II. Restricting pod-to-pod traffic
In this section, we show you how to adopt a stronger security posture, sometimes referred to as zero trust. We will no longer assume that all pods within the hipster shop application can be trusted. Instead, we restrict pod-to-pod communications to the minimum necessary.
By blocking unnecessary communications between pods, we can minimize the blast radius of a compromised pod.
For example, if an attacker gains access to the frontend pod, they will be unable to reach the
Each pod has a label defining its role, using the following syntax:
Our policies use these labels to block unnecessary pod traffic.
At this stage our hipster shop application is still under development.
All of the pods have the label
In the next section, we will deploy the hipster shop application into production.
The pods in the production hipster shop application will have the label
The policy we apply in this section uses these labels to prevent the pods in the development application from communicating with the pods in the production application, and vice versa.
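To make the label-based model concrete, here is an added example (not part of the tutorial or of Aporeto's own code) that evaluates a handful of the pod-to-pod policies imported in this section against constructed pod tag sets. It assumes the selector semantics described in Aporeto's documentation: a policy matches a flow when the source's tags satisfy the subject selector and the destination's tags satisfy the object selector, a selector is an OR of AND-clauses, an explicit Reject wins over any Allow, and a flow with no matching policy is denied by default.

```python
# Added example: minimal evaluator for Aporeto-style tag-selector policies.
# The policy subset mirrors entries from the pod-to-pod.yaml imported in this
# section; the pod tag sets below are constructed for illustration.

POLICIES = [
    {"name": "frontend", "subject": [["app=frontend"]],
     "object": [["app=adservice"], ["app=checkoutservice"], ["app=cartservice"]]},
    {"name": "cartservice", "subject": [["app=cartservice"]],
     "object": [["app=redis-cart"]]},
    # the broad ring-fence policy is disabled in this section, so it is skipped
    {"name": "company-store", "disabled": True,
     "subject": [["project=companystore"]], "object": [["project=companystore"]]},
    {"name": "deny-dev-to-prod", "action": "Reject",
     "subject": [["env=dev"]], "object": [["env=prod"]]},
]


def selector_matches(selector, tags):
    """A selector is a list of clauses; every tag in a clause must be present
    (AND), and any one clause matching is enough (OR)."""
    return any(all(t in tags for t in clause) for clause in selector)


def evaluate(src_tags, dst_tags, policies=POLICIES):
    """Return 'Allow', 'Reject' (explicit) or 'Deny' (no matching policy)."""
    decision = "Deny"  # assumed default: nothing matches, flow is dropped
    for p in policies:
        if p.get("disabled"):
            continue
        if selector_matches(p["subject"], src_tags) and selector_matches(p["object"], dst_tags):
            if p.get("action", "Allow") == "Reject":
                return "Reject"  # assumed: an explicit reject overrides allows
            decision = "Allow"
    return decision


# constructed pod tag sets, using the label conventions of the tutorial
DEV_FRONTEND = {"app=frontend", "env=dev", "project=companystore"}
DEV_CART = {"app=cartservice", "env=dev", "project=companystore"}
DEV_PAYMENT = {"app=paymentservice", "env=dev", "project=companystore"}
PROD_CART = {"app=cartservice", "env=prod", "project=companystore"}

if __name__ == "__main__":
    for src, dst in [(DEV_FRONTEND, DEV_CART), (DEV_FRONTEND, DEV_PAYMENT),
                     (DEV_FRONTEND, PROD_CART)]:
        print(sorted(src), "->", sorted(dst), evaluate(src, dst))
```

Re-enabling the ring-fence policy in the list shows why it is disabled here: with it active, frontend could reach paymentservice directly, which the granular policies never grant.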
Importing the external network and network policy definition
We provide a predefined YAML file containing the external networks and network policies. You can use either of the following methods to import it.
If you have apoctl installed, you can use the following command to import the YAML file.
cat <<EOF | apoctl api import -n $APOCTL_NAMESPACE/cluster1/hipster-dev -f -
APIVersion: 0
data:
  externalnetworks:
  - associatedTags:
    - 'ext:network=dns'
    description: all dns
    entries:
    - 0.0.0.0/0
    name: dns
    ports:
    - '53'
    protocols:
    - udp
    - tcp
  - associatedTags:
    - 'ext:network=any'
    description: ' any ip'
    entries:
    - 0.0.0.0/0
    name: internet
    protocols:
    - tcp
    - udp
  - associatedTags:
    - 'ext:network=metadata'
    description: cloud metadata
    entries:
    - 169.254.169.254
    name: metadata
    ports:
    - '80'
    - '443'
  networkaccesspolicies:
  - description: allow outbound cloud metadata
    logsEnabled: true
    name: cloud-metadata
    object:
    - - 'ext:network=metadata'
    subject:
    - - project=companystore
  - description: ring fence policy
    disabled: true
    encryptionEnabled: true
    logsEnabled: true
    name: company-store
    object:
    - - project=companystore
    subject:
    - - project=companystore
  - description: allow dns
    name: dns
    object:
    - - 'ext:network=dns'
    subject:
    - - '\$identity=processingunit'
  - description: hipstershop
    logsEnabled: true
    name: frontend-inbound
    object:
    - - app=frontend
    subject:
    - - 'ext:network=any'
  - description: hipstershop
    logsEnabled: true
    name: outbound-allow
    object:
    - - 'ext:network=any'
    subject:
    - - app=emailservice
  - description: hipstershop
    encryptionEnabled: true
    logsEnabled: true
    name: cartservice
    object:
    - - app=redis-cart
    subject:
    - - app=cartservice
  - description: hipstershop
    encryptionEnabled: true
    logsEnabled: true
    name: checkoutservice
    object:
    - - app=emailservice
    - - app=paymentservice
    - - app=shippingservice
    - - app=currencyservice
    - - app=productcatalogservice
    - - app=cartservice
    subject:
    - - app=checkoutservice
  - description: hipstershop
    logsEnabled: true
    name: frontend
    object:
    - - app=adservice
    - - app=checkoutservice
    - - app=shippingservice
    - - app=currencyservice
    - - app=productcatalogservice
    - - app=recommendationservice
    - - app=cartservice
    subject:
    - - app=frontend
  - description: hipstershop
    logsEnabled: true
    name: load-generator
    object:
    - - app=frontend
    subject:
    - - app=loadgenerator
  - description: hipstershop
    encryptionEnabled: true
    logsEnabled: true
    name: recommendationservice
    object:
    - - app=productcatalogservice
    subject:
    - - app=recommendationservice
  - action: Reject
    description: env separation
    logsEnabled: true
    name: deny-dev-to-prod
    object:
    - - env=prod
    subject:
    - - env=dev
  - action: Reject
    description: env separation
    logsEnabled: true
    name: deny-prod-to-dev
    object:
    - - env=dev
    subject:
    - - env=prod
identities:
- externalnetwork
- networkaccesspolicy
label: Free Trial
EOF
Then skip to Reviewing the results.
Using the Aporeto web interface
Use the following command to download the pod-to-pod.yaml file:
wget https://raw.githubusercontent.com/aporeto-inc/microservices-demo/master/release/pod-to-pod.yaml
From the hipster-dev namespace in the Aporeto web interface, expand Data Management and select Import/Export.
Drag and drop the pod-to-pod.yaml file into the Import window.
Select Import at the bottom to apply the configuration file.
Reviewing the results
From the hipster-dev namespace in the Aporeto web interface, expand Network Authorization and select Policies.
Review the new network policies, observing:
- The ring-fence network policy we enabled in the Encrypting pod-to-pod traffic and restricting external connections section has been disabled.
- Pods in the development environment cannot communicate with pods in the production environment.
Go shopping in the hipster shop and make a fake purchase on your secured application.
Select Platform. You will notice some red lines to Somewhere. These lines represent unauthorized data exfiltration from your application, blocked by the network policy we just applied. Notice that the connections from the fake attacker have turned red, indicating that the connections are blocked.
Click on any green line. Observe the allowed communication flows under Access and associated policy under Policies. Notice the lock icon on the green flows indicating that Aporeto has enabled mutual TLS encryption between the pods in the application.
- You have further secured the Hipster Shop with more granular network policies for a zero trust posture.
- You've blocked the attacking pod.
- No IP addresses were used to secure the application.
- The security applied is based on cryptographic identity.