StackLight rules for Kubernetes network policies
Available since Cluster releases 17.0.1 and 16.0.1
The Kubernetes NetworkPolicy resource controls which network connections a Pod may accept and initiate within a cluster. This improves security by limiting what a compromised Pod can reach and makes the communication paths between applications explicit.
Network policies are enabled by default in StackLight through the networkPolicies parameter. For configuration details, see Kubernetes network policies.
The following table contains the general network policy rules applied to StackLight components:

| Network policy rule | Component |
|---|---|
| Deny all ingress for Pods that expect no incoming traffic (including Prometheus scrape) | |
| Deny all egress for Pods that expect no outgoing traffic | |
| Allow all ingress for Pods that can be exposed through load balancers | |
| Allow all egress for Pods that connect to the outside world or to external APIs (Kubernetes, Docker, Keycloak, OpenStack) | |
| Allow DNS traffic from all Pods that reference other StackLight workloads by DNS name | |
The following exceptions apply to the StackLight network policy rules:

- Because Prometheus Node Exporter uses the host network, the allow-all rule applies to both its ingress and its egress. For a hostNetwork Pod this rule is effectively a no-op placeholder, since NetworkPolicy does not govern host-network traffic.
- Because Prometheus Server scrape configurations are created dynamically, the allow-all rule applies to its egress.
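To show how the rules in the table combine, the following added example (not StackLight's own code) builds NetworkPolicy manifests for the deny-all, allow-all and allow-DNS patterns as Python dicts and evaluates them with a simplified model of the Kubernetes semantics: a Pod becomes isolated in a direction as soon as any policy selecting it lists that policyType, and traffic is then allowed only if some selecting policy has a rule that matches the peer and port. The namespace name `stacklight`, the Pod labels (`app=alertmanager`, `app=prometheus-server`, `app=grafana`) and the policy names are assumptions made for the example; hostNetwork Pods such as Node Exporter and ipBlock peers are not modelled.

```python
"""Added example: StackLight-style NetworkPolicy patterns plus a minimal
evaluator of the Kubernetes NetworkPolicy semantics. Namespace, labels and
policy names are assumptions, not StackLight's real configuration."""

NAMESPACE = "stacklight"  # assumed namespace for the policies below
DNS_PORTS = (("UDP", 53), ("TCP", 53))


def deny_all(name, direction):
    # An empty podSelector selects every Pod in the namespace. Listing a
    # policyType with no rules for it isolates those Pods in that direction.
    return {"metadata": {"name": name},
            "spec": {"podSelector": {}, "policyTypes": [direction]}}


def allow_all(name, selector, direction):
    # A single empty rule ({}) matches every peer on every port.
    return {"metadata": {"name": name},
            "spec": {"podSelector": {"matchLabels": selector},
                     "policyTypes": [direction], direction.lower(): [{}]}}


def allow_dns_egress(name, selector):
    # Egress only to the cluster DNS Pods in kube-system, on 53/UDP and 53/TCP.
    dns_peer = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}
    return {"metadata": {"name": name},
            "spec": {"podSelector": {"matchLabels": selector},
                     "policyTypes": ["Egress"],
                     "egress": [{"to": [dns_peer],
                                 "ports": [{"protocol": p, "port": n} for p, n in DNS_PORTS]}]}}


def _selects(selector, labels):
    # matchLabels only; an empty selector selects everything (all([]) is True).
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(pe, namespace, peer):
    if "ipBlock" in pe:
        return False  # ipBlock peers are not modelled in this example
    ns_sel, pod_sel = pe.get("namespaceSelector"), pe.get("podSelector")
    if ns_sel is None:
        if peer["namespace"] != namespace:  # podSelector alone means same namespace
            return False
    elif not _selects(ns_sel, peer["ns_labels"]):
        return False
    return pod_sel is None or _selects(pod_sel, peer["labels"])


def _rule_matches(rule, key, namespace, peer, protocol, port):
    peers = rule.get("from" if key == "ingress" else "to", [])
    if peers and not any(_peer_matches(pe, namespace, peer) for pe in peers):
        return False
    ports = rule.get("ports", [])
    return not ports or any(pp.get("protocol", "TCP") == protocol and pp.get("port") == port
                            for pp in ports)


def allowed(policies, namespace, pod_labels, direction, peer, protocol, port):
    """True if traffic in `direction` between the Pod and `peer` is permitted."""
    key = direction.lower()
    selecting = [p for p in policies if _selects(p["spec"]["podSelector"], pod_labels)]
    isolating = [p for p in selecting if direction in p["spec"].get("policyTypes", [])]
    if not isolating:
        return True  # no policy isolates the Pod in this direction: default allow
    return any(_rule_matches(rule, key, namespace, peer, protocol, port)
               for p in isolating for rule in p["spec"].get(key, []))


def stacklight_policies():
    # Assumed policy set reproducing the rules from the table above.
    return [
        deny_all("deny-all-ingress", "Ingress"),
        deny_all("deny-all-egress", "Egress"),
        allow_dns_egress("allow-dns-egress", {"app": "alertmanager"}),
        allow_all("prometheus-server-egress", {"app": "prometheus-server"}, "Egress"),
        allow_all("grafana-ingress", {"app": "grafana"}, "Ingress"),
    ]


# Constructed peers: the cluster DNS Pod and an arbitrary Pod in the same namespace.
DNS_PEER = {"namespace": "kube-system",
            "ns_labels": {"kubernetes.io/metadata.name": "kube-system"},
            "labels": {"k8s-app": "kube-dns"}}
OTHER_POD = {"namespace": NAMESPACE,
             "ns_labels": {"kubernetes.io/metadata.name": NAMESPACE},
             "labels": {"app": "other"}}


def demo():
    pols = stacklight_policies()
    am, prom, graf = {"app": "alertmanager"}, {"app": "prometheus-server"}, {"app": "grafana"}
    return {
        "alertmanager_dns_egress": allowed(pols, NAMESPACE, am, "Egress", DNS_PEER, "UDP", 53),
        "alertmanager_other_egress": allowed(pols, NAMESPACE, am, "Egress", OTHER_POD, "TCP", 9093),
        "alertmanager_ingress": allowed(pols, NAMESPACE, am, "Ingress", OTHER_POD, "TCP", 9093),
        "prometheus_any_egress": allowed(pols, NAMESPACE, prom, "Egress", OTHER_POD, "TCP", 443),
        "prometheus_ingress": allowed(pols, NAMESPACE, prom, "Ingress", OTHER_POD, "TCP", 9090),
        "grafana_ingress": allowed(pols, NAMESPACE, graf, "Ingress", OTHER_POD, "TCP", 3000),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

The point to take from `demo()` is that policies are purely additive: the two deny-all policies isolate every Pod, and each allow policy only re-opens the direction it names for the Pods it selects, so the DNS policy lets Alertmanager resolve names without re-opening its ingress or any other egress. Always set `policyTypes` explicitly as the example does; when it is omitted, Kubernetes infers it from the rules present, and a policy meant to deny all egress would silently apply to ingress only.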