Unrestricted access between network segments - helm

Need

Restrict access between Kubernetes network segments using NetworkPolicy

Context

  • Usage of Helm for Kubernetes resource deployment
  • Lack of network segmentation enforcement via Kubernetes NetworkPolicy

Description

Non compliant code

# templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-app
spec:
  selector:
    matchLabels:
      app: {{ .Release.Name }}-app
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-app
    spec:
      containers:
        - name: app
          image: nginx

This Helm chart defines a Deployment and Service without any NetworkPolicy selecting its pods. A pod that no NetworkPolicy selects is non-isolated, so Kubernetes allows traffic to it from any pod in the cluster, in any namespace. This permits lateral movement from a compromised pod and violates network segmentation principles.

Steps

  • Define a `NetworkPolicy` in the Helm chart
  • Use `podSelector` and label-based ingress rules
  • Limit incoming traffic to trusted pods only

Compliant code

# templates/networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-np
spec:
  podSelector:
    matchLabels:
      app: {{ .Release.Name }}-app
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: allowed
  policyTypes:
    - Ingress

This example adds a minimal NetworkPolicy that selects the application pods and allows ingress only from pods labelled `access: allowed`, enforcing network segmentation. Three points to check when applying it: a `from` entry with only a `podSelector` matches pods in the policy's own namespace, so traffic from other namespaces needs an additional `namespaceSelector`; because `policyTypes` lists only `Ingress`, egress from the application pods remains unrestricted until an `Egress` type with matching rules is added; and NetworkPolicy objects are enforced only by a CNI plugin that supports them (Calico, Cilium and similar), so on a cluster without one the object is accepted by the API server but has no effect.
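The check below is an added example, not part of the original page or of any Helm tooling. It implements the Kubernetes isolation rule behind both the non-compliant and compliant cases above: a pod is isolated for a direction only when some NetworkPolicy in its namespace selects it and lists that direction in `policyTypes`. It works on rendered manifests as Python dicts (the shape `yaml.safe_load_all` gives for `helm template` output), so it runs without a cluster; the sample manifests are constructed for a release named `web`, and the `default` namespace fallback is an assumption for charts that set none.

```python
"""Audit rendered Kubernetes manifests for workloads that no NetworkPolicy isolates."""
from collections import defaultdict
from typing import Any, Dict, List, Set

# Constructed sample input (assumption): the chart above rendered with Release.Name
# "web", as `helm template` output would look after yaml.safe_load_all.
RENDERED_NONCOMPLIANT: List[Dict[str, Any]] = [
    {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "web-app"},
        "spec": {
            "selector": {"matchLabels": {"app": "web-app"}},
            "template": {
                "metadata": {"labels": {"app": "web-app"}},
                "spec": {"containers": [{"name": "app", "image": "nginx"}]},
            },
        },
    },
]

# Same chart with the compliant networkpolicy.yaml rendered alongside it.
RENDERED_COMPLIANT: List[Dict[str, Any]] = RENDERED_NONCOMPLIANT + [
    {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "web-np"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "web-app"}},
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "allowed"}}}]}],
            "policyTypes": ["Ingress"],
        },
    },
]

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}


def selector_matches(selector: Dict[str, Any], labels: Dict[str, str]) -> bool:
    """True when a label selector selects a pod carrying `labels`.
    Handles matchLabels and the four matchExpressions operators; an empty
    selector ({}) selects every pod in the namespace, as in the API."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        present = key in labels
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def effective_policy_types(spec: Dict[str, Any]) -> Set[str]:
    """policyTypes as the API server defaults it: Ingress is always implied,
    Egress only when an egress section is present."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def audit(manifests: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each workload (namespace/name) to the directions left unrestricted.
    Namespace falls back to "default" when the manifest sets none (assumption)."""
    policies = defaultdict(list)  # namespace -> [(podSelector, policyTypes)]
    for m in manifests:
        if m.get("kind") == "NetworkPolicy":
            ns = m.get("metadata", {}).get("namespace", "default")
            spec = m.get("spec", {})
            policies[ns].append((spec.get("podSelector") or {}, effective_policy_types(spec)))
    findings: Dict[str, List[str]] = {}
    for m in manifests:
        if m.get("kind") not in WORKLOAD_KINDS:
            continue
        ns = m.get("metadata", {}).get("namespace", "default")
        pod_labels = m["spec"]["template"].get("metadata", {}).get("labels") or {}
        isolated: Set[str] = set()
        for selector, types in policies[ns]:
            if selector_matches(selector, pod_labels):
                isolated |= types
        open_dirs = sorted({"Ingress", "Egress"} - isolated)
        if open_dirs:
            findings[f"{ns}/{m['metadata']['name']}"] = open_dirs
    return findings


if __name__ == "__main__":
    print("non-compliant chart:", audit(RENDERED_NONCOMPLIANT))
    print("compliant chart:", audit(RENDERED_COMPLIANT))
```

Run against the non-compliant rendering the audit reports both `Ingress` and `Egress` open for `default/web-app`; against the compliant rendering only `Egress` remains open, which is exactly the caveat about `policyTypes` above. To use it on a real chart, pipe `helm template <release> <chart>` through `yaml.safe_load_all` and pass the resulting list to `audit`.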
