Network Policies

Network policies allow specifying whether and how different groups of Pods running in a Kubernetes cluster can communicate with one another. In other words, they can be used to control and limit the ingress and egress traffic to and from Pods. Naturally, network policies can be used to restrict which WireGuard peers have access to which Pods and vice-versa. Support for Kubernetes network policies can be easily added to any cluster running Kilo by deploying a utility such as kube-router.

Installation

The following command adds network policy support by deploying kube-router to work alongside Kilo:

kubectl apply -f kubectl apply -f https://raw.githubusercontent.com/squat/kilo/master/manifests/kube-router.yaml

Examples

Network policies could now be deployed to the cluster. Consider the following example scenarios.

Deny All Ingress Except WireGuard

Imagine that an organization wants to limit access to a namespace to only allow traffic from the WireGuard VPN. Access to a namespace could be limited to only accept ingress from a CIDR range with:

cat <<'EOF' | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-ingress-except-wireguard
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 10.5.0.0/16 # The WireGuard mesh/s CIDR.
EOF

Deny Egress to WireGuard Peers

Consider the case where Pods running in one namespace should not have access to resources in the WireGuard mesh, e.g. because the Pods are potentially untrusted. In this scenario, a policy to restrict access to the WireGuard peers could be created with:

cat <<'EOF' | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-egress-to-wireguard
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 10.5.0.0/16 # The WireGuard mesh's CIDR.
EOF