Recommended NetworkPolicy for Istiod in EKS

alphonseha · June 15, 2021, 7:38pm

Hi Folks,

 What is the recommended NetworkPolicy for Istiod in EKS?
 Istiod runs as a POD within the K8s cluster and I want to ensure that traffic only from kube-api server is allowed to this POD.

 For an On-Prem deployment, the kube-api server also runs as a static pod and is identifiable using label `component=kube-apiserver,tier=control-plane`

 In case of EKS, the kube-api server is part of the managed control plane and it's not addressable via similar labels as mentioned above. In that situation, what is the suggested mechanism to enforce a restriction that traffic only from kube-api server reaches the Istio POD?

There are options to enforce this using CIDR(Calico CNI plugin) or DNS hostnames(Cilium CNI plugin).

Are there are any other available options to achieve this?

Thanks,
Alphonse

Topic		Replies	Views
Istio and Kubernetes Network Policies Security	1	484	January 6, 2020
Blocking traffic with Istio Networking	6	3114	July 11, 2019
Multicluster control options for gateway Security	2	551	April 16, 2020
Istio-proxy should be using Pod IPs instead of ServiceIPs on Kubernetes Networking	0	355	February 3, 2022
Avoid istio routing inside the container Networking	0	400	February 18, 2022

Recommended NetworkPolicy for Istiod in EKS

Related Topics