CKAD Prep Part 16 – Network Policies

source link: https://www.briansdevblog.com/2021/06/ckad-prep-part-16-network-policies/

Network Policies

By default, a Pod can communicate with any other Pod in the same cluster.

`NetworkPolicies` allow you to limit the network traffic allowed to and from Pods in the cluster. A sample `NetworkPolicy` is shown below.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sample-network-policy
spec:
  podSelector:
    matchLabels:
      app: secure-app
  policyTypes:
  - Ingress
  - Egress
  ingress: # traffic coming into the Pod
    - from:
        - podSelector:
            matchLabels:
              allow-access: "true" # allow inbound traffic from Pods that have this label
      ports:
        - protocol: TCP
          port: 6379
  egress: # traffic going out of the Pod
    - to:
        - podSelector:
            matchLabels:
              allow-access: "true" # allow outbound traffic to Pods that have this label
      ports:
        - protocol: TCP
          port: 6379
```
  • `spec.podSelector.matchLabels` – assigns this `NetworkPolicy` to Pods with the label `app: secure-app`.
  • `policyTypes` – indicates the type of traffic this `NetworkPolicy` applies to: either `Ingress` (inbound), `Egress` (outbound) or both.
  • `ingress.from.podSelector.matchLabels` – defines rules for incoming traffic. `allow-access: "true"` means that inbound traffic will only be permitted from Pods with the label `allow-access: "true"`.
  • `ports.protocol` and `ports.port` specify the protocol and port permitted for incoming traffic.
  • `egress.to.podSelector.matchLabels` – defines rules for outbound traffic. `allow-access: "true"` means that outbound traffic will only be permitted to Pods with the label `allow-access: "true"`.
  • `ports.protocol` and `ports.port` specify the protocol and port permitted for outbound traffic.

To create the above `NetworkPolicy` run `kubectl apply -f sample-network-policy.yaml`. You can view the `NetworkPolicy` by running `kubectl get networkpolicies`.

Create_And_Get_NetworkPolicy-1.png

If you want to see the specification for an existing `NetworkPolicy` use the `describe` command.

Describe_NetworkPolicy.png

To test the `NetworkPolicy` we’ll create two Pods:
  • a Pod that is secured by the `NetworkPolicy`, called `network-policy-secure-pod`
  • a Pod that will attempt to call `network-policy-secure-pod`, called `network-policy-client-pod`

`network-policy-secure-pod` is defined as follows.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: network-policy-secure-pod
  labels:
    app: secure-app
spec:
  containers:
    - name: network-policy-secure-container
      image: nginx
      ports:
        - containerPort: 80
```

Note that the `metadata.labels` entry `app: secure-app` matches the `podSelector.matchLabels` value specified in the `NetworkPolicy` earlier. This means that the `NetworkPolicy` will secure traffic to and from this Pod.

`network-policy-client-pod` is defined as follows.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: network-policy-client-pod
spec:
  containers:
    - name: busybox
      image: radial/busyboxplus:curl
      command: ['sh', '-c', 'while true; do sleep 3600; done']
```

We can use this Pod to run a cURL command to attempt to access `network-policy-secure-pod`.

Access to `network-policy-secure-pod` is not permitted from `network-policy-client-pod` because `network-policy-secure-pod` is secured by the `NetworkPolicy`. For `network-policy-client-pod` to have access it would have to carry the `allow-access: "true"` label so that it satisfies the Ingress rule specified in the `NetworkPolicy`.
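The following is an added example, not code from the original post or from Kubernetes: a small Python model of the ingress semantics of the sample `NetworkPolicy`, used to check the label and port combinations discussed in the bullet list above and in this cURL test. It models only `podSelector` peers and `ports` under a single policy (no `namespaceSelector` or `ipBlock`); the function and variable names are my own.

```python
# Added example (not from the original post or Kubernetes): a minimal model of the
# ingress semantics of the sample NetworkPolicy; only podSelector peers and ports.

# The sample NetworkPolicy from the post, transcribed as a Python dict.
SAMPLE_POLICY = {
    "podSelector": {"matchLabels": {"app": "secure-app"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{
        "from": [{"podSelector": {"matchLabels": {"allow-access": "true"}}}],
        "ports": [{"protocol": "TCP", "port": 6379}],
    }],
}

# Labels of the two test Pods from the post: the client Pod carries no labels.
SECURE_POD = {"app": "secure-app"}
CLIENT_POD = {}

def matches(selector: dict, labels: dict) -> bool:
    """True if a Pod with `labels` matches a matchLabels selector.
    An empty selector matches every Pod, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policy: dict, src_labels: dict, dst_labels: dict,
                    protocol: str, port: int) -> bool:
    """Is traffic from a Pod with src_labels to a Pod with dst_labels on
    protocol/port permitted? Pods the policy does not select keep the
    default allow-all behaviour; selected Pods need a matching rule."""
    if not matches(policy["podSelector"], dst_labels):
        return True  # destination not selected: policy does not apply
    if "Ingress" not in policy.get("policyTypes", []):
        return True  # policy restricts only egress
    for rule in policy.get("ingress", []):
        peers = rule.get("from", [])
        peer_ok = not peers or any(  # no `from` means any source
            matches(p["podSelector"], src_labels)
            for p in peers if "podSelector" in p)
        ports = rule.get("ports", [])
        port_ok = not ports or any(  # no `ports` means any port
            p.get("protocol", "TCP") == protocol and p.get("port") == port
            for p in ports)
        if peer_ok and port_ok:
            return True
    return False  # selected Pod and no rule matched: traffic is dropped

if __name__ == "__main__":
    # The post's test: the unlabelled client Pod cannot reach nginx on port 80.
    print(ingress_allowed(SAMPLE_POLICY, CLIENT_POD, SECURE_POD, "TCP", 80))  # False
```

Because the sample policy opens only TCP 6379, a client Pod labelled `allow-access: "true"` is still blocked from nginx on port 80; the `ports` list would also need port 80 for the cURL test to succeed.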

The sample code for these notes is available on Github.
