Are Network Policies required if using Istio with the CNI plugin?

I’m wondering if we still need to use Network Policy for services inside an Istio mesh, as with the Istio CNI plugin, in case an application is compromised, it can’t leave the mesh?

Thanks,
Yurii

Hi Yurii,

That’s a complicated question to answer, and the answer is of course, “it depends.”

One thing to note is that Istio only intercepts TCP traffic; UDP and other protocols implemented at that layer are not intercepted. So, regardless of whether you use the Istio CNI plug-in, if you need to police non-TCP traffic, Network Policy is your best bet on Kubernetes.

The Istio CNI plug-in essentially does the exact same thing as the init container, from the standpoint of network configuration. A prime motivation for building it was so that you aren’t required to run a container with privileges to configure networking (CAP_NET_ADMIN). However, using the Istio CNI plug-in doesn’t on its own prevent containers from running with those privileges. Any container with those privileges can still reconfigure the network and bypass Envoy if it wants to. You could use pod security policies to restrict that capability in your cluster.

Also consider that by default Istio honors annotations on the pods to not inject the proxy at all. So, you need to ask yourself whether malicious insiders are or are not inside your threat model.

Spike

Hi @spikecurtis,

Thanks a lot for your detailed answer. So, I assume, in case applications use HTTP, we can deny all UDP traffic with Network Policy and use pod security policy with the CNI plug-in, to achieve the goal of a single place to manage access restrictions.

It’s unlikely you’ll want to totally deny all UDP traffic, since you’ll almost certainly want to allow DNS (port 53). But yeah, you could lock down UDP with a network policy and then manage HTTP using Istio.

I’ll also shamelessly plug Project Calico as a way to manage both network policy and HTTP-layer policy in a single management API. Calico plugs into Istio to handle access control in both Envoy and Kubernetes Network Policy. https://docs.projectcalico.org/v3.7/security/app-layer-policy/
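The two controls the thread settles on (a pod security policy that stops application containers from holding CAP_NET_ADMIN and bypassing Envoy, and a network policy that locks down UDP except for DNS while leaving TCP to Istio) written out as manifests. This is an added example, not code from the thread or from the Istio or Calico projects. It assumes an application namespace called `apps`, that kube-dns pods carry the label `k8s-app=kube-dns` in `kube-system`, and that the `kube-system` namespace carries a `name=kube-system` label (older clusters do not label namespaces automatically, so add it yourself). It does nothing about the `sidecar.istio.io/inject` opt-out annotation Spike mentions; that needs an admission control, which is out of scope here.

```yaml
# Added example, not from the thread.
#
# 1. With the Istio CNI plug-in, application pods no longer need the
#    istio-init container, so nothing in the "apps" namespace should run
#    privileged or hold NET_ADMIN / NET_RAW. Dropping both for every pod
#    stops a compromised container from rewriting iptables to step around
#    Envoy. The istio-proxy sidecar itself runs unprivileged (uid 1337).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mesh-app-restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - NET_ADMIN
    - NET_RAW
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:               # assumption: the volume types your apps actually use
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# A PSP only takes effect for pods whose ServiceAccount may "use" it, so
# grant that to every ServiceAccount in the application namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-mesh-app-restricted
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["mesh-app-restricted"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-mesh-app-restricted
  namespace: apps        # assumed application namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-mesh-app-restricted
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:apps
---
# 2. Kubernetes NetworkPolicy is allow-list only, so "deny all UDP except
#    DNS" has to be written as: allow any TCP (Istio/Envoy enforces the
#    HTTP-layer policy on that traffic) and allow UDP only to kube-dns on
#    port 53. Once this policy selects a pod, every other UDP packet, in or
#    out, is dropped by the CNI that enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tcp-only-plus-dns
  namespace: apps
spec:
  podSelector: {}        # every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - ports:
        - protocol: TCP  # no "port" means all TCP ports, from any peer
  egress:
    - ports:
        - protocol: TCP  # all TCP egress; DNS over TCP is covered here too
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system   # assumption: namespace is labelled this way
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

Apply the three PSP objects before the NetworkPolicy, and confirm the PSP is actually selected (`kubectl get pod <name> -o jsonpath='{.metadata.annotations.kubernetes\.io/psp}'`) rather than assuming the RoleBinding took; a PSP that no ServiceAccount can use silently admits nothing, or a more permissive PSP wins. Note that the `to` entry combines a namespaceSelector and a podSelector in one element, which is the AND form; listing them as two separate entries would allow UDP 53 to anything in kube-system plus anything labelled kube-dns anywhere. PodSecurityPolicy was removed in Kubernetes 1.25; on current clusters the same capability restriction comes from Pod Security Admission's `restricted` level (which drops all capabilities) or from an admission controller of your choice.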