How to disallow access to a container port from the pod ip in Kubernetes

1/15/2020

By default Kubernetes allows pods to access other pods using the pod IP.

I have 2 pods, Pod1 and Pod2. Pod1 has a MySQL server and a PHP application, and Pod2 has a PHP application. The Pod1 IP is 174.17.0.4. Within Pod2, the PHP application can access the MySQL server at the address 174.17.0.4:3306.

Pod1 and Pod2 are 2 different applications. Pod2 has nothing to do with Pod1. So my concern is that if Pod2 gets hacked, the hacker can scan the network and brute-force the Pod1 MySQL server.

How can I disallow access to the MySQL port 3306 from outside Pod1?

-- user3502626
kubernetes
kubernetes-deployment
kubernetes-pod

2 Answers

1/18/2020

The first step to declare a NetworkPolicy is to install a network provider with network policy support. For more info follow this link. As I was using Minikube, I installed Cilium. Follow this link on how to install it. And make sure you have enough space on your hard drive, otherwise the Cilium pods will be stuck in Pending state with this error in the events: "1 node had taints that the pod didn't tolerate".

-- user3502626
Source: StackOverflow

1/15/2020

If your cluster setup supports the NetworkPolicy resource, you can look into network policies. With them, you can set specific ingress and egress policies for specific pods.

-- L-Tan
Source: StackOverflow
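Both answers point at NetworkPolicy without showing one. The following is an added example, not code from either answer, of a policy that does what the question asks. It assumes Pod1 carries the label app: pod1, runs in the default namespace, and exposes its PHP application on TCP port 80; all three are assumptions and must be changed to match the real deployment.

```yaml
# Added example (not from the original post). Assumes Pod1 is labelled
# "app: pod1", lives in namespace "default" and serves PHP on TCP/80.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pod1-ingress
  namespace: default
spec:
  # Which pods this policy applies to.
  podSelector:
    matchLabels:
      app: pod1
  # Restrict inbound traffic only; egress from Pod1 stays unrestricted.
  policyTypes:
  - Ingress
  ingress:
  # A rule with "ports" but no "from" allows the listed ports from any source.
  # Port 3306 is not listed, so once Pod1 is selected by this policy every
  # other pod's connection to 174.17.0.4:3306 is dropped.
  - ports:
    - protocol: TCP
      port: 80
```

Two things worth checking after applying it. First, the policy only takes effect if the cluster's network plugin enforces NetworkPolicy (as the accepted answer notes, that is why Cilium was installed on Minikube); the API server accepts the object either way, so a policy that appears to be created is not proof that it is enforced. Test it from Pod2 with something like kubectl exec into Pod2 and nc -zv 174.17.0.4 3306: it should connect before the policy and time out after. Second, the PHP application inside Pod1 keeps working, because both containers share the pod's network namespace and talk over 127.0.0.1:3306; loopback traffic inside a pod never crosses the CNI and is not subject to the policy.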