Firewall

Firewall Configuration in Kubernetes

In Kubernetes we use the Cilium firewall, which is configured through CiliumNetworkPolicy resources. By default every incoming and outgoing connection of a pod is dropped; the only exceptions are a few cluster essentials such as DNS and the Istio sidecars, so any other traffic a workload needs must be allowed explicitly by a policy.

Cilium provides a policy editor that helps with writing these policies; comprehensive explanations can be found in the official Cilium documentation.

A small example of a policy allowing traffic from our ingress gateway to port 8080:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: example
  namespace: example
spec:
  # Pods in this namespace that the policy applies to
  endpointSelector:
    matchLabels:
      k8s:app: example
  ingress:
    # Only the Istio ingress gateway pods may connect ...
    - fromEndpoints:
        - matchLabels:
            k8s:app: istio-ingressgateway
            k8s:io.kubernetes.pod.namespace: istio-ingressgateway
            k8s:istio: ingressgateway
            k8s:name: istio-ingressgateway
      # ... and only to TCP port 8080; all other ports stay dropped
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
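Because the default is deny-all, the main way to weaken this setup is a policy that selects or allows more than intended. The following is an added example (not part of this page or of Cilium) that lints a CiliumNetworkPolicy for the common over-broad patterns: an empty endpointSelector, an empty fromEndpoints peer, a world/all entity, or a rule without toPorts. The policy above is embedded as a plain Python dict so the check runs without a cluster or a YAML library; lint_ingress is a hypothetical helper name.

```python
# Constructed copy of the page's example policy, as a Python dict.
EXAMPLE_POLICY = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "example", "namespace": "example"},
    "spec": {
        "endpointSelector": {"matchLabels": {"k8s:app": "example"}},
        "ingress": [{
            "fromEndpoints": [{"matchLabels": {
                "k8s:app": "istio-ingressgateway",
                "k8s:io.kubernetes.pod.namespace": "istio-ingressgateway",
                "k8s:istio": "ingressgateway",
                "k8s:name": "istio-ingressgateway",
            }}],
            "toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"}]}],
        }],
    },
}


def _selects_everything(selector):
    """True when a selector has neither matchLabels nor matchExpressions."""
    return not (selector.get("matchLabels") or selector.get("matchExpressions"))


def lint_ingress(policy):
    """Return a list of findings; an empty list means no over-broad rule found."""
    findings = []
    spec = policy.get("spec", {})
    # An empty endpointSelector applies the policy to every pod in the namespace.
    if _selects_everything(spec.get("endpointSelector", {})):
        findings.append("endpointSelector selects all pods in the namespace")
    for i, rule in enumerate(spec.get("ingress", [])):
        # A peer without labels matches every endpoint in the cluster.
        for peer in rule.get("fromEndpoints", []):
            if _selects_everything(peer):
                findings.append(f"ingress[{i}]: fromEndpoints matches all endpoints")
        # 'world' or 'all' opens the pod to traffic from outside the cluster.
        for entity in rule.get("fromEntities", []):
            if entity in ("world", "all"):
                findings.append(f"ingress[{i}]: fromEntities allows '{entity}'")
        # Without toPorts the rule permits every port, not just the service port.
        if not rule.get("toPorts"):
            findings.append(f"ingress[{i}]: no toPorts, every port is allowed")
    return findings


if __name__ == "__main__":
    print(lint_ingress(EXAMPLE_POLICY) or "no findings")
```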