"
              protocol: TCP
            # Remote Desktop access to the VMs
            - port: "3389"
              protocol: TCP

    # Node-to-node control-plane and datapath traffic.
    - fromEntities:
        - remote-node
      toPorts:
        - ports:
            # VXLAN tunnels between nodes
            - port: "8472"
              protocol: UDP
            # etcd connections
            - port: "2379"
              protocol: TCP
            - port: "2380"
              protocol: TCP
            # kubelet
            - port: "10250"
              protocol: TCP

    # Aggregator of resource usages on GKE (metrics-server scraping the
    # kubelet read-only port).
    - fromEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: metrics-server
      toPorts:
        - ports:
            - port: "10255"
              protocol: TCP

    # Health checks
    - fromEntities:
        - remote-node
        - health
      toPorts:
        - ports:
            - port: "4240"
              protocol: TCP

  egress:
    # Catch-all for node-to-node and health traffic. If this rule is
    # commented out, the only traffic that should be dropped is ICMP
    # echo/reply, since the rules below allow every other required port.
    - toEntities:
        - remote-node
        - health

    # Access to Google servers & API. Note that "world" is any destination
    # outside the cluster, not only Google's address space.
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP

    # Metadata server; the ports below cover DNS, HTTP, NTP and DHCP.
    - toCIDR:
        - 169.254.169.254/32
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
            - port: "80"
              protocol: TCP
            - port: "123"
              protocol: UDP
            - port: "67"
              protocol: UDP

    # Traffic to GKE's L7 LB
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: glbc
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP

    # DNS traffic to kube-dns
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
            - port: "53"
              protocol: UDP
            - port: "10054"
              protocol: TCP
            - port: "10055"
              protocol: TCP
            - port: "8081"
              protocol: TCP

    # Aggregator of resource usages on GKE.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: metrics-server
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP

    # Node-to-node control-plane and datapath traffic.
    - toEntities:
        - remote-node
      toPorts:
        - ports:
            # VXLAN tunnels between nodes
            - port: "8472"
              protocol: UDP
            # etcd connections
            - port: "2379"
              protocol: TCP
            - port: "2380"
              protocol: TCP
            # kube-api server
            - port: "6443"
              protocol: TCP
            # kubelet
            - port: "10250"
              protocol: TCP

    # Health checks
    - toEntities:
        - remote-node
        - health
      toPorts:
        - ports:
            - port: "4240"
              protocol: TCP

    # Required for host-networking pods of the connectivity-check
    - toEndpoints:
        - matchLabels:
            name: echo-b
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP