Blocking network connections in containers
If you use Cilium CNI, you must specify Cilium CNI rules in addition to the CIDR and FQDN values when choosing a network connection blocking option.
For Cilium CNI, CIDR and FQDN rules apply only to resources outside Kubernetes. To specify resources inside Kubernetes, use resource labels instead of CIDR and FQDN.
Cilium CNI rules are specified together with the CIDR and FQDN values, separated by commas, in the following format:
entity:<ENTITY_NAME> -OR- endpoint:<NAMESPACE> -OR- service:<NAMESPACE>{|<LABEL_1_KEY>=<LABEL_1_VALUE>{,<LABEL_N_KEY>=<LABEL_N_VALUE>}}
where:
<ENTITY_NAME> is the name of the objects that have access to the selected endpoints in the network and vice versa. The possible object names are listed in the Cilium documentation.
<NAMESPACE> is a valid namespace name.
<LABEL_1_KEY>=<LABEL_1_VALUE> is a key-value pair of a namespace label (for example, env = staging). This parameter is optional and is specified only if necessary. The =<LABEL_1_VALUE> part is also optional, because a label can consist of just a key (without a value); in that case the parameter is specified as <LABEL_1_KEY>.
<LABEL_N_KEY>=<LABEL_N_VALUE> is a list of namespace labels separated by commas (for example, app = test, component = api-v2, k8s-app = kube-dns). This parameter is also optional and is specified only if necessary.
Example of rules:
This format for defining rules and exclusions applies only to Cilium CNI. If you use it with another CNI, the solution ignores the incorrectly specified settings.
Applying network policies containing DNS names
Network policies that contain DNS names can be used to configure access policies for network endpoints on which Cilium CNI is not used. Such policies specify domain names that support DNS queries. Cilium CNI can use a DNS proxy to associate these domain names with IP addresses, based on the DNS responses it receives from network endpoints. The IP address information is obtained with the matchName or matchPattern rules from all DNS responses available to Cilium CNI on the node.
Network policies containing DNS names can be applied only if the --enable-l7-proxy=true option is set in the Cilium CNI configuration. If this option is not set, the solution cannot apply policies containing DNS names, and a connection error is shown in the network activity monitoring and analysis information.
When using Cilium CNI, you must also take into account the rules for setting the values of variables when deploying node-agents.
Applying CIDR-based rules
In Kaspersky Container Security, exceptions for ingress and egress connections in a runtime profile contain an IP address or a range of IP addresses of connection sources in CIDR4 or CIDR6 notation. Cilium CNI treats a CIDR as the address of a connection source located outside the cluster. If the connection is between pods in the cluster, such a connection is also considered external to the cluster.
In Cilium CNI, to define the addresses of objects in a cluster, you must use pod labels (for example, fromCIDR and toCIDR).
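The rule format above, the matchName/matchPattern distinction for DNS names, and the CIDR-versus-label distinction for in-cluster objects can all be exercised in one small parser. The following is an added example written for this page, not code from Kaspersky Container Security or from Cilium. It parses a constructed rule string in the page's format, validates each entry (CIDR, FQDN, entity, endpoint, service), and then maps the entries onto CiliumNetworkPolicy egress selectors. The mapping, the sample string, the subset of entity names and the disambiguation of comma-separated labels are all my assumptions; the page defines the format but not how the product translates it.

```python
import ipaddress
import re

# Constructed sample in the format the page describes (my example, not from the page).
SAMPLE_RULES = (
    "10.0.0.0/8, 2001:db8::/32, api.example.com, *.example.org, "
    "entity:world, endpoint:staging|env = staging, app=test, "
    "service:kube-system|k8s-app=kube-dns"
)

# Subset of entity names I know Cilium documents; the page defers the full list to the Cilium docs.
KNOWN_ENTITIES = {"world", "cluster", "host", "remote-node", "kube-apiserver", "all"}

NAMESPACE_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")            # RFC 1123 label
LABEL_PART_RE = re.compile(r"^[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$")  # label key name / value
DNS_LABEL_RE = re.compile(r"^[A-Za-z0-9*]([-A-Za-z0-9*]*[A-Za-z0-9*])?$")      # hostname label, '*' allowed


def parse_label(token):
    """'key=value' or bare 'key' (the page allows a key without a value) -> (key, value)."""
    key, _, value = (part.strip() for part in token.partition("="))
    if not LABEL_PART_RE.match(key.rsplit("/", 1)[-1]):  # validate the name after any prefix/
        raise ValueError(f"invalid label key: {key!r}")
    if value and not LABEL_PART_RE.match(value):
        raise ValueError(f"invalid label value: {value!r}")
    return key, value


def parse_typed_rule(token):
    """entity:<NAME>, endpoint:<NS>{|labels} or service:<NS>{|labels}."""
    kind, _, rest = token.partition(":")
    if kind == "entity":
        if rest not in KNOWN_ENTITIES:
            raise ValueError(f"unknown Cilium entity: {rest!r}")
        return {"type": "entity", "name": rest}
    namespace, bar, selector = rest.partition("|")
    if not NAMESPACE_RE.match(namespace):
        raise ValueError(f"invalid namespace: {namespace!r}")
    rule = {"type": kind, "namespace": namespace, "selector": bool(bar), "labels": {}}
    if selector:
        key, value = parse_label(selector)
        rule["labels"][key] = value
    return rule


def parse_rules(text):
    """Split a comma-separated rule string into validated entries.

    The page separates both rules and labels with commas, so a token that follows an
    endpoint:/service: rule with a '|' selector is ambiguous. My disambiguation: it is a further
    label when it contains '=' or has no dot; a bare key containing a dot would be read as an FQDN.
    """
    entries = []
    for token in (t.strip() for t in text.split(",")):
        if not token:
            continue
        if token.split(":", 1)[0] in ("entity", "endpoint", "service"):
            entries.append(parse_typed_rule(token))
            continue
        try:
            net = ipaddress.ip_network(token)  # strict: host bits set in the prefix is an error
            entries.append({"type": f"cidr{net.version}", "cidr": str(net)})
            continue
        except ValueError:
            pass
        prev = entries[-1] if entries else None
        if prev and prev.get("selector") and ("=" in token or "." not in token):
            key, value = parse_label(token)
            prev["labels"][key] = value
            continue
        if "." in token and all(DNS_LABEL_RE.match(part) for part in token.split(".")):
            match = "matchPattern" if "*" in token else "matchName"  # wildcard needs matchPattern
            entries.append({"type": "fqdn", "name": token, "match": match})
            continue
        raise ValueError(f"unrecognised rule entry: {token!r}")
    return entries


def rule_error(text):
    """None if the whole string parses, otherwise the first validation error."""
    try:
        parse_rules(text)
    except ValueError as exc:
        return str(exc)
    return None


def to_cilium_egress(entries):
    """Illustrative mapping onto CiliumNetworkPolicy egress selectors (my mapping, not how the
    product translates its rules): labels -> toEndpoints/toServices, CIDRs -> toCIDR,
    DNS names -> toFQDNs with matchName or matchPattern, entities -> toEntities."""
    egress = {}
    for entry in entries:
        kind = entry["type"]
        if kind == "entity":
            egress.setdefault("toEntities", []).append(entry["name"])
        elif kind == "endpoint":
            # Cilium exposes the pod namespace as the k8s:io.kubernetes.pod.namespace label.
            labels = {"k8s:io.kubernetes.pod.namespace": entry["namespace"], **entry["labels"]}
            egress.setdefault("toEndpoints", []).append({"matchLabels": labels})
        elif kind == "service":
            selector = {"namespace": entry["namespace"], "selector": {"matchLabels": entry["labels"]}}
            egress.setdefault("toServices", []).append({"k8sServiceSelector": selector})
        elif kind.startswith("cidr"):
            egress.setdefault("toCIDR", []).append(entry["cidr"])
        else:
            egress.setdefault("toFQDNs", []).append({entry["match"]: entry["name"]})
    return egress


if __name__ == "__main__":
    import json
    print(json.dumps(to_cilium_egress(parse_rules(SAMPLE_RULES)), indent=2))
```

Running the block prints the egress selectors derived from the sample string. Two points to note: a key-only label ends up as an empty value in matchLabels, whereas a real Cilium policy would express "key exists" with a matchExpressions Exists operator; and any string containing both a CIDR and label list should be checked with rule_error before it is saved, because the comma ambiguity described in the docstring can silently turn a mistyped label into an FQDN entry.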
Traffic bundling
When a pod in a cluster sends a request to a resource outside the cluster and receives a response from this resource, Cilium CNI treats the ingress and egress traffic as a single connection (TrafficDirection = Egress). All data packets exchanged by the connection endpoints are classified as egress traffic.
If the applicable runtime profile allows egress connections and prohibits ingress connections, Cilium CNI allows ingress traffic in response to the submitted request.
Network events aggregation
In Cilium CNI, if several identical events occur within a short period, Cilium applies the aggregation rule and merges them into a single event.
Example of aggregation: You run the
By default, the aggregation period for identical events is five seconds. You can change the aggregation period in the Cilium CNI configuration by setting the monitor-aggregation-interval parameter.
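To see what the aggregation period does to the event counts a monitoring rule would observe, the following added example (my code, not Cilium's monitor aggregation and not part of this page) merges constructed sample events that share the same source, destination, direction and verdict when they fall within the aggregation interval. The sample events and the choice to start each window at the first event of a group are my assumptions.

```python
# Constructed sample events (my example, not from the page):
# (timestamp_s, source, destination, direction, verdict)
SAMPLE_EVENTS = [
    (0.0, "default/web", "203.0.113.10:443", "egress", "dropped"),
    (1.2, "default/web", "203.0.113.10:443", "egress", "dropped"),
    (2.0, "default/web", "203.0.113.10:22", "egress", "dropped"),
    (3.9, "default/web", "203.0.113.10:443", "egress", "dropped"),
    (7.5, "default/web", "203.0.113.10:443", "egress", "dropped"),
]


def aggregate(events, interval=5.0):
    """Merge identical events (same source, destination, direction, verdict) whose timestamps
    fall within `interval` seconds of the first event of their group.

    Starting the window at the group's first event is my assumption; Cilium may choose its
    window boundaries differently. Returns (first_timestamp, key, count) per merged group,
    in order of first appearance.
    """
    groups = []       # each entry: [first_ts, key, count]
    open_group = {}   # key -> index into groups of the group still accepting events
    for ts, *fields in sorted(events):
        key = tuple(fields)
        idx = open_group.get(key)
        if idx is not None and ts - groups[idx][0] < interval:
            groups[idx][2] += 1          # identical event inside the window: merge
        else:
            groups.append([ts, key, 1])  # first event, or window expired: new group
            open_group[key] = len(groups) - 1
    return [tuple(g) for g in groups]


if __name__ == "__main__":
    for interval in (5.0, 10.0):
        print(f"interval={interval}s")
        for first_ts, key, count in aggregate(SAMPLE_EVENTS, interval):
            print(f"  t={first_ts:<4} x{count}  {key}")
```

With the default five-second period the four drops to port 443 appear as two merged events (three in the first window, one later); with a ten-second period they collapse into one. A detection rule that counts identical drops per source therefore sees fewer events than actually occurred, and the threshold it uses should be chosen with the configured monitor-aggregation-interval in mind.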