Network

:toc:-title: In this section:

Network isolation

Every SD Elements component can be configured to filter out unauthorized network communications. This is accomplished by utilizing NetworkPolicy resources that Helm automatically generates when the global.networkIsolation option is set to a value other than its default (none).

Requirements

This feature requires Container Network Interface (CNI) providers such as Cilium for Kubernetes, and OVN-Kubernetes for OpenShift. OpenShift SDN is also supported for namespace and ingress network isolation levels.

Acceptable values for global.networkIsolation

  • none: disables this feature, allowing each pod to freely communicate with all other pods and resources located within or outside the cluster.

  • namespace: permits pod-to-pod communication within the current Kubernetes namespace while blocking most communications initiated by pods and resources in other namespaces. All outbound traffic is permitted.

  • ingress: each component can only receive network connections from pods and resources that have been expressly authorized. All outbound traffic is permitted. We feel that this option provides the ideal balance between security and usability, as customers may utilize the default ruleset without performing extensive tuning, and the likelihood of lateral movement in the event of a compromise is significantly reduced.

  • full: SDE components can only establish network connections with pods and resources that have been expressly authorized. By default, all outbound traffic is prohibited. Substantial tuning is required for this choice, which may necessitate the assistance of the SDE Support group.

Configuration examples

Add one of the following configurations to an overlay (e.g. values.custom.yaml) file according to the desired security level.

Disable network isolation

global:
  networkIsolation: "none"

Enable ingress-level network isolation

global:
  networkIsolation: "ingress"

Additional rules

When global.networkIsolation is set to either ingress or full, extra rules may be required to facilitate connections between pods that are not ordinarily supposed to exchange data.

In this example, we will add a rule to allow NGINX ingress pods with label app.kubernetes.io/name: ingress-nginx from the Kubernetes namespace ingress-nginx to access the MinIO console UI on port 9001. To accomplish this, we will copy the networkPolicy section that refers to MinIO and all its rules from values.yaml to values.custom.yaml. After that, we will simply append a new selectors block like the following one:

networkPolicies:
  minio:
    podSelector:
      matchLabels:
        app: minio
    ingress:
      - selectors:
        ...omitted for brevity...
      - selectors:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: "ingress-nginx"
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
        ports:
          - port: '9001'

Once applied this configuration, we can run kubectl get netpol -o custom-columns=:metadata.name | grep np-minio | xargs kubectl get netpol -o yaml, to see the changes reflected into MinIO’s NetworkPolicy. Specifically, the following block should appear:

  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
    ports:
    - port: 9001
      protocol: TCP

IPv6 support

IPv6 is the most recent version of the Internet Protocol. It offers several improvements over IPv4, including a larger address space, and greater scalability and network efficiency in Kubernetes.

SD Elements can be configured to work with standard IPv4 addressing (default), or IPv6-only fashion by tuning the value for global.ipFamilies. Although it is possible to use SD Elements in a dual-stack (IPv4 + IPv6) configuration, this mode is unsupported and its adoption is discouraged due to the increased infrastructure network complexity.

Requirements

This feature requires an IPv6-enabled Kubernetes version greater than or equal to 1.24.

If the Kubernetes cluster is not configured to use NAT64 and DNS64, external addresses that don’t expose IPv6 endpoints will be unreachable.

Configuration examples

By default, SD Elements runs in IPv4-only mode. To configure it to run in IPv6-only mode, add the following configuration to an overlay (e.g. values.custom.yaml).

General IPv6-only configuration

global:
  ipFamilies:
    - IPv6

In addition, it may be necessary to adjust the configurations of other components, as discussed in the following sections.

Nginx Ingress controller configuration

When using a dedicated Nginx ingress controller, it is also needed to report the IPv6 value in ingress-nginx.controller.service.ipFamilies.

ingress-nginx:
  enabled: true
  controller:
    service:
      ipFamilies:
        - IPv6

Example with all the IPv6 configurations above

global:
  ipFamilies:
    - IPv6
  sharedStorage:
    s3Url: https://s3.dualstack.us-east-1.amazonaws.com
    ...

sc-mail:
  config:
    relayNetworks: "fd00:c00b:1::/112"

ingress-nginx:
  controller:
    service:
      ipFamilies:
      - IPv6
  ...

Mailer service configuration

When using an external service to complete the message delivery, it is necessary to verify that its endpoint is also reachable via IPv6.

The configuration for the SD Elements mailer needs to be also adjusted to enable it to relay messages for the cluster’s CIDR thus ensuring that notifications are correctly relayed. In the following snippet of code, we assume that fd00:c00b:1::/112 is the cluster’s IPv6 CIDR for our Kubernetes installation:

sc-mail:
  config:
    relayNetworks: "fd00:c00b:1::/112"

results matching ""

    No results matching ""