Kubernetes security: implement global default network policy denying everything

[YuryHrytsuk]

Origin: https://kubernetes.io/docs/concepts/security/security-checklist/#network-security

Calico implementation example: https://docs.tigera.io/calico-enterprise/latest/network-policy/default-deny
Cilium implementation example: https://docs.cilium.io/en/latest/network/servicemesh/default-deny-ingress-policy/

Tasks

• Kubernetes: add deny all global network policy #1164
• Apply global policy to all non-system pods
  • Kubernetes: apply global deny network policy to simcore namespace #1168
  • adminer (see Kubernetes: add deny all global network policy #1164)
  • portainer (see Kubernetes: add deny all global network policy #1164)
  • local-path-storage
  • s3-csi
  • longhorn
  • topolvm
  • ebs-csi
  • Kubernetes: add cert-manager network policy #1175
  • reflector
  • victoria-logs
  • traefik (to be decided)

Implementation wishes

• easy way to discover which ports / networks / ... are used to create appropriate allow policy --> documented in calico-configuration's chart README.md
• document how to debug network policies
• alarms on denied traffic
• easy to enable development mode (enable free access)

[YuryHrytsuk]

Calico questions:

• I cannot find projectcalico.org/name label in my namespace projectcalico/calico#10732
• Documentation: profiles vs (global) network policy projectcalico/calico#10746
• Profile rules take precendence over (Global) Network Policy rules projectcalico/calico#10753

[YuryHrytsuk]

Logging / Debugging Calico Network Policies

https://stackoverflow.com/questions/51069221/logging-for-kubernetes-calico-networkpolicy