21 June 2023
allows flow control to and from pods.
isolates pods from traffic they do not require.
pods are non isolated and open to all communication by default. Any network policy that selects pod will cause it to be isolated and abide the network policy rules.
A networkPolicy can have ingress, egress or both.
ingress: incomming traffic to the pod.
egress: traffic leaving the pods.
Let’s you select and specify the pod from which the requests shall be allowed.
podselector.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: networkpolicy
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
from selector: selects ingress traffic allowed to the pod. (Requests accepted/received by the pod.)
to selector: selects egress/outgoing traffic that will be allowed. (Requests sent from the pod.)
Let’s you select and specify the namespace from which the requests shall be allowed.
namespaceselector.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: networkpolicy
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
project: myproject
ports:
- protocol: TCP
port: 6379
Let’s you select and specify the ip cidr range from which the requests shall be allowed to the pod.
ipblock.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: networkpolicy
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
ports:
- protocol: TCP
port: 6379
you can also have exceptions as well like except:
specifies one or more ports that will allow traffic. Traffic allowed if it matches both the allowed port and from/to rules.
ports.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: networkpolicy
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978
Following is the complete example of how all the policies can be included in a single file :-
network-policy-role-db-pod.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978
search_query: network policy
ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/