Add NetworkPolicies to restrict inter-service traffic #15

@colek42

Description

Summary

After removing the localhost binding from the Kratos admin API to allow legitimate inter-service communication (commit 6da8419), we should add NetworkPolicies to properly restrict which services can access sensitive endpoints.

Background

The Kratos admin API needs to be accessible from:

  • judge-api: For user management operations
  • Kubernetes health probes: For liveness/readiness/startup checks

However, it should NOT be accessible from:

  • External traffic (already handled by ClusterIP service type)
  • Other unnecessary pods in the cluster

Proposed Solution

Add Kubernetes NetworkPolicies that:

  1. For Kratos admin service: Only allow traffic from judge-api pods and kubelet (health probes)
  2. For Archivista service: Only allow traffic from judge-api and gateway pods
  3. For judge-api service: Only allow traffic from gateway pods
  4. Default deny: Add a default-deny NetworkPolicy for the namespace with explicit allow rules

Implementation Details

Create NetworkPolicy templates in each chart:

  • charts/kratos/templates/networkpolicy.yaml
  • charts/archivista/templates/networkpolicy.yaml
  • charts/judge-api/templates/networkpolicy.yaml
  • charts/judge/templates/networkpolicy-default-deny.yaml

Example NetworkPolicy for Kratos Admin

{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "kratos.fullname" . }}-admin
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: {{ include "kratos.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}
  policyTypes:
  - Ingress
  ingress:
  # Allow from judge-api pods
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: judge-api
    ports:
    - protocol: TCP
      port: 4433
  # Intended for kubelet health probes. Note: an empty namespaceSelector plus an
  # empty podSelector matches every pod in every namespace, and kubelet probes
  # originate from the node IP rather than from a pod, so this peer does not
  # actually scope the port to probes; see the lint check and ipBlock variant below.
  - from:
    - namespaceSelector: {}
      podSelector: {}
    ports:
    - protocol: TCP
      port: 4433
{{- end }}
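The following lint check is an added example, not code from the judge charts or from the issue author. It encodes the two ingress rules of the policy above as Python dicts (the Helm expressions replaced by literal placeholder names and the namespace assumed to be `judge`) and flags peers that are wider than a single-service allow. The point it demonstrates: `namespaceSelector: {}` together with `podSelector: {}` matches every pod in every namespace, while kubelet probes do not come from a pod at all but from the node's IP, so that rule neither covers the probes nor scopes the port. The corrected rule set swaps that peer for an `ipBlock` covering the node CIDR; the `10.0.0.0/16` value is an assumption and must be replaced with the cluster's own node range.

```python
"""Lint check for overly broad NetworkPolicy ingress peers (added example)."""
import json

ADMIN_PORT = 4433                  # port used in the issue's policy
NODE_CIDR = "10.0.0.0/16"          # ASSUMPTION: replace with the cluster's node CIDR

JUDGE_API_PEER = {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "judge-api"}}}

# The two rules as written in the issue (constructed as dicts for linting)
ORIGINAL_RULES = [
    {"from": [JUDGE_API_PEER], "ports": [{"protocol": "TCP", "port": ADMIN_PORT}]},
    {"from": [{"namespaceSelector": {}, "podSelector": {}}],
     "ports": [{"protocol": "TCP", "port": ADMIN_PORT}]},
]

# Corrected rules: judge-api pods, plus node IPs so kubelet probes still reach the port
CORRECTED_RULES = [
    ORIGINAL_RULES[0],
    {"from": [{"ipBlock": {"cidr": NODE_CIDR}}],
     "ports": [{"protocol": "TCP", "port": ADMIN_PORT}]},
]


def kratos_admin_policy(rules, name="kratos-admin", namespace="judge"):
    """Build the NetworkPolicy object; name/namespace/labels are placeholder
    literals standing in for the chart's Helm template expressions."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {
                "app.kubernetes.io/name": "kratos",
                "app.kubernetes.io/instance": "judge"}},
            "policyTypes": ["Ingress"],
            "ingress": rules,
        },
    }


def _matches_all(selector):
    """An empty selector ({}) selects everything; an absent selector selects nothing."""
    return (selector is not None
            and not selector.get("matchLabels")
            and not selector.get("matchExpressions"))


def lint_policy(policy):
    """Return findings for ingress rules or peers that admit more than one service."""
    findings = []
    for i, rule in enumerate(policy["spec"].get("ingress") or []):
        peers = rule.get("from")
        if not peers:
            findings.append(f"ingress[{i}]: no 'from' => any source may connect")
        for j, peer in enumerate(peers or []):
            where = f"ingress[{i}].from[{j}]"
            ns_all = _matches_all(peer.get("namespaceSelector"))
            pod_all = _matches_all(peer.get("podSelector"))
            if ns_all and pod_all:
                findings.append(f"{where}: empty namespaceSelector+podSelector "
                                "matches every pod cluster-wide")
            elif ns_all and "podSelector" not in peer:
                findings.append(f"{where}: empty namespaceSelector matches every pod "
                                "in every namespace")
            elif pod_all and "namespaceSelector" not in peer:
                findings.append(f"{where}: empty podSelector matches every pod "
                                "in the namespace")
            cidr = (peer.get("ipBlock") or {}).get("cidr", "")
            if cidr.endswith("/0"):
                findings.append(f"{where}: ipBlock {cidr} admits any address")
        if not rule.get("ports"):
            findings.append(f"ingress[{i}]: no 'ports' => all ports exposed")
    return findings


def render(policy):
    """kubectl accepts JSON manifests, so no YAML library is needed here."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(label, lint_policy(kratos_admin_policy(rules)) or "no findings")
    print(render(kratos_admin_policy(CORRECTED_RULES)))
```

Whether probe traffic is subject to NetworkPolicy at all depends on the CNI (some allow host-originated traffic regardless of policy), so the ipBlock rule is the portable form but step 3 of the Testing section below still needs to be run on the real cluster.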

Configuration

Add to values.yaml:

networkPolicy:
  enabled: false  # Default disabled for backward compatibility
  additionalIngress: []  # Allow custom rules

Benefits

  • Defense in depth: Even if someone gains access to the cluster, they can't freely access admin APIs
  • Compliance: Meets zero-trust security requirements
  • Istio compatibility: Works alongside Istio AuthorizationPolicies for service mesh deployments
  • Optional: Can be enabled/disabled via values

Testing

  1. Enable NetworkPolicies via values
  2. Verify judge-api can still access Kratos admin API
  3. Verify health probes still work
  4. Verify unauthorized pods cannot access admin endpoints
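The evaluator below is an added example, not code from the judge charts or the issue author. It encodes the four policies from the Proposed Solution (default deny plus the three per-service allows) as dicts and applies the Kubernetes ingress semantics over constructed pods, so the four checks in the Testing section can be exercised against the rule set before touching a cluster. The Kratos admin port 4433 comes from the issue; `ARCHIVISTA_PORT` and `JUDGE_API_PORT` are assumptions, only `matchLabels` selectors and pod peers are modelled (ipBlock peers are ignored), and the namespace is assumed to be `judge`.

```python
"""Offline evaluator for the proposed NetworkPolicy set (added example)."""
from dataclasses import dataclass, field

NS = "judge"                 # ASSUMPTION: release namespace
KRATOS_ADMIN_PORT = 4433     # from the issue
ARCHIVISTA_PORT = 8082       # ASSUMPTION
JUDGE_API_PORT = 8080        # ASSUMPTION


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


def _name_peer(app):
    return {"podSelector": {"matchLabels": {"app.kubernetes.io/name": app}}}


def _policy(name, selector, ingress):
    return {"metadata": {"name": name, "namespace": NS},
            "spec": {"podSelector": selector, "policyTypes": ["Ingress"], "ingress": ingress}}


# The four policies from "Proposed Solution"
PROPOSED_POLICIES = [
    _policy("default-deny", {}, []),   # selects every pod, allows nothing
    _policy("kratos-admin", {"matchLabels": {"app.kubernetes.io/name": "kratos"}},
            [{"from": [_name_peer("judge-api")], "ports": [{"port": KRATOS_ADMIN_PORT}]}]),
    _policy("archivista", {"matchLabels": {"app.kubernetes.io/name": "archivista"}},
            [{"from": [_name_peer("judge-api"), _name_peer("gateway")],
              "ports": [{"port": ARCHIVISTA_PORT}]}]),
    _policy("judge-api", {"matchLabels": {"app.kubernetes.io/name": "judge-api"}},
            [{"from": [_name_peer("gateway")], "ports": [{"port": JUDGE_API_PORT}]}]),
]


def _selected(selector, labels):
    """matchLabels semantics: every listed label must match; {} selects everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, src, policy_ns):
    ns_labels = {"kubernetes.io/metadata.name": src.namespace}
    has_ns, has_pod = "namespaceSelector" in peer, "podSelector" in peer
    if has_ns and has_pod:
        return (_selected(peer["namespaceSelector"], ns_labels)
                and _selected(peer["podSelector"], src.labels))
    if has_ns:
        return _selected(peer["namespaceSelector"], ns_labels)
    if has_pod:
        # a bare podSelector only matches pods in the policy's own namespace
        return src.namespace == policy_ns and _selected(peer["podSelector"], src.labels)
    return False   # ipBlock peers are not modelled for pod-to-pod traffic


def ingress_allowed(policies, src, dst, port):
    """True if src may connect to dst:port under these policies."""
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == dst.namespace
                  and "Ingress" in p["spec"]["policyTypes"]
                  and _selected(p["spec"]["podSelector"], dst.labels)]
    if not applicable:
        return True              # a pod selected by no policy is unrestricted
    for p in applicable:         # policies are additive: any matching rule allows
        for rule in p["spec"]["ingress"] or []:
            ports = rule.get("ports")
            port_ok = not ports or any(pp.get("port") == port for pp in ports)
            peers = rule.get("from")
            peer_ok = not peers or any(_peer_matches(peer, src, p["metadata"]["namespace"])
                                       for peer in peers)
            if port_ok and peer_ok:
                return True
    return False


# Constructed pods: the services, a stray debug pod in the namespace, and a pod in
# another namespace that copies judge-api's labels
PODS = {n: Pod(n, ns, {"app.kubernetes.io/name": app}) for n, app, ns in [
    ("gateway", "gateway", NS), ("judge-api", "judge-api", NS), ("kratos", "kratos", NS),
    ("archivista", "archivista", NS), ("stray", "debug", NS), ("impostor", "judge-api", "other")]}


def run_checks(policies=PROPOSED_POLICIES):
    """Mirror steps 2 and 4 of the Testing section; returns {check: allowed?}."""
    P, a = PODS, lambda s, d, port: ingress_allowed(policies, P[s], P[d], port)
    return {
        "judge-api->kratos": a("judge-api", "kratos", KRATOS_ADMIN_PORT),
        "stray->kratos": a("stray", "kratos", KRATOS_ADMIN_PORT),
        "gateway->kratos": a("gateway", "kratos", KRATOS_ADMIN_PORT),
        "impostor->kratos": a("impostor", "kratos", KRATOS_ADMIN_PORT),
        "gateway->judge-api": a("gateway", "judge-api", JUDGE_API_PORT),
        "kratos->judge-api": a("kratos", "judge-api", JUDGE_API_PORT),
        "judge-api->archivista": a("judge-api", "archivista", ARCHIVISTA_PORT),
        "gateway->archivista": a("gateway", "archivista", ARCHIVISTA_PORT),
    }


if __name__ == "__main__":
    for check, allowed in run_checks().items():
        print(f"{check:24} {'ALLOW' if allowed else 'DENY'}")
```

The `impostor` case shows why the bare `podSelector` peers are the right choice for these rules: a pod in another namespace carrying the same `app.kubernetes.io/name` label is still denied, which a `namespaceSelector: {}` peer would not guarantee. Running `run_checks(PROPOSED_POLICIES[1:])` (the set without default deny) makes the stray pod reach any pod no policy selects, which is what item 4 of the Proposed Solution closes.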

Related

  • Commit 6da8419: Removed localhost binding from Kratos admin API
  • Could also consider Istio AuthorizationPolicies as an alternative/addition for Istio-enabled clusters

Priority

Medium - This adds an important security layer but the services are already protected by ClusterIP service types and can be further secured with Istio if needed.
