Prerequisites
To set up the network policies correctly, you must know the operator Pod selector and the Kubernetes API server IP address. Both can vary with your environment and with how the operator was installed.
Operator Pod selector
The operator Pod label depends on how the operator was installed. Use the following table to find the label that the network policies must select.

Installation method | Pod selector |
---|---|
YAML manifests | control-plane: elastic-operator |
Helm Charts | app.kubernetes.io/name: elastic-operator |
The examples in this section assume that the ECK operator has been installed using the Helm chart.
Kubernetes API server IP
Run kubectl get endpoints kubernetes -n default to obtain the API server IP address for your cluster.

The following examples assume that the Kubernetes API server IP address is 10.0.0.1.
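The Endpoints object behind the kubernetes Service can list more than one address on clusters with several control-plane nodes, and the port is not always 443 (6443 is also common). The following script is an added example, not ECK project code: it takes the JSON form of that Endpoints object, emits the matching egress rule with one /32 ipBlock per address, and audits an existing rule for control-plane addresses it does not cover. The sample JSON is constructed to look like the output of kubectl get endpoints kubernetes -n default -o json on a three-node control plane; the addresses and port are assumptions.

```python
# Added example (not ECK project code): turn the Endpoints object behind the
# `kubernetes` Service into the ipBlock/port entries an egress rule needs.
# The sample below is constructed; real clusters differ in addresses and port.
import ipaddress
import json

SAMPLE_ENDPOINTS_JSON = """{
  "apiVersion": "v1", "kind": "Endpoints",
  "metadata": {"name": "kubernetes", "namespace": "default"},
  "subsets": [{
    "addresses": [{"ip": "10.0.0.1"}, {"ip": "10.0.0.2"}, {"ip": "10.0.0.3"}],
    "ports": [{"name": "https", "port": 6443, "protocol": "TCP"}]
  }]
}"""


def api_server_endpoints(endpoints_json):
    """Return (IPs sorted as addresses, {(port, protocol)}) from an Endpoints object."""
    obj = json.loads(endpoints_json)
    ips, ports = set(), set()
    for subset in obj.get("subsets") or []:
        ips.update(a["ip"] for a in subset.get("addresses", []))
        ports.update((p["port"], p.get("protocol", "TCP")) for p in subset.get("ports", []))
    return sorted(ips, key=ipaddress.ip_address), ports


def api_server_egress_rule(endpoints_json):
    """One NetworkPolicy egress rule covering every control-plane address as a /32.
    The kubernetes Service balances connections across all of its endpoints, so
    allowing only one of several addresses makes the operator fail intermittently."""
    ips, ports = api_server_endpoints(endpoints_json)
    return {
        "ports": [{"port": port, "protocol": proto} for port, proto in sorted(ports)],
        "to": [{"ipBlock": {"cidr": f"{ip}/32"}} for ip in ips],
    }


def missing_endpoints(rule, endpoints_json):
    """Audit helper: control-plane IPs that an existing rule's ipBlocks do not cover."""
    nets = [ipaddress.ip_network(p["ipBlock"]["cidr"]) for p in rule.get("to", []) if "ipBlock" in p]
    ips, _ = api_server_endpoints(endpoints_json)
    return [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    print(json.dumps(api_server_egress_rule(SAMPLE_ENDPOINTS_JSON), indent=2))
    # The single /32 used in the examples on this page, checked against the sample cluster.
    page_rule = {"ports": [{"port": 443, "protocol": "TCP"}], "to": [{"ipBlock": {"cidr": "10.0.0.1/32"}}]}
    print("not covered by the single /32:", missing_endpoints(page_rule, SAMPLE_ENDPOINTS_JSON))
```

Feed it the real output of kubectl get endpoints kubernetes -n default -o json and use the generated rule in place of the single ipBlock shown in the policies below; if the reported port is not 443, adjust the egress port to match.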
Isolating the operator
The minimal set of permissions required is as follows:

Egress (outgoing) | UDP 53 (DNS); TCP 443 to the Kubernetes API server; TCP 9200 to Elasticsearch Pods in the tenant namespaces (team-a and team-b in the example) |
Ingress (incoming) | TCP 9443 from the Kubernetes API server |
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: elastic-operator
  namespace: elastic-system
spec:
  egress:
    - ports:
        - port: 53
          protocol: UDP
    - ports:
        - port: 443
          protocol: TCP
      to:
        - ipBlock:
            cidr: 10.0.0.1/32
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchExpressions:
              - key: eck.k8s.elastic.co/tenant
                operator: In
                values:
                  - team-a
                  - team-b
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.0.1/32
      ports:
        - port: 9443
          protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: elastic-operator
```
Isolating Elasticsearch
Egress (outgoing) | TCP 9300 to Elasticsearch Pods in the same tenant namespace; UDP 53 (DNS) |
Ingress (incoming) | TCP 9200 from the operator and from any Pod in the same tenant namespace (optionally from the ingress controller); TCP 9300 from Elasticsearch Pods in the same tenant namespace |
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-elasticsearch
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9300
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 53
          protocol: UDP
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/operator-name: elastic-operator
          podSelector:
            matchLabels:
              app.kubernetes.io/name: elastic-operator
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
        # [Optional] Allow ingress controller pods from the ingress-nginx namespace.
        #- namespaceSelector:
        #    matchLabels:
        #      name: ingress-nginx
      ports:
        - port: 9200
          protocol: TCP
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
      ports:
        - port: 9300
          protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: elasticsearch
```
Isolating Kibana
Egress (outgoing) | TCP 9200 to Elasticsearch Pods in the same tenant namespace; UDP 53 (DNS); optionally TCP 443 to the Elastic Package Registry |
Ingress (incoming) | TCP 5601 from any Pod in the same tenant namespace (optionally from the ingress controller) |
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-kibana
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
              # [Optional] Restrict to a single Elasticsearch cluster named hulk.
              # elasticsearch.k8s.elastic.co/cluster-name: hulk
    - ports:
        - port: 53
          protocol: UDP
        # [Optional] If Agent is deployed, this is to allow Kibana to access the Elastic Package Registry (https://epr.elastic.co).
        # - port: 443
        #   protocol: TCP
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
        # [Optional] Allow ingress controller pods from the ingress-nginx namespace.
        #- namespaceSelector:
        #    matchLabels:
        #      name: ingress-nginx
      ports:
        - port: 5601
          protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: kibana
```
Isolating APM Server
Egress (outgoing) | TCP 9200 to Elasticsearch Pods in the same tenant namespace; TCP 5601 to Kibana Pods in the same tenant namespace; UDP 53 (DNS) |
Ingress (incoming) | TCP 8200 from any Pod in the same tenant namespace (optionally from the ingress controller) |
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-apm-server
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 5601
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: kibana
    - ports:
        - port: 53
          protocol: UDP
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
        # [Optional] Allow ingress controller pods from the ingress-nginx namespace.
        #- namespaceSelector:
        #    matchLabels:
        #      name: ingress-nginx
      ports:
        - port: 8200
          protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: apm-server
```
Isolating Enterprise Search
Egress (outgoing) | TCP 9200 to Elasticsearch Pods in the same tenant namespace; UDP 53 (DNS) |
Ingress (incoming) | TCP 3002 from any Pod in the same tenant namespace (optionally from the ingress controller) |
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-enterprise-search
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 53
          protocol: UDP
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
        # [Optional] Allow ingress controller pods from the ingress-nginx namespace.
        #- namespaceSelector:
        #    matchLabels:
        #      name: ingress-nginx
      ports:
        - port: 3002
          protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: enterprise-search
```
Isolating Beats
Some Beats may require access rules beyond those listed here. For example, Heartbeat requires a rule allowing access to the endpoint it monitors.

Egress (outgoing) | TCP 9200 to Elasticsearch Pods in the same tenant namespace; TCP 5601 to Kibana Pods in the same tenant namespace; UDP 53 (DNS) |
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-beats
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 5601
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: kibana
    - ports:
        - port: 53
          protocol: UDP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: beat
```
Isolating Elastic Agent and Fleet
Some Elastic Agent policies may require access rules beyond those listed here.

Egress (outgoing) | TCP 8220 to Fleet Server (Agent) Pods in the same tenant namespace; TCP 5601 to Kibana Pods in the same tenant namespace; TCP 9200 to Elasticsearch Pods in the same tenant namespace; UDP 53 (DNS); TCP 443 to the Kubernetes API server |
Ingress (incoming) | TCP 8220 from any Pod in the same tenant namespace |
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-agent
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 8220
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: agent
    - ports:
        - port: 5601
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: kibana
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 53
          protocol: UDP
    - ports:
        - port: 443
          protocol: TCP
      to:
        - ipBlock:
            cidr: 10.0.0.1/32
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
      ports:
        - port: 8220
          protocol: TCP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: agent
```
Isolating Logstash
Depending on the plugins in use, Logstash may require access rules beyond those listed here.

Egress (outgoing) | TCP 9200 to Elasticsearch Pods in the same tenant namespace; UDP 53 (DNS) |
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: eck-logstash
  namespace: team-a
spec:
  egress:
    - ports:
        - port: 9200
          protocol: TCP
      to:
        - namespaceSelector:
            matchLabels:
              eck.k8s.elastic.co/tenant: team-a
          podSelector:
            matchLabels:
              common.k8s.elastic.co/type: elasticsearch
    - ports:
        - port: 53
          protocol: UDP
  podSelector:
    matchLabels:
      common.k8s.elastic.co/type: logstash
```
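A connection is only permitted when the source Pod's egress policies and the destination Pod's ingress policies both allow it, and a Pod that no policy selects for a direction is unrestricted in that direction. The evaluator below is an added example, not ECK project code: it applies those Kubernetes NetworkPolicy semantics (label and ipBlock peers, matchExpressions, the policyTypes default) to the operator, Elasticsearch, Kibana, Beats and Logstash policies from this page, transcribed inline as Python dicts so the check runs offline; the APM Server, Enterprise Search and Agent policies follow the same pattern. The Pod IPs are constructed, and the evaluator assumes the operator namespace carries the eck.k8s.elastic.co/operator-name: elastic-operator label that the Elasticsearch ingress rule above already selects on. One consequence worth seeing: a policy that lists only egress rules still gets Ingress in its default policyTypes, so the Beats and Logstash policies as written deny all inbound traffic to the Pods they select; a Beat shipping to Logstash on port 5044, for instance, needs a rule added on both sides.

```python
# Added example (not ECK project code): an offline NetworkPolicy evaluator that applies the
# Kubernetes selection, policyTypes-default and peer-matching rules to the policies on this page.
import ipaddress

def selector_matches(selector, labels):
    """matchLabels plus the In form of matchExpressions (all this page uses); {} matches all."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    for e in selector.get("matchExpressions", []):
        if e["operator"] == "In" and labels.get(e["key"]) not in e["values"]:
            return False
    return True

def peer_matches(peer, other, other_ip):
    """ipBlock peers match on IP; a label peer must satisfy every selector it carries."""
    if "ipBlock" in peer:
        return ipaddress.ip_address(other_ip) in ipaddress.ip_network(peer["ipBlock"]["cidr"])
    if other is None:  # an address outside the cluster has no labels to match
        return False
    return (("namespaceSelector" not in peer or selector_matches(peer["namespaceSelector"], other["ns_labels"]))
            and ("podSelector" not in peer or selector_matches(peer["podSelector"], other["labels"])))

def port_matches(ports, port, proto):
    if not ports:  # no ports list means every port and protocol
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port", port) == port for p in ports)

def policy_types(policy):
    """API default: Ingress is always set, Egress only when egress rules are listed."""
    spec = policy["spec"]
    return set(spec.get("policyTypes") or {"Ingress"} | ({"Egress"} if "egress" in spec else set()))

def direction_allowed(policies, subject, direction, other, other_ip, port, proto="TCP"):
    """Unselected pods are unrestricted; otherwise some rule must match both peer and port."""
    kind, peers_key = ("Egress", "to") if direction == "egress" else ("Ingress", "from")
    selecting = [p for p in policies if p["metadata"]["namespace"] == subject["ns"]
                 and kind in policy_types(p) and selector_matches(p["spec"]["podSelector"], subject["labels"])]
    if not selecting:
        return True
    return any((not r.get(peers_key) or any(peer_matches(x, other, other_ip) for x in r[peers_key]))
               and port_matches(r.get("ports"), port, proto)
               for p in selecting for r in p["spec"].get(direction, []))

def connection_allowed(policies, src, dst, port, proto="TCP", dst_ip=None):
    """Both ends must agree: source egress AND destination ingress. dst=None is an off-cluster address."""
    dst_ip = dst_ip or dst["ip"]
    return (direction_allowed(policies, src, "egress", dst, dst_ip, port, proto)
            and (dst is None or direction_allowed(policies, dst, "ingress", src, src["ip"], port, proto)))

# The page's policies transcribed as dicts (constructed inline; no cluster or pyyaml needed).
def tenant(ns="team-a"):
    return {"namespaceSelector": {"matchLabels": {"eck.k8s.elastic.co/tenant": ns}}}
def tenant_type(kind, ns="team-a"):
    return {**tenant(ns), "podSelector": {"matchLabels": {"common.k8s.elastic.co/type": kind}}}
def tcp(n):
    return [{"port": n, "protocol": "TCP"}]
def policy(name, ns, selector, **rules):  # rules: egress=[...] and/or ingress=[...]
    return {"metadata": {"name": name, "namespace": ns}, "spec": {"podSelector": {"matchLabels": selector}, **rules}}
DNS = {"ports": [{"port": 53, "protocol": "UDP"}]}
API_SERVER = {"ipBlock": {"cidr": "10.0.0.1/32"}}
OPERATOR_PEER = {"namespaceSelector": {"matchLabels": {"eck.k8s.elastic.co/operator-name": "elastic-operator"}},
                 "podSelector": {"matchLabels": {"app.kubernetes.io/name": "elastic-operator"}}}
TENANTS_A_B = {"namespaceSelector": {"matchExpressions": [
    {"key": "eck.k8s.elastic.co/tenant", "operator": "In", "values": ["team-a", "team-b"]}]},
    "podSelector": {"matchLabels": {"common.k8s.elastic.co/type": "elasticsearch"}}}
POLICIES = [
    policy("elastic-operator", "elastic-system", {"app.kubernetes.io/name": "elastic-operator"},
           egress=[DNS, {"ports": tcp(443), "to": [API_SERVER]}, {"ports": tcp(9200), "to": [TENANTS_A_B]}],
           ingress=[{"from": [API_SERVER], "ports": tcp(9443)}]),
    policy("eck-elasticsearch", "team-a", {"common.k8s.elastic.co/type": "elasticsearch"},
           egress=[{"ports": tcp(9300), "to": [tenant_type("elasticsearch")]}, DNS],
           ingress=[{"from": [OPERATOR_PEER, tenant()], "ports": tcp(9200)},
                    {"from": [tenant_type("elasticsearch")], "ports": tcp(9300)}]),
    policy("eck-kibana", "team-a", {"common.k8s.elastic.co/type": "kibana"},
           egress=[{"ports": tcp(9200), "to": [tenant_type("elasticsearch")]}, DNS],
           ingress=[{"from": [tenant()], "ports": tcp(5601)}]),
    policy("eck-beats", "team-a", {"common.k8s.elastic.co/type": "beat"},
           egress=[{"ports": tcp(9200), "to": [tenant_type("elasticsearch")]},
                   {"ports": tcp(5601), "to": [tenant_type("kibana")]}, DNS]),
    policy("eck-logstash", "team-a", {"common.k8s.elastic.co/type": "logstash"},
           egress=[{"ports": tcp(9200), "to": [tenant_type("elasticsearch")]}, DNS]),
]

# Workloads (constructed; pod IPs and the operator namespace label are assumptions).
def workload(ns, ns_labels, labels, ip):
    return {"ns": ns, "ns_labels": ns_labels, "labels": labels, "ip": ip}
def eck(ns, kind, ip):  # an ECK-managed pod in a tenant namespace
    return workload(ns, {"eck.k8s.elastic.co/tenant": ns}, {"common.k8s.elastic.co/type": kind}, ip)
OPERATOR = workload("elastic-system", {"eck.k8s.elastic.co/operator-name": "elastic-operator"},
                    {"app.kubernetes.io/name": "elastic-operator"}, "10.244.0.5")
ES_A, KIBANA_A = eck("team-a", "elasticsearch", "10.244.1.10"), eck("team-a", "kibana", "10.244.1.11")
BEAT_A, LOGSTASH_A = eck("team-a", "beat", "10.244.1.12"), eck("team-a", "logstash", "10.244.1.13")
ES_B = eck("team-b", "elasticsearch", "10.244.2.10")

if __name__ == "__main__":
    for label, src, dst, port in [("kibana -> es:9200", KIBANA_A, ES_A, 9200), ("beat -> logstash:5044", BEAT_A, LOGSTASH_A, 5044)]:
        print(label, "allowed" if connection_allowed(POLICIES, src, dst, port) else "denied")
```

To check a different topology, add the namespace labels and Pod labels of the workloads you run and call connection_allowed for each flow you expect; a denied result from direction_allowed on the ingress side while the egress side allows it points at the policy that needs the extra rule.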