Create Network Policies to support your Kubernetes with Aqua

Stelijan Markovic
19. January 2023
Reading time: 3 min
Create Network Policies to support your Kubernetes with Aqua

1. Introducing Aqua

Before we start, we should explain what Aqua is in the first place. 

Aqua is a cloud-native security solution, embedded into every stage of the application lifecycle, from development to production, to detect issues early and protect applications during runtime. Short Explanation Video.  So how does it protect your Kubernetes cluster? 

Aqua offers comprehensive protection for this. Here is a short list of examples: 

  • With Kubernetes Security Posture Management (KSPM) you can detect misconfigurations inside your clusters  
  • It helps to automate your Kubernetes security configuration and compliance through security assessments and self-monitoring. 
  • Also, the cluster can be equipped with comprehensive policies to protect your containers before and while they are running

If you want to learn more about Aqua, visit: https://evoila.com/en/solutions/security/cloud-security/aqua-cloud-native-application-protection-platform/ and contact us for a free Demo.

Aqua is a versatile tool that can become quite useful to you. Unfortunately, Aqua does not come with tailored network policies. This is a responsibility you must take on yourself. Since network policies can be a tricky topic, we have published this article to help you with this. We explain network policies in general and how to establish them in the best way. Also, we published a YAML-File that you can orient to.

2. Brief Touch on K8s Network Policies

In short Network Policies allow you to specify rules for traffic flow within your cluster, and between pods and the outside world. To establish Network Policies (shortened as “NetPols”) your cluster must use a network plugin that supports Network Policy Enforcement. (Like Tigera Calico, Isovalent Cilium, WeaveNet, Istio, etc.)  

To find more about “NetPols” visit: https://kubernetes.io/docs/concepts/services-networking/network-policies/

A quick example of how to allow your pods to send DNS queries: 

apiVersion: networking.k8s.io/v1 
kind: NetworkPolicy 
metadata: 
 name: Enable DNS 
 namespace: Default 
spec: 
 podSelector: {} 
egress: 
 - to: 
    - namespaceSelector: {} 
      podSelector: 
        matchLabels: 
           k8s-app: kube-dns 
ports: 
  - port: 53 
    protocol: UDP 

3. It can be hard to establish Network Policies

Having briefly touched on the subject of “NetPols”, this doesn’t seem complicated at all in the first place. But in reality, clusters are much more complex and have multiple namespaces simultaneously. Kubernetes offers you the possibility to be flexible, dynamic, and scalable, which is very beneficial, but unfortunately it can also cause you to lose track of everything. Network policies in active Kubernetes systems require a lot of maintenance, especially since they can cause important connections to not function properly.

It is essential to properly label and comment objects within K8s. This ensures good IT hygiene and simplifies future configurations. In this article, we provide a short example of network policies for you to follow. In the next point, we will show you how we configured the NetPols in relation to Aqua.

If you have problems building network policies or want a visualization tool for them, then we can recommend Network Policy Editor from Cilium. The tool offers, apart from the netpol-creating-function, also tips for specific network policies, for example DNS. Once you have built your desired policies, you can download them as YAML:

https://editor.cilium.io/

 width=

 

4. Short how to with Aqua Example 

As mentioned earlier, it can get complicated with network policies. Especially if you want to implement a new system, like Aqua. This is because you are not yet familiar with the system and may not know how best to set the policies. 

In this example, we will show you a small snippet of our Aqua Network Policies made available in Github. 

 In the code below, you can see that I refer the following rules to the default namespace and work via PodSelector – through labels I can now address certain components that I have previously clearly defined namespace-independent. As an example, I have defined the ingress rule for the Aqua UI. As you can see, I have added comments so that you can use them as a reference for future configurations. 

apiVersion: networking.k8s.io/v1 
kind: NetworkPolicy 
metadata: 
  name: Aqua-Cluster-NP 
  namespace: default 
spec: 
  podSelector: {} 
  policyTypes: 
      - Ingress 
      - Egress 
  ingress: 
      - from: 
         - podSelector: {} 
#Incoming traffic Aqua UI and API - Aqua Server 
    - from: 
        - namespaceSelector: {} 
          podSelector: 
            matchLabels: 
              app: aqua-ui 
     ports: 
        - port: 8443 
          protocol: HTTPS 
#or     - port: 8080 
#         protocol: HTTP 

 

We have published a complete template of the Network Policies for Aqua on our GitHub (please note the comments and technical details here). The rules are based on the Aqua Network Connectivity Requirements. For reference:https://docs.aquasec.com/v2022.4/platform/aqua-environment-and-configuration/network-connectivity-requirements-ports/ So, you can use the template and fully dedicate yourself to Aqua. (Please check the technical details and the comments beforehand). 

5. Summary 

Today we learned about Aqua and how it can protect and harden our Kubernetes cluster, we talked about the pitfalls of Network Policies today, and we used an example related to Aqua to create a sustainable NetPol, which you can follow along later. With the right attitude and the right tools, you can make your life easier, so Kubernetes network policies don’t seem complicated anymore.