All posts
August 25, 20223 min read

Kubernetes Network Policies: SSH Access via a Proxy

Kubernetes is the backbone of modern container orchestration, and managing access within this environment is essential for maintaining a secure and scalable system. While Kubernetes Network Policies are often seen as tools for controlling pod-to-pod communication, they can also play a critical role in ensuring secure SSH access to workloads by enforcing network restrictions and introducing proxies for controlled access. Let’s unpack how Kubernetes Network Policies can be used to secure SSH traf

Free White Paper

SSH Access Management + Database Access Proxy: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Kubernetes is the backbone of modern container orchestration, and managing access within this environment is essential for maintaining a secure and scalable system. While Kubernetes Network Policies are often seen as tools for controlling pod-to-pod communication, they can also play a critical role in ensuring secure SSH access to workloads by enforcing network restrictions and introducing proxies for controlled access.

Let’s unpack how Kubernetes Network Policies can be used to secure SSH traffic via a proxy, best practices for implementation, and how to simplify visibility and observability for these policies.

What Are Kubernetes Network Policies?

Kubernetes Network Policies are rules that allow administrators to control traffic flow at the IP address or CIDR block level between Kubernetes resources. They can restrict both ingress and egress traffic, ensuring workloads only communicate with approved peers.

By default, all traffic in Kubernetes namespaces is open unless policies are explicitly enforced. This makes Network Policies a linchpin for securing your cluster’s internal operations. For workloads requiring SSH access, Network Policies can help you limit access to specific IPs, ports, or services, ensuring tighter control and cutting off unnecessary attack vectors.

Why You Should Use a Proxy for SSH Access in Kubernetes

SSH access to Kubernetes workloads introduces risks if unmanaged. A proxy provides a secure middle ground for routing SSH traffic, avoiding direct access to pods or nodes. It also adds a layer of observability and auditing for every remote access attempt.

Key benefits of using a proxy for Kubernetes SSH traffic:

  1. Granular Control: Restrict SSH traffic to predefined networks or user groups.
  2. Auditing and Logging: Monitor all SSH requests by channeling them through the proxy.
  3. Scaling Security: Patch and scale proxy configurations independently of your workloads.

By combining Kubernetes Network Policies with a proxy, administrators can ensure SSH traffic only enters and exits through a secure, auditable channel.

Setting Up SSH Access via a Proxy

Step 1: Deploy a Proxy for SSH

Start by introducing an SSH Bastion host or similar proxy mechanism within your Kubernetes cluster. This host will act as the sole entry point for all SSH traffic. OpenSSH, Teleport, or any lightweight SSH proxy service can be a good fit.

Continue reading? Get the full guide.

SSH Access Management + Database Access Proxy: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

For example:

  • Use a pod running an OpenSSH server as your Bastion host.
  • Expose the Bastion host through a Kubernetes Service.

Your proxy configuration depends on your needs, but ensure that your Bastion host is positioned to enforce access restrictions.

Step 2: Create Kubernetes Network Policies for Restricted Traffic

Once the Bastion host is operational, Kubernetes Network Policies can enforce SSH traffic to pass only through the proxy.

Here’s an example NetworkPolicy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
 name: restrict-ssh-access
 namespace: your-namespace
spec:
 podSelector: {}
 ingress:
 - from:
 - podSelector:
 matchLabels:
 app: ssh-bastion-host
 ports:
 - protocol: TCP
 port: 22

This policy restricts ingress traffic to port 22 (SSH), narrowing access to the Bastion host within your namespace. Apply a similar egress rule to ensure no direct pod-to-session access bypassing the proxy.

Step 3: Test and Monitor Enforced SSH Access

Validate that the Network Policies are functioning by attempting SSH connections both through and outside the proxy. Tools like kubectl exec or real-world SSH clients can help verify connection patterns.

Observing network flows through tools like kubectl describe networkpolicy or external monitoring solutions gives confidence in released configurations.

Simplifying Network Policy Observability

Implementing Kubernetes Network Policies for SSH proxies introduces a layer of complexity. Observability becomes crucial to understanding if your rules are working as intended.

This is where tools like hoop.dev can transform your experience. With visualized network flows, real-time insights into policy enforcement, and rapid debugging of traffic issues, hoop.dev lets you verify rules in minutes. No more blind guesses about whether your SSH policies protect your workloads — see it live in just a few clicks.

Final Thoughts

Kubernetes Network Policies help secure your workloads. When coupled with a proxy for SSH access, they offer a robust approach to managing and monitoring connections. Establish precise control, audit traffic, and ensure your workloads remain protected from unauthorized access.

Ready to boost your policy visibility? Head to hoop.dev and see how fast and hassle-free it can be to verify and manage your Kubernetes Network Policies. Secure your clusters today.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts