This topic describes how to use a Kubernetes Network Policy to secure access to the AWS instance metadata service from Kubernetes clusters created with VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
Overview
For Pods on TKGI clusters deployed on AWS, you can manage access to the AWS instance metadata service using a Kubernetes Network Policy:
- You can block app access to the instance metadata service for apps in either all cluster namespaces or specific namespaces.
- You can grant app access to the instance metadata service for apps in one or more labeled Pods.
To manage access to the AWS instance metadata service, complete one of the following:
- Secure Access to AWS Instance Metadata for a Namespace
- Secure Access for All Namespaces Using an Antrea Cluster-Wide Network Policy
For information on why it is recommended that you secure access to AWS instance metadata, see Instance metadata and user data in the AWS documentation.
Secure Access to AWS Instance Metadata for a Namespace
You can use Kubernetes Network Policies to deny access to the AWS instance metadata service by default from all apps in a namespace and if desired, grant access to the service from specific Pods:
Deny Access from a Specific Namespace
To use a Kubernetes Network Policy to deny access to AWS instance metadata by default from a specific namespace:
-
To create a
denyNetwork Policy:- Create a YAML configuration file named
np.yml. -
Populate the YAML file with one of the following
denyNetwork Policy configurations:apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: POLICY-NAME namespace: NAMESPACE annotations: kubernetes.io/ingress.class: "nsx" spec: podSelector: {} policyTypes: - Egress egress: - to: - ipBlock: cidr: 0.0.0.0/0 except: - 169.254.169.254/32Where:
POLICY-NAMEis the name for this Network Policy. For exampledeny-metadata-access.NAMESPACEis the name of the namespace to apply the Network Policy to. For example,defaultto manage access from Pods in thedefaultnamespace.
- Save the YAML configuration file.
- Create a YAML configuration file named
-
To apply the
denyNetwork Policy to your cluster:kubectl apply -f np.ymlFor example:
# kubectl apply -f np.yml networkpolicy.networking.k8s.io/deny-metadata-access created -
Verify the Network Policy has been applied:
kubectl get networkpolicyFor example:
# kubectl get networkpolicy NAME POD-SELECTOR AGE deny-metadata-access <none> 8s - Verify that all apps in Pods in the namespace are blocked from accessing the AWS instance metadata service.
Grant Access to Specific Apps in a Namespace
To configure a Kubernetes Network Policy to grant access to the AWS instance metadata service for apps in a specific Pod:
-
To create an
allowNetwork Policy for apps in a Pod with a specific Pod label:- Create a YAML configuration file named
np-allow.yml. -
Populate the YAML file with one of the following
allowNetwork Policy configurations:apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: POLICY-NAME namespace: NAMESPACE annotations: kubernetes.io/ingress.class: "nsx" spec: podSelector: matchLabels: POD-LABEL policyTypes: - Egress egress: - to: - ipBlock: cidr: 169.254.169.254/32Where:
POLICY-NAMEis the name for this Network Policy. For exampleallow-metadata-access.NAMESPACEis the name of the namespace to apply the Network Policy to. For example,defaultto manage access from Pods in thedefaultnamespace.POD-LABELis the Pod label for the Pod to grant access to. Only the Pods tagged with thePOD-LABELlabel are affected by this configuration. For example,app: nginx.
- Save the YAML configuration file.
- Create a YAML configuration file named
-
To apply the
allowNetwork Policy to your cluster:kubectl apply -f np-allow.ymlFor example:
# kubectl apply -f np-allow.yml networkpolicy.networking.k8s.io/allow-metadata-access created -
Verify the Network Policy has been applied:
kubectl get networkpolicyFor example:
# kubectl get networkpolicy NAME POD-SELECTOR AGE allow-metadata-access app=nginx 3s - Verify that only the apps in Pod(s) with the specified label have access to AWS instance metadata.
Secure Access for All Namespaces Using an Antrea Cluster-Wide Network Policy
You can use an Antrea cluster-wide Kubernetes Network Policy to manage Pod access to AWS instance metadata.
The benefit of using an Antrea cluster-wide Network Policy is that a single configuration applies to all namespaces, avoiding the need to create a standard Network Policy for each namespace you want to manage.
To manage app access to AWS instance metadata using an Antrea cluster-wide Kubernetes Network Policy:
For more information on the benefits of using an Antrea Network Policy configuration, see Antrea Network Policy CRDs in the Antrea GitHub repository.
Deny Access to All Namespaces Using Antrea
To deny app access to AWS instance metadata from all cluster namespaces using an Antrea cluster-wide Kubernetes Network Policy:
-
To create a
denyNetwork Policy:- Create a YAML configuration file named
np-cluster-deny.yml. -
Populate the YAML file with the following
denyNetwork Policy configuration:apiVersion: crd.antrea.io/v1alpha1 kind: ClusterNetworkPolicy metadata: name: POLICY-NAME spec: priority: 3 ##### ====> configure deny access with a lower priority than allow access , or use 'tier' to determine what is taking effect first appliedTo: - podSelector: {} egress: - action: Drop to: - ipBlock: cidr: 169.254.169.254/32Where
POLICY-NAMEis the name for this Network Policy. For exampledeny-metadata-access. - Save the YAML configuration file.
- Create a YAML configuration file named
-
To apply the
denyNetwork Policy to your cluster:kubectl apply -f np-cluster-deny.ymlFor example:
# kubectl apply -f np-cluster-deny.yml clusternetworkpolicy.crd.antrea.io/deny-metadata-access created -
Verify the Network Policy has been applied:
kubectl get clusternetworkpolicies.crd.antrea.io -owideFor example:
# kubectl get clusternetworkpolicies.crd.antrea.io -owide NAME TIER PRIORITY DESIRED NODES CURRENT NODES AGE deny-metadata-access application 3 3 3 37s - Verify that apps in all namespaces are blocked from accessing AWS instance metadata.
Allow Access to a Specific App Using Antrea
To configure an Antrea Kubernetes Network Policy to grant access to AWS instance metadata for apps in a specific Pod:
-
To create an Antrea
allowNetwork Policy:- Create a YAML configuration file named
np-cluster-allow.yml. -
Populate the YAML file with the following
allowNetwork Policy configuration:apiVersion: crd.antrea.io/v1alpha1 kind: ClusterNetworkPolicy metadata: name: POLICY-NAME spec: priority: 2 appliedTo: - podSelector: matchLabels: POD-LABEL egress: - action: Allow to: - ipBlock: cidr: 169.254.169.254/32Where:
POLICY-NAMEis the name for this Network Policy. For exampleallow-metadata-access.POD-LABELis the Pod label for the Pod to grant access to. Only the Pods tagged with thePOD-LABELlabel are affected by this configuration. For example,app: nginx.
- Save the YAML configuration file.
- Create a YAML configuration file named
-
To apply the
allowNetwork Policy to your cluster:kubectl apply -f np-cluster-allow.ymlFor example:
# kubectl apply -f np-cluster-allow.yml clusternetworkpolicy.crd.antrea.io/allow-metadata-access created -
Verify the Network Policy has been applied:
kubectl get clusternetworkpolicies.crd.antrea.io -owideFor example:
# kubectl get clusternetworkpolicies.crd.antrea.io -owide NAME TIER PRIORITY DESIRED NODES CURRENT NODES AGE allow-metadata-access application 2 1 1 33s - Verify that only the apps in Pod(s) with the specified label have access to AWS instance metadata.
