Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,57 @@
# Standards and References - Kubernetes Network Policy with Calico
## Industry Standards
### NIST SP 800-190: Application Container Security Guide
- Section 4.4: Container Networking - Isolate container network traffic using network policies
- Section 5.3: Network Security - Implement micro-segmentation between containers
- Recommends default-deny policies with explicit allowlisting
### CIS Kubernetes Benchmark v1.8
- 5.3.1: Ensure that the CNI in use supports Network Policies
- 5.3.2: Ensure that all Namespaces have Network Policies defined
- 5.3.3: Ensure that the default namespace does not contain any pods
### NIST SP 800-53 Rev 5
- SC-7: Boundary Protection - Implement network segmentation controls
- AC-4: Information Flow Enforcement - Control network traffic between pods
- SC-7(5): Deny by Default / Allow by Exception
### NSA/CISA Kubernetes Hardening Guide v1.2
- Section 3: Network Separation and Hardening
- Use network policies to isolate workloads
- Implement default deny ingress and egress policies
- Limit pod-to-pod communication to minimum required
## Calico Documentation References
| Resource | URL |
|----------|-----|
| Calico NetworkPolicy | https://docs.tigera.io/calico/latest/network-policy/get-started/calico-policy/calico-network-policy |
| Kubernetes Policy Tutorial | https://docs.tigera.io/calico/latest/network-policy/get-started/kubernetes-policy/kubernetes-policy-basic |
| GlobalNetworkPolicy | https://docs.tigera.io/calico/latest/reference/resources/globalnetworkpolicy |
| Policy Tiers | https://docs.tigera.io/calico-enterprise/latest/network-policy/policy-tiers/tiered-policy |
| Calico eBPF Dataplane | https://docs.tigera.io/calico/latest/operations/ebpf/enabling-ebpf |
## Zero Trust Network Model
### Principles Applied
1. **Never trust, always verify** - Default deny all traffic between pods
2. **Least privilege access** - Only allow specific required communication paths
3. **Micro-segmentation** - Isolate workloads at pod-to-pod granularity
4. **Identity-based policies** - Use service accounts and labels for policy selection
5. **Continuous monitoring** - Log and alert on denied traffic patterns
## Compliance Mappings
### PCI DSS v4.0
- Requirement 1.2.1: Restrict inbound and outbound traffic to that which is necessary
- Requirement 1.3.1: Inbound traffic is restricted to that which is necessary
- Requirement 1.3.2: Outbound traffic is restricted to that which is necessary
### SOC 2 Type II
- CC6.1: Logical access security - Network isolation between components
- CC6.6: Network boundaries - Restrict access at network boundaries
### HIPAA
- 164.312(e)(1): Transmission Security - Protect data in transit between services
@@ -0,0 +1,195 @@
# Workflow - Implementing Kubernetes Network Policy with Calico
## Phase 1: Discovery and Planning
### Map Application Communication Flows
```bash
# Identify all namespaces
kubectl get namespaces
# List all services per namespace
kubectl get svc --all-namespaces -o wide
# Identify pod labels
kubectl get pods --all-namespaces --show-labels
# Check existing network policies
kubectl get networkpolicy --all-namespaces
```
### Document Required Traffic Flows
Create a traffic matrix documenting:
- Source pod/namespace -> Destination pod/namespace
- Protocol and port
- Business justification
## Phase 2: Install and Verify Calico
```bash
# Install Tigera operator
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/tigera-operator.yaml
# Wait for operator
kubectl wait --for=condition=Available deployment/tigera-operator -n tigera-operator --timeout=120s
# Install Calico custom resources
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/custom-resources.yaml
# Verify all Calico pods are running
kubectl get pods -n calico-system -w
# Install calicoctl as a pod
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calicoctl.yaml
# Verify node status
kubectl exec -n calico-system calicoctl -- calicoctl node status
```
## Phase 3: Apply Default Deny Policies
### Step 1 - Create DNS Allow Policy First
```bash
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns
namespace: production
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to: []
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
EOF
```
### Step 2 - Apply Default Deny Ingress
```bash
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
EOF
```
### Step 3 - Apply Default Deny Egress
```bash
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: production
spec:
podSelector: {}
policyTypes:
- Egress
EOF
```
### Step 4 - Apply Allow Rules per Traffic Flow
```bash
# Allow frontend to backend
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-to-backend
namespace: production
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080
EOF
```
## Phase 4: Validate Policies
### Connectivity Testing
```bash
# Test allowed path (should succeed)
kubectl exec -n production deploy/frontend -- wget -qO- --timeout=5 http://backend-svc:8080/health
# Test blocked path (should timeout/fail)
kubectl exec -n production deploy/frontend -- wget -qO- --timeout=5 http://database-svc:5432
# Test cross-namespace (should fail if denied)
kubectl exec -n staging deploy/test -- wget -qO- --timeout=5 http://backend-svc.production:8080/health
```
### Monitor Denied Connections
```bash
# Check Calico logs for denied connections
kubectl logs -n calico-system -l k8s-app=calico-node --tail=50 | grep -i deny
# Enable flow logs (Calico Enterprise)
kubectl exec -n calico-system calicoctl -- calicoctl get felixconfiguration default -o yaml
```
## Phase 5: Advanced Calico Policies
### Apply Global Security Baseline
```bash
kubectl exec -n calico-system calicoctl -- calicoctl apply -f - <<EOF
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: security-baseline
spec:
order: 100
types:
- Ingress
- Egress
egress:
- action: Allow
protocol: UDP
destination:
ports:
- 53
- action: Allow
protocol: TCP
destination:
ports:
- 53
ingress:
- action: Allow
source:
selector: "projectcalico.org/namespace in {'kube-system', 'monitoring'}"
EOF
```
## Phase 6: Ongoing Operations
### Regular Policy Audits
1. Review traffic flow matrix monthly
2. Validate policies match documented flows
3. Remove stale policies for decommissioned services
4. Update policies when new services are deployed
### Incident Response
1. If suspicious traffic detected, apply emergency deny policy
2. Analyze Calico flow logs for investigation
3. Identify compromised pod via workload endpoint
4. Isolate pod by applying targeted deny policy