
In our EKS Kubernetes cluster we have a general calico network policy to disallow all traffic. Then we add network policies to allow all traffic.

One of our pods needs to talk to the Kubernetes API but I can't seem to match that traffic with anything else than very broad ipBlock selectors. Is there any other way to do it?

This currently works but gives too broad access:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
spec:
  podSelector:
    matchLabels:
      run: my-test-pod
  policyTypes:
    - Egress
  egress:
    - to:                 # To access the actual kubernetes API
        - ipBlock:
            cidr: 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 443

In AWS EKS I can't see the control plane pods, but in my RPI cluster I can. In the RPI cluster, the API pods have the labels "component=kube-apiserver,tier=control-plane", so I also tried using a podSelector with those labels, but it does not match in either EKS or the RPI cluster:

    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
        - podSelector:
            matchLabels:
              component: kube-apiserver

Any help would be appreciated.

For EKS you also need to whitelist worker node IPs in the security group of master nodes. – Arghya Sadhu

I'm running EKS access with private communication and the nodes are without public IPs, so there's no need for whitelisting. Which also means it just works if I allow all the traffic from the pod with 192.168.0.0/16, but that is too wide a scope. – smuda

1 Answer


What if you:

  • find API server by running kubectl cluster-info

  • look into something like

Kubernetes master is running at ... let's say, from the example, https://EXAMPLE0A04F01705DD065655C30CC3D.yl4.us-west-2.eks.amazonaws.com

And finally use a.b.c.d/32 inside NetworkPolicy, e.g.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: a.b.c.d/32
    ports:
    - protocol: TCP
      port: 443

Please correct me if I understood something wrong.
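One way to script the /32 approach from the answer above, as an added example that is not part of the original answer: instead of copying the hostname from kubectl cluster-info and resolving it by hand, read the API server addresses the cluster itself advertises in the kubernetes Endpoints object of the default namespace, then render a NetworkPolicy with one /32 ipBlock per address for the pod label run: my-test-pod taken from the question. The sample addresses 10.0.1.5 and 10.0.2.7 are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example: build a NetworkPolicy that lets the questioner's pod
# (label run=my-test-pod) reach only the API server addresses, as /32
# ipBlocks, instead of the whole 192.168.0.0/16 range.

# Addresses the cluster advertises for the API server: the same thing
# "kubectl cluster-info" points at, but already as IPs. Needs a live
# cluster, so the offline test below does not call it. On EKS these
# control-plane addresses can change over time, so rerun and re-apply
# the policy rather than treating the result as permanent.
discover_apiserver_ips() {
  kubectl get endpoints kubernetes -n default \
    -o jsonpath='{.subsets[*].addresses[*].ip}'
}

# render_policy NAME POD_LABEL_VALUE "IP IP ..."  -> YAML on stdout.
# Refuses anything that is not a plain IPv4 address so that junk from
# a mistyped or tampered source never ends up inside the policy.
render_policy() {
  name=$1; pod=$2; ips=$3
  for ip in $ips; do
    case $ip in
      *[!0-9.]*|'') echo "not an IPv4 address: $ip" >&2; return 1 ;;
    esac
  done
  printf 'apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\n'
  printf 'metadata:\n  name: %s\nspec:\n' "$name"
  printf '  podSelector:\n    matchLabels:\n      run: %s\n' "$pod"
  printf '  policyTypes:\n    - Egress\n  egress:\n    - to:\n'
  for ip in $ips; do
    printf '        - ipBlock:\n            cidr: %s/32\n' "$ip"
  done
  printf '      ports:\n        - protocol: TCP\n          port: 443\n'
}

# count_cidrs YAML -> number of /32 entries, a quick sanity check before apply.
count_cidrs() {
  printf '%s\n' "$1" | grep -c 'cidr: .*/32'
}

# Usage against a real cluster (constructed sample IPs shown for offline use):
#   render_policy test-network-policy my-test-pod "$(discover_apiserver_ips)" \
#     | kubectl apply -f -
#   render_policy test-network-policy my-test-pod "10.0.1.5 10.0.2.7"
```

Because the API server runs outside the pod network, no podSelector or namespaceSelector can match it, which is why the ipBlock route is the one that works here.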