K8s Security Pro
#15 · Network Security · Professional

Egress Allow Rules

A whitelist-only egress model with six policies: default deny, DNS resolution, HTTPS to approved CIDRs, database access, internal service access, and Kubernetes API access.

CIS Benchmark: 5.3.2
MITRE ATT&CK: T1048, T1071

Overview

This template implements a complete whitelist-only egress model with six layered NetworkPolicies. Pods can only reach explicitly approved destinations: DNS for name resolution, specific external HTTPS endpoints, internal databases, cross-namespace shared services, and the Kubernetes API (for controllers only).

Security threat addressed: By default, pods can connect to any IP address on the internet. A compromised pod can exfiltrate data, connect to C2 servers, download malware, or scan internal networks for lateral movement.

When to use: Apply to every production namespace. Start with the default-deny and DNS policies, then add allow rules as your application requires them.

Threat Model

  • C2 communication blocking: Without egress controls, compromised pods connect to attacker-controlled servers. Whitelist-only egress prevents this.
  • Data exfiltration prevention: Only approved external HTTPS endpoints are reachable, blocking data theft to arbitrary servers.
  • Database access control: Only backend pods with explicit labels can reach databases, preventing compromised frontend pods from accessing sensitive data.
  • Malware download prevention: Default deny egress blocks downloading additional tools or crypto miners.

MITRE ATT&CK:

  • T1048 — Exfiltration Over Alternative Protocol: Unrestricted egress allows data theft to external servers.
  • T1071 — Application Layer Protocol: Attackers use HTTPS to communicate with C2 servers. Egress restrictions limit this to approved endpoints.

Real-world scenario: An attacker exploits an RCE vulnerability and tries to download a reverse shell payload from their server. With egress deny-all plus approved HTTPS only, the download fails because the attacker’s server is not in the approved CIDR list.

YAML Source

# POLICY 1: Default deny ALL egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: production
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
spec:
  podSelector: {}
  policyTypes:
    - Egress
---
# POLICY 2: Allow DNS resolution (REQUIRED)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: production
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
# ... truncated -- get HTTPS, database, internal service, and API server policies at k8s-security.pro/pricing

Get the complete template with HTTPS egress to approved CIDRs, database access (PostgreSQL/MySQL/Redis), cross-namespace shared services, and Kubernetes API access for controllers in the Professional tier.
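To see how the whitelist model actually decides a connection, the following added example (not part of this template or the product's code) evaluates egress requests offline against the two policies shown above plus one hypothetical approved-CIDR HTTPS policy. The CIDR 203.0.113.0/24, the excepted host 203.0.113.9, the attacker address 198.51.100.7 and the pod labels are all constructed values. It supports matchLabels selectors, ipBlock with except, and numeric ports only; matchExpressions, named ports, endPort ranges and CNI-specific quirks are out of scope.

```python
# Added example: offline evaluator for NetworkPolicy *egress* decisions.
# Models the two page policies plus one HYPOTHETICAL approved-CIDR HTTPS
# policy with constructed values; this is not the product's own code.
import ipaddress

# Namespace labels; every namespace carries kubernetes.io/metadata.name automatically.
NAMESPACES = {
    "production": {"kubernetes.io/metadata.name": "production"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}

KUBE_DNS_PEER = {
    "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
}

POLICIES = [
    {   # POLICY 1 (page): isolate every pod in production for egress, allow nothing
        "metadata": {"name": "default-deny-egress", "namespace": "production"},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
    },
    {   # POLICY 2 (page): DNS to kube-dns only, UDP and TCP 53
        "metadata": {"name": "allow-dns", "namespace": "production"},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
            {"to": [KUBE_DNS_PEER],
             "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]},
    },
    {   # HYPOTHETICAL (not on the page): HTTPS to one approved CIDR, one host carved out
        "metadata": {"name": "allow-https-approved", "namespace": "production"},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
            {"to": [{"ipBlock": {"cidr": "203.0.113.0/24", "except": ["203.0.113.9/32"]}}],
             "ports": [{"protocol": "TCP", "port": 443}]}]},
    },
]


def selector_matches(selector, labels):
    """matchLabels-only label selector; an empty or absent selector matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, dest):
    """dest is {'ip': ...} for an external address or {'namespace': ..., 'labels': {...}} for a pod."""
    if "ipBlock" in peer:
        if "ip" not in dest:
            return False
        ip = ipaddress.ip_address(dest["ip"])
        block = peer["ipBlock"]
        in_cidr = ip in ipaddress.ip_network(block["cidr"])
        excepted = any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
        return in_cidr and not excepted
    if "ip" in dest:
        return False  # selector-based peers only ever match pods
    if "namespaceSelector" in peer:
        ns_ok = selector_matches(peer["namespaceSelector"], NAMESPACES.get(dest["namespace"], {}))
    else:
        ns_ok = dest["namespace"] == policy_ns  # podSelector alone means "this namespace"
    return ns_ok and selector_matches(peer.get("podSelector"), dest["labels"])


def port_matches(ports, protocol, port):
    """Absent/empty ports list means any port; an entry without 'port' means any port of that protocol."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port for p in ports)


def egress_allowed(src_ns, src_labels, dest, protocol, port):
    """Return (allowed, reason). Once any policy with policyTypes Egress selects the pod
    it is isolated, and the connection needs a matching allow rule in some policy (a union)."""
    isolated = False
    for pol in POLICIES:
        meta, spec = pol["metadata"], pol["spec"]
        if meta["namespace"] != src_ns or not selector_matches(spec.get("podSelector"), src_labels):
            continue
        # policyTypes defaults to Ingress, plus Egress only when egress rules are present
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if "Egress" not in types:
            continue
        isolated = True
        for rule in spec.get("egress", []):
            peers = rule.get("to", [])
            dest_ok = not peers or any(peer_matches(p, meta["namespace"], dest) for p in peers)
            if dest_ok and port_matches(rule.get("ports"), protocol, port):
                return True, f"allowed by {meta['name']}"
    if not isolated:
        return True, "no egress policy selects this pod, so it is not isolated"
    return False, "no allow rule matched: denied by default-deny-egress"


def scenarios():
    """The page's threat-model cases as decisions: True = connection allowed."""
    web = {"app": "web"}  # constructed labels for a production pod
    kube_dns = {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}}
    return {
        "dns_to_kube_dns": egress_allowed("production", web, kube_dns, "UDP", 53)[0],
        "https_to_approved_cidr": egress_allowed("production", web, {"ip": "203.0.113.10"}, "TCP", 443)[0],
        "https_to_excepted_host": egress_allowed("production", web, {"ip": "203.0.113.9"}, "TCP", 443)[0],
        "http_payload_download": egress_allowed("production", web, {"ip": "198.51.100.7"}, "TCP", 80)[0],
        "http_to_approved_cidr": egress_allowed("production", web, {"ip": "203.0.113.10"}, "TCP", 80)[0],
        "unisolated_namespace": egress_allowed("staging", web, {"ip": "198.51.100.7"}, "TCP", 80)[0],
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:26} {'ALLOW' if allowed else 'DENY'}")
```

The last scenario is the point worth keeping in mind when rolling this out: a namespace with no egress policy at all is not isolated, so the default-deny policy has to exist in every namespace before the allow rules mean anything, which is why the page says to apply it to every production namespace first.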

Installation

kubectl:

kubectl apply -f 15_egress_allow_rules.yaml

Helm:

helm install k8s-security ./charts/k8s-security -f values-prod.yaml

Kustomize:

kubectl apply -k kustomize/overlays/prod

Verification

# List all egress policies
kubectl get networkpolicies -n production | grep -E "deny-egress|allow-dns|allow-https|allow-database"

# Test DNS resolution works
kubectl exec -n production <pod> -- nslookup google.com

# Test that arbitrary internet access is blocked
kubectl exec -n production <pod> -- wget -q -O- --timeout=2 http://attacker.example.com 2>&1
# Expected: timeout

# Test database access from backend pods
kubectl exec -n production <backend-pod> -- pg_isready -h postgresql -p 5432

CIS Benchmark References

  • 5.3.2 — Ensure that all Namespaces have NetworkPolicies defined. This template provides comprehensive egress control across six policies.

MITRE ATT&CK References

  • T1048 — Exfiltration Over Alternative Protocol: Default deny egress prevents data exfiltration to arbitrary external endpoints.
  • T1071 — Application Layer Protocol: HTTPS egress is restricted to approved CIDRs, preventing C2 communication to unknown servers.
