2/14/2022

AWS EKS Security: Traffic Control

The purpose of this post is to give a high-level overview of how to secure traffic control in AWS EKS.

As seen in the diagram above, AWS EKS is a managed service: AWS is responsible for the control plane, while the components running on the worker nodes are the responsibility of the user/customer.

It is a shared responsibility model.

There are a couple of ways to control incoming and outgoing traffic to and from an EKS cluster.

Cluster VPC and subnet considerations


There are a couple of ways to set up the VPC and its subnets:

1. Public and private subnets
2. Only public subnets
3. Only private subnets

Of these, option one is the most popular VPC and subnet setup for an EKS cluster.
This way we can deploy web services in the public subnets while keeping backend services in the private subnets.









Enable External SNAT (source network address translation)

When external SNAT is enabled, the EKS CNI implementation does not perform SNAT itself and instead relies on whatever egress solution you have in place, such as a VPC NAT Gateway, to do it for you.

This is ideal for pods deployed in public subnets.


https://medium.com/swlh/what-to-know-before-using-amazon-eks-3b32cc64f131




AWS Security Groups & NACL


  • A security group is the firewall of EC2 instances.
  • A network ACL is the firewall of VPC subnets.
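The practical difference between the two firewalls is that a security group is stateful (the reply to an allowed connection is accepted automatically) while a network ACL is stateless (every packet, including replies, must match an explicit rule). The following toy model, added here as an illustration and not code from the post or from AWS, traces one constructed HTTPS request/reply pair through each; the rule tuples, IP addresses and the `SecurityGroup`/`NetworkAcl` classes are simplified assumptions for the demonstration, not AWS APIs.

```python
"""Toy model of a stateful security group versus a stateless network ACL,
tracing one TCP request/reply pair through each.
Constructed example; not AWS code and not from the original post."""

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = towards the instance/subnet, "out" = leaving it
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass
class SecurityGroup:
    """Stateful: allow rules only, and a packet belonging to a connection that
    was already allowed in one direction is accepted regardless of rules."""
    inbound: list            # (proto, port, cidr)
    outbound: list
    _conns: set = field(default_factory=set)

    def allows(self, pkt):
        # A reply carries the original 5-tuple with src and dst swapped.
        if (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self._conns:
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        for proto, port, cidr in rules:
            if proto == pkt.proto and port == pkt.dst_port and in_cidr(remote, cidr):
                self._conns.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
        return False


@dataclass
class NetworkAcl:
    """Stateless: numbered allow/deny rules, lowest number first, first match
    wins, implicit deny at the end. Return traffic needs its own rule."""
    inbound: list            # (number, action, proto, port_lo, port_hi, cidr)
    outbound: list

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        for _, action, proto, lo, hi, cidr in sorted(rules):
            if proto == pkt.proto and lo <= pkt.dst_port <= hi and in_cidr(remote, cidr):
                return action == "allow"
        return False


# Constructed traffic: an internet client opens HTTPS to a node, and the node
# replies from port 443 back to the client's ephemeral port.
REQUEST = Packet("in", "tcp", "203.0.113.5", 51000, "10.0.1.10", 443)
REPLY = Packet("out", "tcp", "10.0.1.10", 443, "203.0.113.5", 51000)


def trace_security_group():
    """Inbound 443 allowed and no outbound rule at all: the reply still passes."""
    sg = SecurityGroup(inbound=[("tcp", 443, "0.0.0.0/0")], outbound=[])
    return sg.allows(REQUEST), sg.allows(REPLY)


def trace_network_acl(with_ephemeral_rule):
    """Inbound 443 allowed; the reply passes only if an outbound rule covers
    the client's ephemeral port range."""
    outbound = [(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")] if with_ephemeral_rule else []
    nacl = NetworkAcl(inbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")], outbound=outbound)
    return nacl.allows(REQUEST), nacl.allows(REPLY)


if __name__ == "__main__":
    print("security group (request, reply):", trace_security_group())
    print("NACL without ephemeral rule:    ", trace_network_acl(False))
    print("NACL with ephemeral rule:       ", trace_network_acl(True))
```

The model shows why a subnet NACL that only opens port 443 inbound silently breaks HTTPS, and why the matching outbound rule for the ephemeral port range (1024-65535) is required, whereas the security group needs only the inbound rule.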



https://medium.com/awesome-cloud/aws-difference-between-security-groups-and-network-acls-adc632ea29ae



Pod Security Groups


With this, we can apply security group rules to the inbound and outbound network traffic of individual pods running on an EC2 instance/node, in the same way we apply them to the instance itself.

apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: my-security-group-policy
  namespace: my-namespace
spec:
  podSelector: 
    matchLabels:
      role: my-role
  securityGroups:
    groupIds:
      - sg-abc123


https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html



Network Policies


If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster.

This is the Kubernetes-native way of applying compliance rules to network traffic within the cluster.

https://github.com/ahmetb/kubernetes-network-policy-recipes

Securing Cluster Networking with Network Policies - Ahmet Balkan, Google
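The behaviour that most often surprises people when they adopt NetworkPolicies is that a pod accepts all traffic until some policy selects it, and from then on only the union of the selecting policies' rules is allowed, so a default-deny policy plus narrow allow policies is the usual pattern. The following evaluator, added here as an illustration and not code from the post or from any Kubernetes project, implements those ingress semantics over three constructed policies (a namespace-wide default deny, an allow from web to api on 8080, and an allow from a monitoring namespace on 9090). It models podSelector, namespaceSelector, matchLabels, ports and policyTypes only; ipBlock and matchExpressions are left out, and the pod, namespace and policy objects are constructed sample data.

```python
"""Evaluate whether ingress to a pod is allowed under a set of Kubernetes
NetworkPolicy objects. Constructed example (ingress only; podSelector,
namespaceSelector, matchLabels, ports and policyTypes are modelled, ipBlock
and matchExpressions are not). Not code from the post or from Kubernetes."""


def labels_match(selector, labels):
    # An empty selector ({}) matches everything; only matchLabels is modelled.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def selects_pod(policy, pod):
    # A policy only ever selects pods in its own namespace.
    return (policy["metadata"]["namespace"] == pod["namespace"]
            and labels_match(policy["spec"]["podSelector"], pod["labels"]))


def peer_matches(peer, policy_ns, src, namespaces):
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False
    if ns_sel is not None:
        if not labels_match(ns_sel, namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        # podSelector alone only matches pods in the policy's own namespace.
        return False
    if pod_sel is not None and not labels_match(pod_sel, src["labels"]):
        return False
    return True


def rule_allows(rule, policy_ns, src, port, protocol, namespaces):
    # An absent or empty "from" matches every source; likewise for "ports".
    peers = rule.get("from") or []
    if peers and not any(peer_matches(p, policy_ns, src, namespaces) for p in peers):
        return False
    ports = rule.get("ports") or []
    if ports and not any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                         for p in ports):
        return False
    return True


def ingress_allowed(policies, dst, src, port, namespaces, protocol="TCP"):
    """A pod not selected by any Ingress policy accepts everything; once
    selected, only traffic matched by some rule of some selecting policy is
    allowed (rules are additive, never restrictive)."""
    selecting = [p for p in policies
                 if selects_pod(p, dst)
                 and "Ingress" in (p["spec"].get("policyTypes") or ["Ingress"])]
    if not selecting:
        return True
    return any(rule_allows(rule, pol["metadata"]["namespace"], src, port, protocol, namespaces)
               for pol in selecting for rule in (pol["spec"].get("ingress") or []))


# Constructed sample cluster state: namespace labels, pods and three policies.
NAMESPACES = {"prod": {"env": "prod"}, "monitoring": {"team": "sre"}, "dev": {"env": "dev"}}
API = {"namespace": "prod", "labels": {"app": "api"}}
WEB = {"namespace": "prod", "labels": {"app": "web"}}
DEV_WEB = {"namespace": "dev", "labels": {"app": "web"}}
PROM = {"namespace": "monitoring", "labels": {"app": "prometheus"}}

DEFAULT_DENY = {"metadata": {"name": "default-deny-ingress", "namespace": "prod"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_WEB_TO_API = {"metadata": {"name": "allow-web-to-api", "namespace": "prod"},
                    "spec": {"podSelector": {"matchLabels": {"app": "api"}},
                             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                                          "ports": [{"protocol": "TCP", "port": 8080}]}]}}
ALLOW_MONITORING = {"metadata": {"name": "allow-monitoring-scrape", "namespace": "prod"},
                    "spec": {"podSelector": {},
                             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "sre"}}}],
                                          "ports": [{"port": 9090}]}]}}
POLICIES = [DEFAULT_DENY, ALLOW_WEB_TO_API, ALLOW_MONITORING]


if __name__ == "__main__":
    print("no policies, dev web -> api:8080 :", ingress_allowed([], API, DEV_WEB, 8080, NAMESPACES))
    print("default deny, web -> api:8080    :", ingress_allowed([DEFAULT_DENY], API, WEB, 8080, NAMESPACES))
    print("all policies, web -> api:8080    :", ingress_allowed(POLICIES, API, WEB, 8080, NAMESPACES))
    print("all policies, dev web -> api:8080:", ingress_allowed(POLICIES, API, DEV_WEB, 8080, NAMESPACES))
    print("all policies, prom -> web:9090   :", ingress_allowed(POLICIES, WEB, PROM, 9090, NAMESPACES))
```

Note the namespace rule in `peer_matches`: a peer with only a podSelector matches pods in the policy's own namespace, so the dev namespace's web pod is refused even though its labels match; granting cross-namespace access requires a namespaceSelector, as the monitoring policy does. Whether a cluster actually enforces these objects depends on the CNI in use, which is why the recipes linked above matter in practice.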


Upgrade core add-ons

1. kube-proxy
2. CoreDNS

It is always a best practice to keep these add-ons upgraded.

By doing this we can use the latest traffic-control related features.

eksctl utils update-kube-proxy --cluster=eksworkshop-eksctl --approve

eksctl utils update-coredns --cluster=eksworkshop-eksctl --approve

https://www.eksworkshop.com/intermediate/320_eks_upgrades/upgradeaddons/


