Skip to content

Networking

Specification

All external access to applications/services must be via the ingress/gateway. The TRE must use a network plugin/CNI that fully supports Network Policy enforcement. Outbound connectivity should be blocked by default, or restricted by IP and port to pre-approved, trusted destinations.

Last updated: 2025-05-30
Source: https://github.com/orgs/k8tre/discussions/4

Motivation

Robust network policy enforcement is required to isolate traffic, especially of sensitive data, but also of orchestration requests/responses that could be an attack vector - e.g. in runtime modification of access control lists.

Implementation Compliance

K8TRE Reference Implementation

K8TRE uses Cilium as the default Container Network Interface (CNI) to provide advanced network security through network policies. Cilium is installed before ArgoCD during cluster setup and includes Hubble for network observability.

TREu

The (Kubernetes-based) System plane uses the Cilium CNI and network policies to control east-west traffic within the EKS cluster, allowing access to only the services/CIDRs that are required. Project network isolation is enacted at the compute platform level, e.g. using security groups in AWS.

FRIDGE

FRIDGE makes extensive use of Cilium and standard Kubernetes network policies to ensure only the required network paths are open between components in the cluster. This also applies to ingress and egress traffic. Project isolation is not required in FRIDGE as a FRIDGE instance is currently dedicated to a project.

SATRE components realised by this statement

Component 2.1.9
SATRE requires TRE operators to mitigate and record any risks introduced by the use of software in the TRE that requires telemetry to function, such as licensed commercial software must contact an external licensing server. TRE operators may prohibit this entirely, or may allow it with appropriate risk mitigation and recording, but K8TRE components that facilitate the use of such software must support TRE operators in meeting this SATRE requirement.

FAQ

  • What capabilities must a CNI must provide the cluster to be K8TRE compliant?

A CNI must provide full support for standard K8S Network Policies. Note the default K8s CNI in some public cloud providers is not compliant.

  • Should applications/services outside the cluster also have access to the CIDR/VPC/VNET

No. A K8TRE's CIDR/VPC/VNET is solely for in-cluster use only so all external access is via the ingress/gateway.