Platform application access controls
In this article you will learn some best practices to secure platform tier applications.
Isolate platform applications
You may have several types of platform applications in your environment:
- Storage platform
- Secret management
- Container security
- Platform monitoring
- Application performance monitoring
We recommend that you implement all your platform application controls in a platform tier that allows only the granular ingress and egress you define for platform application pods and denies everything else. This effectively isolates platform applications from business applications, and extends the multi-tenancy and application microsegmentation controls to platform applications.
An order of 200 means that the platform tier comes before the security tier and that its policies are processed first. Some organizations require that security team controls take precedence over other controls. In that case, the security tier policies need to pass matching traffic through to the platform tier for granular control.
Map your application access controls to policy
Next, we recommend that you consult your platform application's documentation to obtain the communication map of its pods, and reflect those flows as controls in your network policy.
Create a global network policy
Here is our global network policy that allows application (platform-app1) and service (platf-app1-svc2) ingress access to service (svc == platf-app1-svc1) from port 12345.
```yaml
spec:
  selector: (app == "platform-app1" && svc == "platf-app1-svc2")
  ingress:
    - action: Allow
      source:
        selector: svc == "platf-app1-svc1"
```
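As an added example that is not part of the original page, the manifests below cover both sections above: the platform tier at order 200, the policy fragment written out in full (including the port 12345 restriction), and a default deny at the end of the tier so that everything else is dropped. The policy names, the policy orders inside the tier, and the `tier == "platform"` label on platform pods are assumptions.

```yaml
# Platform tier at order 200 (the order the page discusses).
apiVersion: projectcalico.org/v3
kind: Tier
metadata:
  name: platform
spec:
  order: 200
---
# Granular allow: pods of platform-app1 / platf-app1-svc2 accept TCP/12345
# only from pods of platf-app1-svc1. Tiered policy names carry the tier prefix.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: platform.platform-app1-svc2-ingress   # assumed name
spec:
  tier: platform
  order: 100                                   # evaluated before the default deny below
  selector: (app == "platform-app1" && svc == "platf-app1-svc2")
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: svc == "platf-app1-svc1"
      destination:
        ports:
          - 12345
---
# Default deny for the tier: any platform pod (assumed label tier=platform)
# whose traffic matched no allow rule above is dropped. The egress deny also
# blocks DNS, so place an explicit egress allow for cluster DNS before it.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: platform.default-deny
spec:
  tier: platform
  order: 1000
  selector: tier == "platform"
  types:
    - Ingress
    - Egress
  ingress:
    - action: Deny
  egress:
    - action: Deny
```

Apply the file with `kubectl apply -f` (or `calicoctl apply -f`) and confirm with a denied-flow log that traffic outside the mapped communication paths no longer reaches the platform pods.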