CKAD Prep Part 16 – Network Policies
source link: https://www.briansdevblog.com/2021/06/ckad-prep-part-16-network-policies/
Network Policies
By default, a Pod can communicate with any other Pod in the same cluster. NetworkPolicies allow you to limit the network traffic allowed to and from Pods in the cluster. A sample NetworkPolicy is shown below.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sample-network-policy
spec:
  podSelector:
    matchLabels:
      app: secure-app
  policyTypes:
  - Ingress
  - Egress
  ingress: # traffic coming into the Pod
  - from:
    - podSelector:
        matchLabels:
          allow-access: "true" # allow inbound traffic from Pods that have this label
    ports:
    - protocol: TCP
      port: 6379
  egress: # traffic leaving the Pod
  - to:
    - podSelector:
        matchLabels:
          allow-access: "true" # allow outbound traffic to Pods that have this label
    ports:
    - protocol: TCP
      port: 6379
```
- spec.podSelector.matchLabels – assigns this NetworkPolicy to Pods with the label app: secure-app.
- policyTypes – indicates the type of traffic this NetworkPolicy applies to: either Ingress (inbound), Egress (outbound), or both.
- ingress.from.podSelector.matchLabels – defines rules for incoming traffic. allow-access: "true" means that inbound traffic will only be permitted from Pods with the label allow-access: "true".
- ports.protocol and ports.port specify the protocol and port permitted for incoming traffic.
- egress.to.podSelector.matchLabels – defines rules for outbound traffic. allow-access: "true" means that outbound traffic will only be permitted to Pods with the label allow-access: "true".
- ports.protocol and ports.port specify the protocol and port permitted for outbound traffic.
To create the above NetworkPolicy run kubectl apply -f sample-network-policy.yaml. You can view the NetworkPolicy by running kubectl get networkpolicies.
If you want to see the specification for an existing NetworkPolicy, use the describe command.
To test the NetworkPolicy we'll create two Pods:
- a Pod that is secured by the NetworkPolicy, called network-policy-secure-pod
- a Pod that will attempt to call network-policy-secure-pod, called network-policy-client-pod
network-policy-secure-pod is defined as follows.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: network-policy-secure-pod
  labels:
    app: secure-app
spec:
  containers:
  - name: network-policy-secure-container
    image: nginx
    ports:
    - containerPort: 80
```
Note that the metadata.labels value app: secure-app matches the podSelector.matchLabels value specified in the NetworkPolicy earlier. This means that the NetworkPolicy will secure traffic to and from this Pod.
network-policy-client-pod is defined as follows.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: network-policy-client-pod
spec:
  containers:
  - name: busybox
    image: radial/busyboxplus:curl
    command: ['sh', '-c', 'while true; do sleep 3600; done']
```
We can use this Pod to run a cURL command to attempt to access network-policy-secure-pod.
Access to network-policy-secure-pod is not permitted from network-policy-client-pod because network-policy-secure-pod is secured by the NetworkPolicy. For network-policy-client-pod to have access it would have to specify the app: secure-app selector so that it satisfies the Ingress rule specified in the NetworkPolicy.
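The field list above and the client/secure Pod test can both be worked through offline. The following script is an added example, not code from the original post or its GitHub sample; it evaluates the page's own sample-network-policy against the two Pods using the semantics described above (podSelector isolates a Pod, policyTypes picks the direction, from/to and ports are additive allow rules, and a Pod no policy selects stays open). The policy and Pods are embedded as Python dicts mirroring the YAML so no cluster or YAML library is needed; LABELLED_CLIENT is a hypothetical variant of the client Pod carrying the label named in the ingress from.podSelector, and only podSelector peers within one namespace are modelled (namespaceSelector and ipBlock peers are ignored, by assumption).

```python
# Added example (not from the original post): offline evaluator for the
# NetworkPolicy semantics described on the page. Policies and Pods are plain
# dicts mirroring the page's YAML (constructed here so the script runs without
# a cluster or PyYAML). Only podSelector peers in a single namespace are
# modelled; namespaceSelector and ipBlock peers are ignored (assumption).

SAMPLE_POLICY = {
    "metadata": {"name": "sample-network-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "secure-app"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"allow-access": "true"}}}],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
        "egress": [{
            "to": [{"podSelector": {"matchLabels": {"allow-access": "true"}}}],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
    },
}

SECURE_POD = {"name": "network-policy-secure-pod", "labels": {"app": "secure-app"}}
CLIENT_POD = {"name": "network-policy-client-pod", "labels": {}}
# Hypothetical variant of the client Pod carrying the label the ingress rule asks for.
LABELLED_CLIENT = {"name": "network-policy-client-pod", "labels": {"allow-access": "true"}}


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value pair in the selector must be
    present on the Pod. An empty selector matches every Pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(rule, peer_key, peer_labels):
    """A rule with no 'from'/'to' list allows any peer; otherwise the peer
    must match at least one podSelector entry."""
    peers = rule.get(peer_key)
    if not peers:
        return True
    return any(selector_matches(p["podSelector"], peer_labels)
               for p in peers if "podSelector" in p)


def port_matches(rule, protocol, port):
    """A rule with no 'ports' list allows any port; otherwise protocol
    (default TCP) and port must both match one entry."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port
               for p in ports)


def effective_policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress when an egress section exists."""
    return spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))


def direction_allowed(policies, pod, policy_type, rules_key, peer_key, peer_labels, protocol, port):
    """One side of the flow: is `pod` isolated for `policy_type`, and if so does
    some rule admit the peer on this protocol/port? Rules are additive."""
    applicable = [p["spec"] for p in policies
                  if selector_matches(p["spec"]["podSelector"], pod["labels"])
                  and policy_type in effective_policy_types(p["spec"])]
    if not applicable:
        return True  # no policy selects this Pod for this direction: default open
    return any(peer_matches(rule, peer_key, peer_labels) and port_matches(rule, protocol, port)
               for spec in applicable for rule in spec.get(rules_key, []))


def traffic_allowed(policies, src, dst, protocol="TCP", port=80):
    """src -> dst is allowed only if dst's Ingress side and src's Egress side both permit it."""
    return (direction_allowed(policies, dst, "Ingress", "ingress", "from", src["labels"], protocol, port)
            and direction_allowed(policies, src, "Egress", "egress", "to", dst["labels"], protocol, port))


if __name__ == "__main__":
    cases = [
        ("no policy, client -> secure:80", [], CLIENT_POD, SECURE_POD, 80),
        ("client -> secure:80", [SAMPLE_POLICY], CLIENT_POD, SECURE_POD, 80),
        ("labelled client -> secure:6379", [SAMPLE_POLICY], LABELLED_CLIENT, SECURE_POD, 6379),
        ("labelled client -> secure:80", [SAMPLE_POLICY], LABELLED_CLIENT, SECURE_POD, 80),
        ("secure -> client:80", [SAMPLE_POLICY], SECURE_POD, CLIENT_POD, 80),
    ]
    for label, pols, src, dst, port in cases:
        verdict = "ALLOWED" if traffic_allowed(pols, src, dst, "TCP", port) else "DENIED"
        print(f"{label:35} {verdict}")
```

Two things the evaluator makes visible that are easy to miss when reading the YAML: the peer label the ingress rule actually checks is allow-access: "true" (the value in from.podSelector), and the rule permits TCP 6379 only, while the nginx container in network-policy-secure-pod listens on port 80, so a client that carries the right label is still denied on port 80 until the ports entry matches the service it is calling. Remember also that a NetworkPolicy is enforced by the cluster's CNI plugin; on a cluster whose plugin does not implement NetworkPolicy the object is accepted by the API server but has no effect, so always confirm the deny with a real connection attempt from the client Pod as the post does.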
The sample code for these notes is available on GitHub.