Network policies allow specifying whether and how different groups of Pods running in a Kubernetes cluster can communicate with one another. In other words, they can be used to control and limit the ingress and egress traffic to and from Pods. Naturally, network policies can be used to restrict which WireGuard peers have access to which Pods and vice-versa. Support for Kubernetes network policies can be easily added to any cluster running Kilo by deploying a utility such as kube-router.
The following command adds network policy support by deploying kube-router to work alongside Kilo:
Network policies could now be deployed to the cluster. Consider the following example scenarios.
Deny All Ingress Except WireGuard
Imagine that an organization wants to limit access to a namespace to only allow traffic from the WireGuard VPN. Access to a namespace could be limited to only accept ingress from a CIDR range with:
Deny Egress to WireGuard Peers
Consider the case where Pods running in one namespace should not have access to resources in the WireGuard mesh, e.g. because the Pods are potentially untrusted. In this scenario, a policy to restrict access to the WireGuard peers could be created with: