How do you restrict database access in Kubernetes?

[yorinasub17]

I want to know what mechanisms there are to restrict access to a Database from a Kubernetes Pod.

[yorinasub17]

There are several ways to do this:

• If the database credentials are stored in AWS Secrets Manager, you can restrict which secrets the Pod has access to at the IAM role layer. That is, you setup an IAM policy to only allow the pod to access the secrets it needs and attach it to the IAM role corresponding to the service account.

• If the database credentials are stored in Kubernetes Secrets, then you can manage the RBAC permissions on the service account attached to the Pod to restrict which secrets it has access to mount in.

• We also support the following ways to restrict network access to the data store:

  • If you are using Fargate, you can control which subnets the pods will source it’s IP from on the Fargate Profile. You can take advantage of this to dedicate a special subnet block to Pods in specific namespaces and set up the Database security group to only allow access from that subnet CIDR.

  • If you are using self managed ASGs or managed node groups, you can do something similar to Fargate by setting up ASG node pools for each use case, and restrict the subnets that are used for pods deployed on those nodes.

• There are also a few other mechanisms to restrict network access (note that Gruntwork does not yet have modules for configuring these mechanisms):

  • You can assign custom security groups to your pods and restrict the network policy for a group of Pods that way.
  • You can setup Calico and Network Policies to setup network firewalls within Kubernetes.
  • You can setup a service mesh solution like istio, and restrict network traffic that way.