Container Firewall Overview
What Is a Container Firewall?
Containers are more lightweight, efficient, and portable than traditional VMs, and dozens or even hundreds of them can run on a single node. As a result, the security boundaries between containers are blurred, and traditional security measures cannot identify or control the traffic entering or leaving individual containers. This leaves room for lateral movement, permission abuse, and data leakage.
To address these challenges, HSS provides the container firewall. The container firewall isolates pods, workloads, and nodes at the network level to prevent lateral movement and minimize permissions, enhancing security and stability.
Container Firewall Principles and Restrictions
The container firewall is provided by the HSS container edition. For details about how to purchase HSS, see Purchasing an HSS Quota.
For details about the container firewall principles and restrictions, see Table 1.
Table 1 Container firewall principles and restrictions

| Cluster Type | CCE Standard Cluster | CCE Standard Cluster | CCE Turbo Cluster | Third-party Kubernetes Cluster |
|---|---|---|---|---|
| Container Network | Container Tunnel Network | VPC Network | Cloud Native Network 2.0 | Kubernetes Native Network |
| Container firewall protection principles | Kubernetes network policies restrict the communication between pods and the access from pods to the external network. | Security groups control the traffic to and from nodes, thereby indirectly protecting pods. | You can bind a security group to a workload and configure security group rules to control the traffic to and from the workload, implementing network isolation for the workload. | Kubernetes network policies can be used to restrict the communication between pods and the access from pods to the external network. |
| Cluster versions supporting inbound rules | All | All | v1.19 and later | All |
| Cluster versions supporting outbound rules | v1.23 and later | All | v1.19 and later | v1.23 and later |
| Selectors for inbound rules | | N/A | N/A | |
| Selectors for outbound rules | | N/A | N/A | |
| Supported OSs | | None | None | None |
| Support for IPv6 network policies | No | N/A | N/A | No |
| Support for limiting ClusterIP access through workload labels | No | N/A | N/A | No |
| Dependencies | To operate resource objects in a cluster, you need to obtain either of the following operation permissions: | To operate resource objects in a cluster, you need to obtain either of the following operation permissions: | To operate resource objects in a cluster, you need to obtain either of the following operation permissions: | None |
Concepts
- Network policy
A network policy is a Kubernetes resource object that defines network access control rules for pods in a cluster. It uses label selectors (such as podSelector) to specify target pods and defines ingress and egress rules to allow or deny inbound or outbound traffic.
- Security group
A security group is a collection of access control rules for instances, such as cloud servers, containers, and databases, that have the same security requirements and that are mutually trusted within a VPC. A security group can have inbound and outbound rules. You need to specify the source, port, and protocol for each inbound rule and specify the destination, port, and protocol for each outbound rule to control the inbound and outbound traffic to and from the instances in the security group.
- namespaceSelector
namespaceSelector is a label selector used to select specific namespaces. A network policy can use namespaceSelector to allow or deny traffic to or from all pods in these namespaces.
- podSelector
podSelector is a label selector. It is used to select pods. A network policy uses podSelector to specify target pods and define rules for allowing or denying traffic.
- ipBlock
ipBlock is used to specify an IP address range (in CIDR format). Traffic from or to the IP address range will be allowed or denied.
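The following script is an added example, not code from HSS, CCE or Kubernetes. It models how a single Kubernetes network policy combines the three selectors defined above (podSelector, namespaceSelector and ipBlock) to decide whether a flow is allowed, including two points the definitions alone do not show: a pod that no policy selects keeps the Kubernetes default of allow-all, and selectors written in the same `from` entry are ANDed while separate entries are ORed. The pods, namespaces, IP addresses and the policy are constructed sample data; the policy dict has the shape of a NetworkPolicy `.spec`, and only `matchLabels` selectors and a single policy are modelled.

```python
"""Model of how one Kubernetes NetworkPolicy combines podSelector, namespaceSelector
and ipBlock to allow or drop a flow. Added example with constructed sample data;
not HSS, CCE or Kubernetes code. Only matchLabels selectors are modelled."""
import copy
import ipaddress

# Constructed cluster state: pod name -> (namespace, labels, pod IP)
PODS = {
    "web-1":   ("shop",    {"app": "web"},   "10.0.1.10"),
    "db-1":    ("shop",    {"app": "db"},    "10.0.1.20"),
    "cache-1": ("shop",    {"app": "cache"}, "10.0.1.30"),
    "tool-1":  ("ops",     {"app": "debug"}, "10.0.2.5"),
    "api-1":   ("partner", {"app": "api"},   "10.0.3.7"),
    "api-2":   ("partner", {"app": "api"},   "10.0.3.8"),
}
NAMESPACE_LABELS = {"shop": {"team": "shop"}, "ops": {"team": "ops"},
                    "partner": {"team": "partner"}}

# Constructed policy in the shape of a NetworkPolicy .spec, living in namespace "shop".
POLICY = {
    "podSelector": {"matchLabels": {"app": "db"}},   # pods this policy isolates
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{
        "from": [
            # Both selectors in ONE entry: app=web pods AND namespace team=shop.
            {"podSelector": {"matchLabels": {"app": "web"}},
             "namespaceSelector": {"matchLabels": {"team": "shop"}}},
            # A second entry is ORed with the first: any address in the CIDR except 10.0.3.7.
            {"ipBlock": {"cidr": "10.0.3.0/24", "except": ["10.0.3.7/32"]}},
        ],
        "ports": [{"protocol": "TCP", "port": 5432}],
    }],
    "egress": [],   # Egress is isolated but no rule allows anything: all outbound dropped
}

def matches(selector, labels):
    """matchLabels semantics; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, ns, labels, ip, policy_ns):
    """One `from`/`to` entry. Selectors inside an entry are ANDed; a podSelector
    without a namespaceSelector only covers the policy's own namespace."""
    if "ipBlock" in peer:
        addr, block = ipaddress.ip_address(ip), peer["ipBlock"]
        return (addr in ipaddress.ip_network(block["cidr"]) and
                not any(addr in ipaddress.ip_network(e) for e in block.get("except", [])))
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(ns, {})):
            return False
    elif ns != policy_ns:
        return False
    return matches(peer.get("podSelector", {}), labels)

def rules_allow(rules, ns, labels, ip, port, protocol, policy_ns):
    """Rules are ORed: any rule whose ports and peers both match allows the flow."""
    for rule in rules:
        ports = rule.get("ports")
        if ports and not any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                             for p in ports):
            continue
        peers = rule.get("from", rule.get("to"))
        if not peers or any(peer_matches(p, ns, labels, ip, policy_ns) for p in peers):
            return True
    return False   # isolated pod, no matching rule: the network plugin drops the packet

def ingress_allowed(policy, policy_ns, src_pod, dst_pod, port, protocol="TCP"):
    """Does this policy let src_pod reach dst_pod:port?"""
    dst_ns, dst_labels, _ = PODS[dst_pod]
    src_ns, src_labels, src_ip = PODS[src_pod]
    if (dst_ns != policy_ns or not matches(policy["podSelector"], dst_labels)
            or "Ingress" not in policy.get("policyTypes", [])):
        return True   # dst_pod is not isolated by this policy: Kubernetes default is allow-all
    return rules_allow(policy.get("ingress", []), src_ns, src_labels, src_ip,
                       port, protocol, policy_ns)

def egress_allowed(policy, policy_ns, src_pod, dst_pod, port, protocol="TCP"):
    """Does this policy let src_pod open a connection to dst_pod:port?"""
    src_ns, src_labels, _ = PODS[src_pod]
    dst_ns, dst_labels, dst_ip = PODS[dst_pod]
    if (src_ns != policy_ns or not matches(policy["podSelector"], src_labels)
            or "Egress" not in policy.get("policyTypes", [])):
        return True
    return rules_allow(policy.get("egress", []), dst_ns, dst_labels, dst_ip,
                       port, protocol, policy_ns)

def split_selectors(policy):
    """Common mistake: the same two selectors written as two separate `from` entries.
    Kubernetes ORs entries, so every pod in a team=shop namespace gets in."""
    p = copy.deepcopy(policy)
    first = p["ingress"][0]["from"][0]
    p["ingress"][0]["from"][0:1] = [{"podSelector": first["podSelector"]},
                                    {"namespaceSelector": first["namespaceSelector"]}]
    return p

if __name__ == "__main__":
    for src in ("web-1", "cache-1", "tool-1", "api-1", "api-2"):
        print(f"{src:>8} -> db-1:5432  strict={ingress_allowed(POLICY, 'shop', src, 'db-1', 5432)}"
              f"  split={ingress_allowed(split_selectors(POLICY), 'shop', src, 'db-1', 5432)}")
    print("db-1 -> web-1:80 egress:", egress_allowed(POLICY, "shop", "db-1", "web-1", 80))
```

Running it shows that `cache-1` is dropped under the strict policy but admitted once the selectors are split into two entries, and that the empty `egress` list with `Egress` in `policyTypes` blocks every outbound connection from the database pods. Two caveats when carrying this over to a real cluster: a network policy is an allow-list, so "deny" only ever means "no rule matched an isolated pod", and whether `ipBlock` matches pod-to-pod traffic depends on the network plugin, since pod source addresses may be translated on the way.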