At the moment I want to introduce some external firewall solution for Kubernetes within AWS. I'm using kops to help build the production environment. It's a pretty good framework. However, I'm new to the AWS network structure and Kubernetes is also a new thing for me. What I want to do is set up a firewall for all requests that come to the services within Kubernetes. And if someone hacked a container within Kubernetes, he or she cannot attack any other containers in the cluster. Any idea or suggestion?
Setup external firewall network security with kops and aws
249 views, asked by Yifan Fan
Answer by Rory McCune:
For general Kubernetes, restricting actions at a network level can be done (assuming you're on 1.7) via Network Policies.
In addition to that, if you're concerned about malicious containers in your cluster, I'd recommend reviewing the CIS Kubernetes standard to make sure you've locked down your cluster, as out of the box there appear to be some concerns with kops.
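The Network Policy approach from the answer above, as an added example (not the answerer's own configuration): a namespace-wide default deny on ingress, then one explicit allow so only pods labelled `app: frontend` may reach `app: backend` on TCP 8080. The namespace `prod`, both labels and the port are assumed values for illustration.

```yaml
# Added example, not from the original answer. Namespace, labels and
# port are assumed; adjust them to the workloads you actually run.
#
# Policy 1: select every pod in the namespace and allow no ingress.
# Once any policy selects a pod, traffic not matched by some allow rule
# is dropped, so this alone blocks pod-to-pod traffic inside "prod".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: prod            # assumed namespace
spec:
  podSelector: {}            # empty selector = all pods in the namespace
  policyTypes:
    - Ingress                # no "ingress:" list given = deny all inbound
---
# Policy 2: punch a single hole. Only pods carrying app=frontend in the
# same namespace may open TCP/8080 to pods carrying app=backend.
# A compromised pod without that label still cannot reach the backend.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: backend           # assumed label on the protected pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend  # assumed label on the permitted caller
      ports:
        - protocol: TCP
          port: 8080         # assumed service port
```

These objects are only enforced when the cluster's network plugin implements NetworkPolicy (for example Calico or Weave on kops); with the default kubenet networking the API accepts them but nothing blocks the traffic, so verify enforcement with a test pod before relying on them.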
OK, I finally figured out a solution. At the beginning, I tried to use Fortinet Gate with kops. But it's not working and causing a lot of issues... it seems that the change of route table will have some conflict with kops. Anyway, it's not a good idea to reconnect subnets and firewall instances regarding kops. Later we switched to Deep Security. All good. The only issue is kops doesn't support custom launch config at the moment. I hope this can help anyone who wants to set up a security env on Kubernetes.