Network policies

Network policies let you restrict the ingress traffic between pods using Kubernetes labels. To keep your cluster safer, it is strongly recommended to enable network policies in the Prometheus namespace.

Example

This example closes all inbound communication in the monitoring namespace and then allows only the traffic the monitoring components need. It has only been tested with the Calico network provider.

First, follow the instructions to add Calico to an existing Kubernetes cluster.

Next, use the following configuration to deny all ingress (inbound) traffic in the namespace. An empty podSelector selects every pod in the namespace, and a policy with no ingress rules admits nothing:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
  namespace: monitoring   # the namespace this example locks down
spec:
  podSelector: {}         # empty selector: every pod in the namespace
  policyTypes:
  - Ingress

Save the config file as default-deny-all.yaml and apply it to the cluster using

kubectl apply -f <path to config file>/default-deny-all.yaml

Apply the following network policies to allow the necessary traffic to reach the ports each pod exposes:

$ kubectl apply -n monitoring -f example/networkpolicies/

networkpolicy "alertmanager-web" configured
networkpolicy "alertmanager-mesh" configured
networkpolicy "grafana" configured
networkpolicy "node-exporter" configured
networkpolicy "prometheus" configured

Explaining the network policies

Alertmanager

  • Allow inbound tcp dst port 9093 from any source to alertmanager
  • Allow inbound tcp dst port 6783 from only alertmanager to alertmanager

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: alertmanager-web
spec:
  ingress:
  - ports:              # no "from" clause: any source may reach the web port
    - port: 9093
      protocol: TCP
  podSelector:
    matchLabels:
      alertmanager: main
      app: alertmanager
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: alertmanager-mesh
spec:
  ingress:
  - from:
    - podSelector:      # only other alertmanager pods may join the mesh
        matchExpressions:
        - key: app
          operator: In
          values:
          - alertmanager
        - key: alertmanager
          operator: In
          values:
          - main
    ports:
    - port: 6783
      protocol: TCP
  podSelector:
    matchLabels:
      alertmanager: main
      app: alertmanager

Grafana

  • Allow inbound tcp dst port 3000 from any source to grafana

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: grafana
spec:
  ingress:
  - ports:
    - port: 3000
      protocol: TCP
  podSelector:
    matchLabels:
      app: grafana

Prometheus

  • Allow inbound tcp dst port 9090 from any source to prometheus

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prometheus
spec:
  ingress:
  - ports:
    - port: 9090
      protocol: TCP
  podSelector:
    matchLabels:
      app: prometheus
      prometheus: k8s

Node-exporter

  • Allow inbound tcp dst port 9100 from only prometheus to node-exporter

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: node-exporter
spec:
  ingress:
  - from:
    - podSelector:      # only the prometheus pods may scrape node-exporter
        matchExpressions:
        - key: app
          operator: In
          values:
          - prometheus
        - key: prometheus
          operator: In
          values:
          - k8s
    ports:
    - port: 9100
      protocol: TCP
  podSelector:
    matchLabels:
      app: node-exporter

Kube-state-metrics

  • Allow inbound tcp dst port 8080 from only prometheus to kube-state-metrics

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kube-state-metrics
spec:
  ingress:
  - from:
    - podSelector:      # only the prometheus pods may scrape kube-state-metrics
        matchExpressions:
        - key: app
          operator: In
          values:
          - prometheus
        - key: prometheus
          operator: In
          values:
          - k8s
    ports:
    - port: 8080
      protocol: TCP
  podSelector:
    matchLabels:
      app: kube-state-metrics
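Before trusting a set of policies it helps to reason through what they admit: which pods each policy selects, which rules are OR-ed together, and how default-deny-all interacts with the rest. The following is an added example, not code from kube-prometheus or from this page: a small Python evaluator of NetworkPolicy ingress semantics (same-namespace podSelector peers only, which is all these manifests use) with the page's policies transcribed as dicts. The pod label sets and the unrelated "debug-shell" pod are constructed for the illustration.

```python
"""Added example: toy evaluator of NetworkPolicy *ingress* semantics, used to
check what the manifests on this page permit. Not kube-prometheus code.
Modelled rules: a pod selected by no policy accepts all ingress; once any
policy selects a pod, a connection is allowed only if some ingress rule of
some selecting policy matches (rules OR-ed); within a rule 'from' and 'ports'
are AND-ed, and an absent/empty clause means any peer / any port.
Only same-namespace podSelector peers are modelled; label sets are constructed.
"""


def selector_matches(selector, labels):
    """matchLabels and matchExpressions (operator In, the only one used here)
    must all hold; an empty selector matches every pod (default-deny-all)."""
    selector = selector or {}
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        if expr["operator"] != "In":
            raise ValueError("operator %r not modelled" % expr["operator"])
        if labels.get(expr["key"]) not in expr["values"]:
            return False
    return True


def rule_allows(rule, src_labels, port, protocol):
    """One ingress rule: peer clause AND port clause, each empty meaning any."""
    peers = rule.get("from") or []
    ports = rule.get("ports") or []
    peer_ok = not peers or any(selector_matches(p.get("podSelector"), src_labels)
                               for p in peers)
    port_ok = not ports or any(p["port"] == port and p.get("protocol", "TCP") == protocol
                               for p in ports)
    return peer_ok and port_ok


def ingress_allowed(policies, src_labels, dst_labels, port, protocol="TCP"):
    """Would the CNI admit src -> dst on port/protocol under these policies?"""
    selecting = [p for p in policies
                 if selector_matches(p["spec"].get("podSelector"), dst_labels)]
    if not selecting:
        return True  # nothing selects the destination pod: it is wide open
    return any(rule_allows(rule, src_labels, port, protocol)
               for p in selecting for rule in p["spec"].get("ingress") or [])


def policy(name, pod_selector, ingress=None):
    """Minimal NetworkPolicy dict carrying only the fields the evaluator reads."""
    return {"metadata": {"name": name},
            "spec": {"podSelector": pod_selector, "ingress": ingress or []}}


def tcp(port):
    return [{"port": port, "protocol": "TCP"}]


def only_from(**labels):
    """Peer clause in the page's matchExpressions style: every key In [value]."""
    return [{"podSelector": {"matchExpressions": [
        {"key": k, "operator": "In", "values": [v]} for k, v in labels.items()]}}]


# The page's policies transcribed as dicts (default-deny-all has no rules).
PAGE_POLICIES = [
    policy("default-deny-all", {"matchLabels": None}),
    policy("alertmanager-web", {"matchLabels": {"alertmanager": "main", "app": "alertmanager"}},
           [{"ports": tcp(9093)}]),
    policy("alertmanager-mesh", {"matchLabels": {"alertmanager": "main", "app": "alertmanager"}},
           [{"from": only_from(app="alertmanager", alertmanager="main"), "ports": tcp(6783)}]),
    policy("grafana", {"matchLabels": {"app": "grafana"}}, [{"ports": tcp(3000)}]),
    policy("prometheus", {"matchLabels": {"app": "prometheus", "prometheus": "k8s"}},
           [{"ports": tcp(9090)}]),
    policy("node-exporter", {"matchLabels": {"app": "node-exporter"}},
           [{"from": only_from(app="prometheus", prometheus="k8s"), "ports": tcp(9100)}]),
    policy("kube-state-metrics", {"matchLabels": {"app": "kube-state-metrics"}},
           [{"from": only_from(app="prometheus", prometheus="k8s"), "ports": tcp(8080)}]),
]

# Constructed label sets for the pods these policies talk about.
PROMETHEUS = {"app": "prometheus", "prometheus": "k8s"}
ALERTMANAGER = {"app": "alertmanager", "alertmanager": "main"}
GRAFANA = {"app": "grafana"}
NODE_EXPORTER = {"app": "node-exporter"}
KUBE_STATE_METRICS = {"app": "kube-state-metrics"}
STRANGER = {"app": "debug-shell"}  # an unrelated pod someone started in monitoring


def matrix(policies=PAGE_POLICIES):
    """Connections worth checking once the policies are applied."""
    cases = {
        "stranger -> alertmanager:9093": (STRANGER, ALERTMANAGER, 9093),
        "grafana -> alertmanager:6783": (GRAFANA, ALERTMANAGER, 6783),
        "alertmanager -> alertmanager:6783": (ALERTMANAGER, ALERTMANAGER, 6783),
        "prometheus -> node-exporter:9100": (PROMETHEUS, NODE_EXPORTER, 9100),
        "stranger -> node-exporter:9100": (STRANGER, NODE_EXPORTER, 9100),
        "prometheus -> kube-state-metrics:8080": (PROMETHEUS, KUBE_STATE_METRICS, 8080),
        "stranger -> stranger:80": (STRANGER, STRANGER, 80),
    }
    return {name: ingress_allowed(policies, s, d, port) for name, (s, d, port) in cases.items()}


if __name__ == "__main__":
    for name, ok in matrix().items():
        print("%-40s %s" % (name, "allowed" if ok else "denied"))
    # Without default-deny-all, pods that no policy selects are reachable on any port.
    print("stranger:80 without default-deny-all:",
          matrix(PAGE_POLICIES[1:])["stranger -> stranger:80"])
```

The last line of the script is the point of the default-deny-all manifest: the per-component policies only constrain the pods they select, so a pod in the namespace that none of them select (here the constructed debug-shell pod) stays reachable on every port until the empty-selector deny policy is in place. The evaluator also makes the protocol check visible: the rules admit TCP only, so a UDP connection to the same port is refused.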