The purpose of this post is to give a high-level overview of how to achieve the security aspect of traffic control in AWS EKS.
As seen in the above diagram, AWS EKS is a managed service, which means the control plane is AWS's responsibility while the components on the worker nodes are the user's/customer's.
It's a shared responsibility model.
There are a couple of ways we can control incoming and outgoing traffic to/from an EKS cluster.
Cluster VPC and subnet considerations
There are a couple of ways to set up a VPC and subnets.
1. Public and private subnets
2. Only public subnets
3. Only private subnets
This way we can deploy web services in public subnets and backend services in private subnets.
Enable External SNAT (source network address translation)
By enabling external SNAT, the EKS CNI implementation does not perform SNAT itself and relies on whatever egress solution you have in place, such as a VPC NAT Gateway, to do it for you.
This is ideal for pods deployed in public subnets.
https://medium.com/swlh/what-to-know-before-using-amazon-eks-3b32cc64f131
AWS Security Groups & NACL
- A security group is the firewall of EC2 instances.
- A network ACL is the firewall of the VPC subnets.
Pod Security Groups
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: my-security-group-policy
  namespace: my-namespace
spec:
  podSelector:
    matchLabels:
      role: my-role
  securityGroups:
    groupIds:
      - sg-abc123
https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
Network Policies
If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster.
This is the Kubernetes way of applying compliance rules to network traffic within the cluster.
https://github.com/ahmetb/kubernetes-network-policy-recipes
Securing Cluster Networking with Network Policies - Ahmet Balkan, Google
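As an added example (not part of the original post), here is how the public web tier / private backend split described above can be enforced at layer 3/4 with NetworkPolicies: a default-deny ingress baseline for the backend namespace, then a single explicit allow so only web-tier pods can reach backend pods on their service port. The namespace names, labels and port are assumptions for illustration; the kubernetes.io/metadata.name namespace label is set automatically by Kubernetes 1.21 and later.

```yaml
---
# Baseline: once any policy selects a pod, everything not explicitly allowed is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: backend              # assumed namespace for private-subnet services
spec:
  podSelector: {}                 # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress                     # ingress only, so DNS and other egress keep working
---
# Allow rule: policies are additive, so this punches a hole in the baseline above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-backend
  namespace: backend
spec:
  podSelector:
    matchLabels:
      role: backend               # assumed label on backend pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector in ONE list entry are ANDed:
        # only pods labelled role=web in the "web" namespace match.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: web   # assumed namespace of public-subnet web pods
          podSelector:
            matchLabels:
              role: web
      ports:
        - protocol: TCP
          port: 8080              # assumed backend service port
```

The API server accepts NetworkPolicy objects on any cluster, but they are only enforced when a network policy engine (for example Calico) is running, so verify enforcement with a test pod outside the web tier before relying on it. If you later add Egress to the default-deny policy, add a matching allow for DNS to kube-system or pods will lose name resolution.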
Upgrade core add-ons
- kube-proxy
- CoreDNS
It is always a best practice to keep these add-ons upgraded.
By doing this we can use the latest traffic-control related features.
eksctl utils update-kube-proxy --cluster=eksworkshop-eksctl --approve
eksctl utils update-coredns --cluster=eksworkshop-eksctl --approve
https://www.eksworkshop.com/intermediate/320_eks_upgrades/upgradeaddons/