Kubernetes is a popular container orchestration platform that allows you to manage and scale containerized applications. However, it is essential to secure your Kubernetes cluster against malicious attacks, and one common threat is Denial of Service (DoS) attacks. In this article, we will discuss how to configure deny service external IPs in Kubernetes to prevent such attacks.
Step 1: Create a Namespace
The first step is to create a namespace for the deployment. To create a new namespace, use the following command:
kubectl create namespace <namespace-name>
Replace <namespace-name> with a suitable name for your namespace.
Step 2: Create a Deployment
The next step is to create a deployment in your new namespace. You can use the following YAML configuration to create a deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: <deployment-name>
namespace: <namespace-name>
spec:
replicas: 3
selector:
matchLabels:
app: <deployment-name>
template:
metadata:
labels:
app: <deployment-name>
spec:
containers:
- name: <container-name>
image: <image-name>
ports:
- containerPort: 80
Replace <deployment-name>, <namespace-name>, <container-name>, and <image-name> with suitable values for your deployment.
Step 3: Create a Service
Now that you have created a deployment, you need to expose it using a service. You can create a service using the following YAML configuration:
apiVersion: v1
kind: Service
metadata:
name: <service-name>
namespace: <namespace-name>
spec:
selector:
app: <deployment-name>
ports:
- protocol: TCP
port: 80
targetPort: 80
Replace <service-name> and <namespace-name> with suitable values for your service and namespace, respectively. Replace <deployment-name> with the name of the deployment you created in the previous step.
Step 4: Configure Network Policies
Now that you have created a deployment and a service, you can configure network policies to deny service external IPs. You can create a network policy using the following YAML configuration:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: <policy-name>
namespace: <namespace-name>
spec:
podSelector:
matchLabels:
app: <deployment-name>
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 0.0.0.0/0
Replace <policy-name>, <namespace-name>, and <deployment-name> with suitable values for your network policy, namespace, and deployment, respectively.
Step 5: Verify the Configuration
To verify the configuration, you can test the service by sending a request from a pod in the same namespace. You can use the following command to create a test pod:
kubectl run -it --rm test --image=alpine --restart=Never -- /bin/sh
Once you are inside the test pod, you can use the following command to send a request to the service:
wget -qO- <service-name>.<namespace-name>.svc.cluster.local
Replace <service-name> and <namespace-name> with the name of your service and namespace, respectively.
If the configuration is correct, you should receive a response from the service. However, if you try to access the service from an external IP, the request should be denied.
Related Searches and Questions asked:
That's it for this post. Keep practicing and have fun. Leave your comments if any.