0
votes

We are looking at setting up network policies for our Kubernetes cluster. However, in at least one of our namespaces we have an ExternalName service (kubernetes reference - service types) for an AWS RDS instance. We would like to restrict traffic to this ExternalName service to be from a particular set of pods, or if that is not possible, from a particular namespace. Neither the namespace isolation policy nor the NetworkPolicy resource seems to apply to ExternalName services. After searching the documentation for both Weave and Project Calico, there doesn't seem to be any mention of such functionality.

Is it possible to restrict network traffic to an ExternalName service to be from a specific set of pods or from a particular namespace?


1 Answer

2
votes

You can't really do that. ExternalName services are a DNS construct. A client performs a DNS lookup for the service and kube-dns returns the CNAME record for, in your case, the RDS instance. Then the client connects to RDS directly.

There are two possible ways to tackle this:

  1. Block just DNS lookups (pods can still connect to the DB if they know the IP or fully qualified RDS hostname):

    • change namespace isolation to support ExternalName services
    • make kube-dns figure out the client pod behind each request it gets
    • make kube-dns aware of namespace isolation settings and apply them, so it only returns CNAME records to authorized pods
  2. Return DNS lookups, but block RDS connections:

    • extend NetworkPolicy somehow to also control egress traffic
    • blacklist/whitelist RDS IPs wholesale (easier said than done, since they are dynamic) or make the network controllers track the results from DNS lookups and block/allow connections accordingly.

In either case, you'll have to file a number of feature requests in Kubernetes and downstream.

Source: I wrote the EN support code.
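The second approach in the answer ("return DNS lookups, but block RDS connections") can be expressed with the standard NetworkPolicy API on a Kubernetes version where it supports egress rules, which it has done for several releases now. The manifests below are an added example and are not part of the original answer or of any Kubernetes, Weave or Calico documentation. They assume a CNI plugin that enforces egress policy, a hypothetical namespace `orders` with a pod label `role: db-client`, a placeholder RDS hostname, and the documentation range `203.0.113.0/24` standing in for the RDS endpoint's real address range. The first policy denies all egress from the namespace except DNS to kube-dns; the second re-allows TCP/5432 toward the RDS range for the labelled pods only, so pods in any other namespace, and unlabelled pods in this one, cannot reach the database even though they can still resolve the ExternalName.

```yaml
# Added example, not the original answer's code. Assumes NetworkPolicy egress
# support and a CNI that enforces it. 203.0.113.0/24 is a placeholder for the
# RDS endpoint's address range; resolve the real range for your VPC and keep it
# current, since (as the answer notes) RDS addresses can change.
apiVersion: v1
kind: Service
metadata:
  name: orders-db          # hypothetical service name
  namespace: orders        # hypothetical namespace
spec:
  type: ExternalName
  externalName: PLACEHOLDER.us-east-1.rds.amazonaws.com  # placeholder RDS hostname
---
# Default-deny egress for every pod in the namespace, except DNS to kube-dns.
# Without a deny baseline the allow rule below would restrict nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: orders
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Only pods labelled role=db-client may connect to the RDS address range on the
# PostgreSQL port. Note that the rule matches on IP addresses: the policy has no
# way to reference the ExternalName or the CNAME it resolves to.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-db-client-egress
  namespace: orders
spec:
  podSelector:
    matchLabels:
      role: db-client
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 5432
```

Because NetworkPolicy rules are additive, a `db-client` pod is matched by both policies and ends up with DNS plus database egress, while every other pod in the namespace keeps only DNS. The caveat the answer raises still applies: `ipBlock` pins the rule to an address range, so the range must be kept in step with the RDS endpoint. Some CNI plugins offer the DNS-tracking variant the answer describes (Cilium's `toFQDNs` egress rules in `CiliumNetworkPolicy` match on the hostname and track the resolved addresses), which removes the need to maintain the CIDR by hand.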