Documentation

Securing host communications

Enabling host protection prevents unauthorized incoming connections to the host and allows you to minimize the lateral movements of any attackers that may gain access.

By default, Aporeto recognizes only containers on the host as processing units. After enabling host protection, Aporeto recognizes the host itself as a processing unit. This allows you to control and monitor all communications to and from the host, not just its containers.

In Kubernetes and OpenShift environments, the kubelet is installed as a system service: kubelet.service or atomic-openshift-node.service. Unless you enable host protection, Aporeto won’t recognize the kubelet as a processing unit, preventing you from controlling its communications with network policies. In addition, Aporeto will show the kubelet as Somewhere in the Platform pane of the Aporeto web interface. Note that the kubelet executes readinessProbe and livenessProbe checks, which are very common.

We recommend enabling host protection on your Kubernetes and OpenShift hosts to achieve:

  • Better visibility into the actual origin and destination of kubelet communications
  • Ability to allow readinessProbe and livenessProbe checks

IMPORTANT

Aporeto denies all traffic by default. You must allow the necessary traffic before enabling host protection. Otherwise, you will lose access to your host.

To enable host protection, refer to the procedure that corresponds to your target host.