Network Policy Recommendations
Network Policy Within a Mesh
In the context of a service mesh, Network Policies are set of rules and configurations that defines how various microservices can communicate with one another over the network. These policies play a pivotal role in controlling traffic flows, enforcing security measures and maintaining compliance within the service mesh architecture. Network Policies enable organizations to control communication between services by specifying permitted services, protocols, ports, and the allowable data types for exchange at the L3/L4 layer. This precise control stops unauthorized access, reduces areas vulnerable to attacks, and guarantees communication solely among trusted sources.
Network Policy & Zero Trust Architecture
Adding to the ideas of a service mesh, the Zero Trust Architecture (ZTA) approach to security considers that no user or device, whether from inside or outside the organization's network, should be automatically trusted. Instead of relying on old-fashioned perimeter defenses, ZTA emphasizes confirming identity and allowing access through rigorous authentication and authorization steps. You can learn more about it here.
What are the Challenges?
While TSB currently offers many security advantages via intelligent user controls and customized hierarchical access policies, the challenge arises when organizations aim to integrate Cilium or Calico network policies alongside existing identity-based access policies within a service mesh infrastructure. This situation necessitates the management of two distinct sets of policies, overseen by separate roles – Security Admins and Platform Owners, contributing to the complexities encountered by many organizations today.
How organizations can keep both identity based mesh access control policies and L3/L4 based network policies in sync. This is what TSB addresses by introducing Network Policy Recommendations
.
What is Network Policy Recommendation?
Starting from TSB 1.7.0 version, TSB has the ability to suggest Kubernetes Network Policies. These recommendations are derived from the Hierarchical Access Control Policies set up by the Platform Owner or Application Owner, who handles these policies within TSB.
Any flows that would be allowed/denied by the recommended network policies are already allowed/denied by the TSB configuration. The policies are provided as a convenience, and are provided in a form that can be easily managed and understood by security teams and Kubernetes administrators. You can inspect the network policies to verify that TSB is applying appropriate access control policies to your mesh.
This feature can be enabled on each control plane cluster by setting ENABLE_NETWORK_POLICY_TRANSLATION
to true
in XCP component in ControlPlane
CR. Once enabled, the recommended network policies are stored as namespace scoped configmap in the dedicated control plane clusters. Platform owner/Security owner who manages network specific access controls,
can retrieve these policies from the configmap and verify & apply the policies in their desired namespaces.
apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
name: controlplane
namespace: istio-system
spec:
components:
xcp:
...
kubeSpec:
overlays:
- apiVersion: install.xcp.tetrate.io/v1alpha1
kind: EdgeXcp
name: edge-xcp
patches:
- path: spec.components.edgeServer.kubeSpec.deployment.env
value:
- name: ENABLE_NETWORK_POLICY_TRANSLATION
value: "true"
...
...
What are the Use-cases?
TSB mostly focuses on the following use-cases -
- Recommendations to Secure North-South Traffic - external traffic ingressing via Edge Gateway or Ingress Gateway into applications
- Recommendations to Secure East-West Traffic - service to service access restrictions within mesh based on the identity of the service, who owns it and who all can access it