StackLight rules for Kubernetes network policies

The Kubernetes NetworkPolicy resource allows controlling network connections to and from Pods within a cluster. This enhances security by restricting communication from compromised Pod applications and provides transparency into how applications communicate with each other.

Network Policies are enabled by default in StackLight using the networkPolicies parameter. For configuration details, see Kubernetes network policies.

The following table contains general network policy rules applied to StackLight components:

Network policy rules for StackLight

Network policy rule

Component

Deny all ingress for Pods not expecting incoming traffic (including Prometheus scrape)

  • Elasticsearch curator

  • Fluentd notifications

  • Metric collector

  • Metricbeat

  • sf-reporter

Deny all egress for Pods not expecting outgoing traffic

  • cAdvisor

  • Prometheus libvirt Exporter

  • telegraf-ds-smart

Allow all ingress for Pods that can be exposed through load balancers

  • Alerta

  • Grafana

  • OpenSearch dashboards

  • Prometheus Alertmanager (because of web UI)

  • Prometheus Server (because of web UI)

Allow all egress for Pods connecting to outside world or external APIs (Kubernetes, Docker, Keycloak, OpenStack)

  • alertmanager-webhook-servicenow (ServiceNow webhook)

  • Fluentd logs

  • Fluentd notifications

  • Grafana

  • Helm Controller

  • IAM proxy

  • Metric Collector

  • OpenSearch

  • Patroni

  • Prometheus Alertmanager

  • Prometheus kube-state-metrics

  • Prometheus MS Teams

  • Prometheus Server

  • sf-notifier

  • sf-reporter

  • Telegraf Docker Swarm

  • Telemeter Client

  • Telemeter Server

Allow DNS traffic from all Pods specifying communication endpoints of other StackLight workloads.

  • Alerta

  • Elasticsearch Curator

  • Elasticsearch Exporter

  • Opensearch Dashboards

  • Prometheus-es-exporter

  • Prometheus Relay

The following exceptions apply to the StackLight network policy rules:

  • Because Prometheus Node Exporter uses the host network, the allow-all rule applies to both ingress and egress that is the no-op placeholder.

  • Due to dynamically created scrape configurations, the allow-all rule applies to egress for Prometheus Server.

See also

Kubernetes documentation: Network Policies