Why is it wise to block internet traffic on your Kubernetes worker nodes?
Mutha Nagavamsi
Not all internet traffic: some trusted URLs should still be allowed, so that your microservice pods can run.
On our production clusters, we only ALLOW access to trusted public URLs.
Real-world Kubernetes Security Use case
Threat actors can get access to the API server endpoint. That's bad, I know. The bad guys often find ways to get it, because it is one of the common ways of compromising an insecure Kubernetes cluster.
Once that is done, the threat actor's second step is scheduling a malicious pod on the cluster.
The intent is likely to escape from the malicious container to the worker node. This is just one use case. Many things are possible once they launch a malicious pod. Some of them include.
As part of step 3, the attacker will attempt to download a second-stage script from the internet. In some cases, the attacker can even attempt to download scripts from inside the pod too.
Running it means "game over" for us.
With multiple replicas of the malicious pod, this can get us into a whole new level of trouble.
And that's where blocking outgoing internet traffic can help.
Stopping outgoing internet access can prevent so many security risks. This will help you prevent further damage.
Blocking internet: Is it a convenient approach? No, not at all.
But it is certainly a proactive approach to secure your cluster.
A wise choice to help you restore hope. To get things back on track if bad things happen. What do you think?
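One way to check where outgoing traffic is still open, as an added example that is not from the original article. It assumes egress is blocked with Kubernetes NetworkPolicies (the article does not say which mechanism is used), which govern pod traffic only, not processes on the node's host network; the policy names, namespaces and proxy address in the sample are constructed.

```python
import json

# Constructed sample in the shape of `kubectl get networkpolicy -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "default-deny-egress", "namespace": "payments"},
  "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
 {"metadata": {"name": "allow-proxy", "namespace": "payments"},
  "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Egress"],
           "egress": [{"to": [{"ipBlock": {"cidr": "10.20.0.5/32"}}],
                       "ports": [{"protocol": "TCP", "port": 3128}]}]}},
 {"metadata": {"name": "open-again", "namespace": "batch"},
  "spec": {"podSelector": {}, "policyTypes": ["Egress"],
           "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]}},
 {"metadata": {"name": "ingress-only", "namespace": "web"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
]}
""")

def applies_to_egress(spec):
    # Without policyTypes, a policy covers egress only if it has egress rules.
    return "Egress" in spec.get("policyTypes", ["Egress"] if spec.get("egress") else [])

def selects_all_pods(spec):
    # An empty podSelector ({} or empty matchLabels) selects every pod in the namespace.
    return not any(spec.get("podSelector", {}).values())

def rule_allows_any_destination(rule):
    # A rule without "to" matches every destination; so does a 0.0.0.0/0 ipBlock
    # (flagged for review even when it carries "except" entries).
    peers = rule.get("to") or []
    return not peers or any(p.get("ipBlock", {}).get("cidr") in ("0.0.0.0/0", "::/0")
                            for p in peers)

def audit_egress(policy_list, namespaces):
    """Return {namespace: 'open' | 'allow-all' | 'restricted'}."""
    result = {}
    for ns in namespaces:
        specs = [p["spec"] for p in policy_list["items"]
                 if p["metadata"]["namespace"] == ns and applies_to_egress(p["spec"])]
        if not any(selects_all_pods(s) for s in specs):
            result[ns] = "open"        # some pods are not egress-isolated at all
        elif any(rule_allows_any_destination(r)
                 for s in specs for r in s.get("egress") or []):
            result[ns] = "allow-all"   # isolated, but a rule re-opens the internet
        else:
            result[ns] = "restricted"  # default deny plus narrow allow rules
    return result

if __name__ == "__main__":
    print(audit_egress(SAMPLE, ["payments", "batch", "web", "dev"]))
```

Standard NetworkPolicy peers are CIDRs and label selectors, not hostnames, so an allowlist of trusted URLs is usually enforced at an egress proxy or with a CNI-specific FQDN policy.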
That's it for today.
Hope this is useful. Now, it's time to relax. Happy weekend. A REPOST helps everyone.
Senior Software Engineer | Building developer tooling & infrastructure | Kubernetes expert (CKA certified) | Technical mentor | Writer @ CloudNativeEngineer
9 months ago
Great article. Any suggestions on how to block Internet traffic? Network policies, iptables, ...?
Technical Lead at Rakuten India
9 months ago
Mutha Nagavamsi, it's good to block internet to all nodes. A good netpol also ensures the security between namespaces and applications. How about using a proxy for connecting to the internet? Anomaly detection and alerting is a must to go with all clusters; compromising time and cost for these will result in security issues.