Network policies

Network policies allow you to restrict the ingress traffic between pods easily using k8s labels. To keep your cluster safer, it is strongly recommended to enable network policies in the Prometheus namespace.

Example

In this example we are closing all the inbound communication in the namespace monitoring and allowing just the necessary traffic. This example has only been tested with the calico provider.

Follow the steps here to install calico, and also don't forget to enable network policy in your k8s cluster.

Once you've done that, you should annotate your namespace to deny all the ingress (inbound) traffic.

$ kubectl annotate ns monitoring "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
namespace "monitoring" annotated

At this point you can't reach any port in your pods, so let's apply these network policy examples to allow the necessary traffic.

$ kubectl apply -n monitoring -f example/networkpolicies/

networkpolicy "alertmanager-web" configured
networkpolicy "alertmanager-mesh" configured
networkpolicy "grafana" configured
networkpolicy "node-exporter" configured
networkpolicy "prometheus" configured

Explaining the network policies

Alertmanager

  • Allow inbound tcp dst port 9093 from any source to alertmanager-main
  • Allow inbound tcp dst port 6783 from only alertmanager-main to alertmanager-main

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: alertmanager-web
spec:
  ingress:
  # no "from" peers: port 9093 is reachable from any source
  - from:
    ports:
    - port: 9093
      protocol: TCP  # protocol names are case-sensitive ("TCP")
  podSelector:
    matchLabels:
      alertmanager: alertmanager-main
      app: alertmanager
---
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: alertmanager-mesh
spec:
  ingress:
  # mesh port 6783 only from pods that are themselves alertmanager-main
  - from:
    - podSelector:
        matchExpressions:
        - key: app
          operator: In
          values:
          - alertmanager
        - key: alertmanager
          operator: In
          values:
          - alertmanager-main
    ports:
    - port: 6783
      protocol: TCP
  podSelector:
    matchLabels:
      alertmanager: alertmanager-main
      app: alertmanager

Grafana

  • Allow inbound tcp dst port 3000 from any source to grafana

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: grafana
spec:
  ingress:
  # no "from" peers: port 3000 is reachable from any source
  - ports:
    - port: 3000
      protocol: TCP
  podSelector:
    matchLabels:
      app: grafana

Prometheus

  • Allow inbound tcp dst port 9090 from any source to prometheus-k8s

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: prometheus
spec:
  ingress:
  # no "from" peers: port 9090 is reachable from any source
  - ports:
    - port: 9090
      protocol: TCP
  podSelector:
    matchLabels:
      app: prometheus
      prometheus: prometheus-k8s

Node-exporter

  • Allow inbound tcp dst port 9100 from only prometheus-k8s to node-exporter

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: node-exporter
spec:
  ingress:
  # only the prometheus-k8s pods may scrape port 9100
  - from:
    - podSelector:
        matchExpressions:
        - key: app
          operator: In
          values:
          - prometheus
        - key: prometheus
          operator: In
          values:
          - prometheus-k8s
    ports:
    - port: 9100
      protocol: TCP
  podSelector:
    matchLabels:
      app: node-exporter
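To check what the policies above actually permit before applying them, here is an added evaluator (example code written for this page, not part of prometheus-operator). It models the DefaultDeny semantics used here: a pod is reachable only if some policy selecting it has an ingress rule whose ports match and whose "from" peers (empty means any source) match the source pod's labels. The embedded policies are the prometheus and node-exporter ones from this page, re-typed as Python dicts so the script runs without a YAML library; only the podSelector peers and the In/NotIn operators used on this page are modeled.

```python
# Constructed inline from the prometheus and node-exporter policies on this page.
POLICIES = [
    {"name": "prometheus",
     "podSelector": {"matchLabels": {"app": "prometheus", "prometheus": "prometheus-k8s"}},
     "ingress": [{"ports": [{"port": 9090, "protocol": "TCP"}]}]},
    {"name": "node-exporter",
     "podSelector": {"matchLabels": {"app": "node-exporter"}},
     "ingress": [{"from": [{"podSelector": {"matchExpressions": [
                      {"key": "app", "operator": "In", "values": ["prometheus"]},
                      {"key": "prometheus", "operator": "In", "values": ["prometheus-k8s"]}]}}],
                  "ports": [{"port": 9100, "protocol": "TCP"}]}]},
]


def selector_matches(selector, labels):
    """Label-selector semantics: every matchLabels entry and every matchExpressions
    term must hold. Only the In and NotIn operators are implemented here."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        in_values = labels.get(expr["key"]) in expr.get("values", [])
        if expr["operator"] == "In" and not in_values:
            return False
        if expr["operator"] == "NotIn" and in_values:
            return False
    return True


def ingress_allowed(src_labels, dst_labels, port, protocol="TCP", policies=POLICIES):
    """DefaultDeny: return True only if a policy selecting the destination pod has an
    ingress rule that matches both the port and the source (empty "from" = any source)."""
    for policy in policies:
        if not selector_matches(policy["podSelector"], dst_labels):
            continue
        for rule in policy.get("ingress", []):
            ports = rule.get("ports") or []          # empty ports list = all ports
            port_ok = not ports or any(
                p.get("port") == port and p.get("protocol", "TCP").upper() == protocol
                for p in ports)
            peers = rule.get("from") or []           # empty/missing from = any source
            src_ok = not peers or any(
                "podSelector" in peer and selector_matches(peer["podSelector"], src_labels)
                for peer in peers)
            if port_ok and src_ok:
                return True
    return False  # no policy grants the traffic, so DefaultDeny drops it


if __name__ == "__main__":
    print(ingress_allowed({"app": "grafana"}, {"app": "node-exporter"}, 9100))  # False
```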