Skip to main content

Kubernetes Network Security plugin for the floe data platform

Project description

floe-network-security-k8s

Kubernetes Network Security plugin for the floe data platform.

Overview

This plugin implements the NetworkSecurityPlugin interface from floe-core, providing Kubernetes-native NetworkPolicy and Pod Security manifest generation for:

  • Default-deny NetworkPolicies for job and platform namespaces
  • Egress allowlists for DNS, catalog, telemetry, and storage services
  • Ingress rules for ingress controller and intra-namespace communication
  • Pod Security Standards namespace labels (restricted/baseline)
  • Hardened container securityContext configurations

Installation

pip install floe-network-security-k8s

Usage

from floe_network_security_k8s import K8sNetworkSecurityPlugin
from floe_core.network import NetworkPolicyConfig

plugin = K8sNetworkSecurityPlugin()

# Generate default-deny policies for a namespace
policies = plugin.generate_default_deny_policies("floe-jobs")

# Generate DNS egress rule (always required)
dns_rule = plugin.generate_dns_egress_rule()

Entry Point

This plugin registers under the floe.network_security entry point group:

[project.entry-points."floe.network_security"]
k8s = "floe_network_security_k8s:K8sNetworkSecurityPlugin"

Requirements

  • Python 3.10+
  • Kubernetes 1.25+ (for Pod Security Admission controller)
  • CNI with NetworkPolicy support (Calico, Cilium, or cloud-native CNI)
  • floe-core 0.1.0+

Features

NetworkPolicy Generation

  • Default-deny ingress and egress policies
  • DNS egress always allowed (UDP 53 to kube-system)
  • Platform service egress (Polaris, OTel Collector, MinIO)
  • External HTTPS egress (configurable)
  • Custom egress rules via manifest.yaml

Pod Security Standards

  • Namespace labels for PSS enforcement
  • Restricted level for job pods
  • Baseline level for platform services
  • Audit and warn labels for visibility

Container Hardening

  • runAsNonRoot: true
  • readOnlyRootFilesystem: true
  • allowPrivilegeEscalation: false
  • capabilities.drop: ["ALL"]
  • seccompProfile: RuntimeDefault

License

Apache-2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

floe_network_security_k8s-0.1.0a1.tar.gz (38.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

floe_network_security_k8s-0.1.0a1-py3-none-any.whl (10.3 kB view details)

Uploaded Python 3

File details

Details for the file floe_network_security_k8s-0.1.0a1.tar.gz.

File metadata

File hashes

Hashes for floe_network_security_k8s-0.1.0a1.tar.gz
Algorithm Hash digest
SHA256 e2af99c805c7539444ffda766facd52961ca3ff5a52d72973009bb3a746469f0
MD5 b3e47e86262abb9bc83b88f848224de3
BLAKE2b-256 13c3cb982ad245038fbaeeb4e89075d1e9a340fe72ed41d39d5d01a796d52e86

See more details on using hashes here.

File details

Details for the file floe_network_security_k8s-0.1.0a1-py3-none-any.whl.

File metadata

File hashes

Hashes for floe_network_security_k8s-0.1.0a1-py3-none-any.whl
Algorithm Hash digest
SHA256 1554935b194cf7e42632661871ba4588602a7397cdcbaa90d366f3909020a89f
MD5 e1e297208a1bd03a8ebc605e4ce872bd
BLAKE2b-256 317d860f7d2276210e749cc53787065bbea8e50528ca421cea49729a38cb0514

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page