Unrestricted access between network segments - Helm
Need
Restrict access between Kubernetes network segments using NetworkPolicy
Context
- Usage of Helm for Kubernetes resource deployment
- Lack of network segmentation enforcement via Kubernetes NetworkPolicy
Description
Insecure Code Example
# templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-app
spec:
  selector:
    matchLabels:
      app: {{ .Release.Name }}-app
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-app
    spec:
      containers:
        - name: app
          image: nginx
This Helm chart defines a Deployment and Service but no NetworkPolicy, so the cluster's default allow-all behaviour applies and any pod in the cluster can reach the application pods. This permits lateral movement from a compromised pod and violates network segmentation principles.
Steps
- Define a `NetworkPolicy` in the Helm chart
- Use `podSelector` and label-based ingress rules
- Limit incoming traffic to trusted pods only
Secure Code Example
# templates/networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-np
spec:
  podSelector:
    matchLabels:
      app: {{ .Release.Name }}-app
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: allowed
  policyTypes:
    - Ingress
This example adds a minimal NetworkPolicy that restricts ingress to the application pods to traffic from pods carrying the label `access: allowed` (in the same namespace, since no `namespaceSelector` is given), enforcing network segmentation. Because `policyTypes` lists only `Ingress`, egress from the pods remains unrestricted, and the policy is only enforced on clusters whose CNI plugin supports NetworkPolicy.
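The steps above describe the fix; what a reviewer also wants is a way to detect the insecure state, i.e. a Deployment whose pods are not selected by any ingress NetworkPolicy in their namespace. The following audit script is an added example, not part of the original page or of any Helm or Kubernetes project. It reads the JSON a `kubectl get deployments,networkpolicies -A -o json` call (or a rendered chart converted to JSON) would produce, applies the API server's defaulting rules for `policyTypes`, and reports every Deployment that no ingress policy covers. The manifest sample embedded in it is constructed for this example; the function and namespace names are assumptions.

```python
"""Audit Kubernetes manifests for Deployments whose pods are not selected
by any NetworkPolicy that restricts ingress.

Input is a Kubernetes List in JSON form, as produced by
`kubectl get deployments,networkpolicies -A -o json`. The sample below is
constructed for this example."""
import json

# Constructed sample: "shop" has a covering policy, "billing" only has an
# egress policy (so ingress stays wide open), "data" has a default-deny
# ingress policy whose empty podSelector selects every pod in the namespace.
SAMPLE_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"apiVersion": "apps/v1", "kind": "Deployment",
         "metadata": {"name": "shop-app", "namespace": "shop"},
         "spec": {"template": {"metadata": {"labels": {"app": "shop-app", "tier": "web"}}}}},
        {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
         "metadata": {"name": "shop-np", "namespace": "shop"},
         "spec": {"podSelector": {"matchLabels": {"app": "shop-app"}},
                  "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "allowed"}}}]}],
                  "policyTypes": ["Ingress"]}},
        {"apiVersion": "apps/v1", "kind": "Deployment",
         "metadata": {"name": "billing-app", "namespace": "billing"},
         "spec": {"template": {"metadata": {"labels": {"app": "billing-app"}}}}},
        {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
         "metadata": {"name": "egress-only", "namespace": "billing"},
         "spec": {"podSelector": {}, "egress": [], "policyTypes": ["Egress"]}},
        {"apiVersion": "apps/v1", "kind": "Deployment",
         "metadata": {"name": "cache", "namespace": "data"},
         "spec": {"template": {"metadata": {"labels": {"app": "cache"}}}}},
        {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
         "metadata": {"name": "default-deny-ingress", "namespace": "data"},
         "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    ],
})


def effective_policy_types(spec):
    """Return policyTypes as the API server defaults them: when the field is
    omitted, Ingress is always implied and Egress only if an egress section
    is present."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def selector_matches(selector, labels):
    """True if a podSelector selects pods carrying `labels`.
    An empty selector ({}) matches every pod in the namespace. Only
    matchLabels is evaluated; a selector that relies on matchExpressions is
    treated as not matching, which errs on the side of reporting a finding."""
    if not selector:
        return True
    if selector.get("matchExpressions"):
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def find_unrestricted_deployments(manifest_json):
    """Return 'namespace/name' for every Deployment whose pod template labels
    are not selected by any NetworkPolicy in the same namespace that has
    Ingress among its (effective) policyTypes."""
    items = json.loads(manifest_json)["items"]
    policies = [i for i in items if i["kind"] == "NetworkPolicy"]
    findings = []
    for dep in (i for i in items if i["kind"] == "Deployment"):
        ns = dep["metadata"].get("namespace", "default")
        labels = dep["spec"]["template"]["metadata"].get("labels", {})
        covered = any(
            pol["metadata"].get("namespace", "default") == ns
            and "Ingress" in effective_policy_types(pol["spec"])
            and selector_matches(pol["spec"].get("podSelector", {}), labels)
            for pol in policies
        )
        if not covered:
            findings.append(f"{ns}/{dep['metadata']['name']}")
    return findings


if __name__ == "__main__":
    for finding in find_unrestricted_deployments(SAMPLE_JSON):
        print(f"no ingress NetworkPolicy selects the pods of Deployment {finding}")
```

Run against the sample, only `billing/billing-app` is reported: its namespace has a policy, but that policy lists only `Egress`, so it does nothing for inbound traffic. In a CI pipeline the same check can be pointed at the output of `helm template` (converted to JSON) so that a chart missing its `networkpolicy.yaml` fails before it is deployed.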
References
Last updated
2025/04/04