Identity-Based Microsegmentation Guide
LAST UPDATED: November 8, 2021

Advanced options

NOTE

When you do change any configuration, run doit again. It will analyze what needs to be updated or not given the changes made.

Enable policy engine v2

By default to maintain backward compatibility with old enforcers the policy engine starts as version 1 (v1). To use the new network rulesets with new enforcers you need to toggle the engine to use the v2 policy engine as follow:

set_value global.defaultNetpolicyRendererVersion v2 override

Proxy

If your outbound Kubernetes connections are going through a proxy, you will need to configure the following:

set_value global.proxy.enabled true
set_value global.proxy.http http://proxy:port
set_value global.proxy.https https://proxy:port

Private registry

Create a secret as per Kubernetes documentation then add its name to the configuration as follow:

set_value 'global.imagePullSecrets[0].secret' <secret-name>

SMTP

Run the following commands to configure SMTP.

set_value integrations.smtp.enabled "true"
set_value integrations.smtp.server "smtp.gmail.com:587"
set_value integrations.smtp.user "user@domain.com"
set_value integrations.smtp.pass "secret"
set_value integrations.smtp.systemEmail "aporeto@domain.com"
set_value global.integrations.smtp.receivers.invitation "registration@domain.com"
set_value global.integrations.smtp.receivers.monitor "alerts@domain.com"
set_value immediateActivation false vince override

NOTE

Once you create an account you can disable further account creation by setting set_value disableAccountCreation true vince override and running snap -u vince --force.

Slack alerts

You can configure alerting through Slack as follows (if you have the monitoring stack deployed):

set_value global.integrations.slack.webhook <web_hook>
set_value global.integrations.slack.channel <channel>

Proxy protocol

If you are using an AWS elastic load balancer or an ingress controller and want to leverage the client IP preservation to restrict the authorization policies using subnet, you can enable proxy protocol as below:

# From your voila environement
set_value proxyProtocol.enabled true wutai override
set_value proxyProtocol.subnet 10.0.0.0/8 wutai override
set_value proxyProtocol.mode aws wutai override

AWS network load balancer

If you want to use an AWS network load balancer:

# From your voila environment
set_value 'serviceAnnotations."service.beta.kubernetes.io/aws-load-balancer-type"' "nlb" wutai override

Restrict network access to services

If you want to mitigate any lateral movement from code that can run from the services you can restrict what they can access to:

# Put network restriction on services
set_value 'networkRestrictions.excludedNetworks[0]' 127.0.0.0/8 squall override
set_value 'networkRestrictions.excludedNetworks[1]' 192.168.0.0/16 squall override
set_value 'networkRestrictions.excludedNetworks[2]' 10.0.0.0/8 squall override
set_value 'networkRestrictions.excludedNetworks[3]' 169.254.0.0/16 squall override
set_value 'networkRestrictions.excludedNetworks[4]' 172.16.0.0/12 squall override
set_value 'networkRestrictions.authorizedTLDs[0]' .highwind squall override

set_value 'networkRestrictions.excludedNetworks[0]' 127.0.0.0/8 cactuar override
set_value 'networkRestrictions.excludedNetworks[1]' 192.168.0.0/16 cactuar override
set_value 'networkRestrictions.excludedNetworks[2]' 10.0.0.0/8 cactuar override
set_value 'networkRestrictions.excludedNetworks[3]' 169.254.0.0/16 cactuar override
set_value 'networkRestrictions.excludedNetworks[4]' 172.16.0.0/12 cactuar override
set_value 'networkRestrictions.authorizedTLDs[0]' .highwind cactuar override

set_value 'networkRestrictions.excludedNetworks[0]' 127.0.0.0/8 sephiroth-worker override
set_value 'networkRestrictions.excludedNetworks[1]' 192.168.0.0/16 sephiroth-worker override
set_value 'networkRestrictions.excludedNetworks[2]' 10.0.0.0/8 sephiroth-worker override
set_value 'networkRestrictions.excludedNetworks[3]' 169.254.0.0/16 sephiroth-worker override
set_value 'networkRestrictions.excludedNetworks[4]' 172.16.0.0/12 sephiroth-worker override
set_value 'networkRestrictions.authorizedTLDs[0]' .highwind sephiroth-worker override

Please adapt subnets according to your infrastructure.

Advanced settings

You can leverage the cheval tool to get more details about the settings you can change ex: cheval inspect mongodb-shard.

Please not that those are advanced settings. Be sure that you know what you are doing.