Question 13: Restrict access to Metadata Server

Problem Statement

Solve this question on: ssh cks3477

There is a metadata service available at http://192.168.100.21:32000 from which Nodes fetch sensitive data, such as cloud credentials used during initialisation. By default, all Pods in the cluster can also reach this endpoint. The DevSecOps team has asked you to restrict access to this metadata server.

In Namespace metadata-access:

  1. Create a NetworkPolicy named metadata-deny which prevents egress to 192.168.100.21 for all Pods but still allows access to everything else
  2. Create a NetworkPolicy named metadata-allow which allows Pods having label role: metadata-accessor to access endpoint 192.168.100.21

There are existing Pods in the Namespace with which you can test your policies, but don't alter their labels.

Solution

Step 1: Check Current State

First, let's check the Pods in the Namespace and their labels:

➜ ssh cks3477

➜ candidate@cks3477:~# k -n metadata-access get pods --show-labels
NAME                   ...  LABELS
pod1-56769f56fd-jd6sb  ...  app=pod1,pod-template-hash=56769f56fd
pod2-6f585c6f45-r6qqt  ...  app=pod2,pod-template-hash=6f585c6f45
pod3-67f7488665-7tn8x  ...  app=pod3,pod-template-hash=67f7488665,role=metadata-accessor

Let's verify current access to the metadata server:

➜ candidate@cks3477:~# k exec -it -n metadata-access pod1-56769f56fd-jd6sb -- curl http://192.168.100.21:32000
metadata server

➜ candidate@cks3477:~# k exec -it -n metadata-access pod2-6f585c6f45-r6qqt -- curl http://192.168.100.21:32000
metadata server

➜ candidate@cks3477:~# k exec -it -n metadata-access pod3-67f7488665-7tn8x -- curl http://192.168.100.21:32000
metadata server

Step 2: Create Deny Policy

Create a NetworkPolicy to deny access to the metadata server:

➜ candidate@cks3477:~# vim 13_metadata-deny.yaml
# 13_metadata-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metadata-deny
  namespace: metadata-access
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 192.168.100.21/32

➜ candidate@cks3477:~# k -f 13_metadata-deny.yaml apply

Let's verify the policy works:

➜ candidate@cks3477:~# k exec -it -n metadata-access pod1-56769f56fd-jd6sb -- curl -m 2 http://192.168.100.21:32000
curl: (28) Connection timed out after 2001 milliseconds
command terminated with exit code 28

➜ candidate@cks3477:~# k exec -it -n metadata-access pod2-6f585c6f45-r6qqt -- curl -m 2 http://192.168.100.21:32000
curl: (28) Connection timed out after 2001 milliseconds
command terminated with exit code 28

➜ candidate@cks3477:~# k exec -it -n metadata-access pod3-67f7488665-7tn8x -- curl -m 2 http://192.168.100.21:32000
curl: (28) Connection timed out after 2001 milliseconds
command terminated with exit code 28

Verify other endpoints are still accessible:

➜ candidate@cks3477:~# k exec -it -n metadata-access pod1-56769f56fd-jd6sb -- curl --head -m 2 https://kubernetes.io
HTTP/2 200 
...

Step 3: Create Allow Policy

Create a NetworkPolicy to allow access for specific Pods:

➜ candidate@cks3477:~# vim 13_metadata-allow.yaml
# 13_metadata-allow.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: metadata-allow
  namespace: metadata-access
spec:
  podSelector:
    matchLabels:
      role: metadata-accessor
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.100.21/32

➜ candidate@cks3477:~# k -f 13_metadata-allow.yaml apply

Verify the policy works:

➜ candidate@cks3477:~# k exec -it -n metadata-access pod1-56769f56fd-jd6sb -- curl -m 2 http://192.168.100.21:32000
curl: (28) Connection timed out after 2001 milliseconds
command terminated with exit code 28

➜ candidate@cks3477:~# k exec -it -n metadata-access pod2-6f585c6f45-r6qqt -- curl -m 2 http://192.168.100.21:32000
curl: (28) Connection timed out after 2001 milliseconds
command terminated with exit code 28

➜ candidate@cks3477:~# k exec -it -n metadata-access pod3-67f7488665-7tn8x -- curl -m 2 http://192.168.100.21:32000
metadata server

The NetworkPolicies have been successfully implemented:
  • The metadata-deny policy blocks access to 192.168.100.21 for all Pods
  • The metadata-allow policy allows access to 192.168.100.21 for Pods with label role=metadata-accessor
  • Other network access remains unaffected
Security Note: NetworkPolicy has no deny rules, so metadata-deny is really an allow-everything-except rule, and NetworkPolicies are additive: any further policy that allows egress to 192.168.100.21 for a Pod reopens access, which can leave permissions too open. Consider using CiliumNetworkPolicy, which supports explicit deny rules, for tighter control.
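To make the additive semantics behind Steps 2 and 3 and the note above concrete, here is a small evaluator of the egress decision for a Pod, added here as an example and not part of the original solution. It assumes the Kubernetes rules (union of allows from every policy selecting the Pod, default allow when none does) and models only the ipBlock fields the two manifests use; OPEN_POLICY is a hypothetical third policy that illustrates how one extra allow reopens the metadata endpoint.

```python
import ipaddress

# Constructed from the two manifests on this page: only the fields the evaluator
# needs (matchLabels of podSelector, and the ipBlock entries of each egress rule).
POLICIES = [
    {"name": "metadata-deny", "matchLabels": {},
     "egress": [{"cidr": "0.0.0.0/0", "except": ["192.168.100.21/32"]}]},
    {"name": "metadata-allow", "matchLabels": {"role": "metadata-accessor"},
     "egress": [{"cidr": "192.168.100.21/32", "except": []}]},
]
# Hypothetical third policy: someone later allows all egress for app=pod1.
OPEN_POLICY = {"name": "pod1-allow-all", "matchLabels": {"app": "pod1"},
               "egress": [{"cidr": "0.0.0.0/0", "except": []}]}

def selects(match_labels, pod_labels):
    """matchLabels semantics: an empty selector ({}) matches every Pod."""
    return all(pod_labels.get(k) == v for k, v in match_labels.items())

def ipblock_matches(block, dst_ip):
    """True when dst_ip is inside cidr and not inside any except range."""
    addr = ipaddress.ip_address(dst_ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(x) for x in block["except"])

def egress_allowed(pod_labels, dst_ip, policies=POLICIES):
    """Union-of-allows: returns (allowed, names of policies that allowed it).
    A Pod selected by no egress policy is unrestricted (default allow)."""
    selecting = [p for p in policies if selects(p["matchLabels"], pod_labels)]
    if not selecting:
        return True, []
    allowing = [p["name"] for p in selecting
                if any(ipblock_matches(b, dst_ip) for b in p["egress"])]
    return bool(allowing), allowing

if __name__ == "__main__":
    for name, labels in [("pod1", {"app": "pod1"}),
                         ("pod3", {"app": "pod3", "role": "metadata-accessor"})]:
        print(name, "-> 192.168.100.21:", egress_allowed(labels, "192.168.100.21"))
        print(name, "-> 1.1.1.1:", egress_allowed(labels, "1.1.1.1"))
    # metadata-deny is allow-everything-except; one more allow policy reopens it.
    print("pod1 with extra allow:",
          egress_allowed({"app": "pod1"}, "192.168.100.21", POLICIES + [OPEN_POLICY]))
```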