Enforcing K8s networkpolicy on EKS

12/18/2019

I have a use-case where I need to allow incoming traffic from the LoadBalancer subnet to web service but restrict other pods from accessing the pod.

In general, if I were using K8s with Flannel/Weave or a similar CNI, the pod CIDR would be different from the actual network of the VPC, so I could use this example: https://stackoverflow.com/a/54281975/11949720

However, because I'm using EKS, the VPC-CNI gives the pods addresses from the same subnets as the VPC and the other hosts, so whitelisting the LoadBalancer subnet will also whitelist the pod subnet; thus any pod in this cluster will be able to access the exposed pod.

# NetworkPolicy has been served from networking.k8s.io/v1 since Kubernetes 1.8;
# extensions/v1beta1 is deprecated and removed in 1.16+.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: managment-access
  namespace: frontend-layer
spec:
  ingress:
    - ports:
      - port: 9090
      from:
        # in-cluster peers selected by label
        - podSelector:
            matchLabels:
              type: collectors
        # LoadBalancer subnets; with VPC-CNI these ranges also contain pod IPs
        - ipBlock:
            cidr: 172.31.64.0/20
        - ipBlock:
            cidr: 172.31.80.0/20
        - ipBlock:
            cidr: 172.31.48.0/20

  # the pods this policy protects
  podSelector:
    matchLabels:
      app.kubernetes.io/name: managment

  policyTypes:
    - Ingress

I know that I can reconfigure EKS to use a custom network for the pods, and that would probably solve this issue; however, I am hoping to find a more agnostic solution, since my guess is that even with AKS-CNI it will be the same issue.

-- tleibo
kubernetes
kubernetes-networkpolicy
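The overlap the question describes can be checked mechanically before a policy is applied. The following is an added audit script, not code from the question or from any project: it takes the ingress `ipBlock` rules of the policy above (embedded as a Python dict with the same values) and reports which of those CIDRs overlap the ranges pods actually get addresses from. The pod ranges are constructed assumptions (VPC subnets for the VPC-CNI case, an overlay CIDR for the Flannel/Weave case); real values would come from the VPC and CNI configuration.

```python
"""Audit NetworkPolicy ipBlock rules against the address ranges pods draw from."""
import ipaddress

# The policy from the question, reduced to the fields this check needs.
POLICY = {
    "spec": {
        "ingress": [{
            "ports": [{"port": 9090}],
            "from": [
                {"podSelector": {"matchLabels": {"type": "collectors"}}},
                {"ipBlock": {"cidr": "172.31.64.0/20"}},
                {"ipBlock": {"cidr": "172.31.80.0/20"}},
                {"ipBlock": {"cidr": "172.31.48.0/20"}},
            ],
        }],
    }
}

# Constructed assumptions. With VPC-CNI, pods take IPs from the worker-node
# VPC subnets; with an overlay CNI they come from a separate cluster CIDR.
VPC_CNI_POD_RANGES = ["172.31.64.0/20", "172.31.80.0/20", "172.31.48.0/20"]
OVERLAY_POD_RANGES = ["10.244.0.0/16"]


def ipblock_peers(policy):
    """Yield (cidr, except_networks) for every ipBlock peer in the ingress rules."""
    for rule in policy["spec"].get("ingress", []):
        for peer in rule.get("from", []):
            block = peer.get("ipBlock")
            if block:
                excepts = [ipaddress.ip_network(e) for e in block.get("except", [])]
                yield ipaddress.ip_network(block["cidr"]), excepts


def ipblock_admits(policy, ip):
    """True if some ipBlock peer admits `ip`, honouring the block's `except` list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in cidr and not any(addr in e for e in excepts)
               for cidr, excepts in ipblock_peers(policy))


def overlapping_pod_ranges(policy, pod_ranges):
    """Return (ipBlock cidr, pod range) pairs that overlap: each such ipBlock
    admits every pod in that range regardless of the podSelector peer."""
    nets = [ipaddress.ip_network(r) for r in pod_ranges]
    return [(str(cidr), str(net)) for cidr, _ in ipblock_peers(policy)
            for net in nets if cidr.overlaps(net)]


if __name__ == "__main__":
    for cidr, rng in overlapping_pod_ranges(POLICY, VPC_CNI_POD_RANGES):
        print(f"ipBlock {cidr} overlaps pod range {rng}: every pod there reaches port 9090")
    print("overlay case:", overlapping_pod_ranges(POLICY, OVERLAY_POD_RANGES))
```

A non-empty result from `overlapping_pod_ranges` is the signal that the `ipBlock` peer silently widens the policy beyond the load balancer; the `except` handling shows that carving out a range only helps when the pod IPs are actually distinguishable from the LB addresses.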

0 Answers