Network policies in Kubernetes

Yash Panchal
Jul 1, 2023

Kubernetes network policies allow you to control traffic flow to and from pods.

They isolate pods from traffic they do not require.

By default, pods are non-isolated and open to all communication. Any network policy that selects a pod causes it to become isolated and to abide by the network policy rules.

A networkPolicy can have ingress, egress or both.

ingress: incoming traffic to the pod.

egress: traffic leaving the pods.

podSelector

Lets you select the pods from which requests are allowed.

podselector.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy
spec:
  podSelector:
    matchLabels:
      role: db            # the pods this policy applies to
  policyTypes:
    - Ingress
    - Egress              # no egress rules are listed, so all egress from role=db pods is denied
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 6379
```

from selector: selects ingress traffic allowed to the pod. (Requests accepted/received by the pod.)

to selector: selects egress/outgoing traffic that will be allowed. (Requests sent from the pod.)

namespaceSelector

Lets you select the namespaces from which requests are allowed.

namespaceselector.yaml

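```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress              # no egress rules are listed, so all egress from role=db pods is denied
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              project: myproject   # every pod in a matching namespace is allowed
      ports:
        - protocol: TCP
          port: 6379
```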

ipBlock

Lets you specify the IP CIDR range from which requests to the pod are allowed.

ipblock.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress              # no egress rules are listed, so all egress from role=db pods is denied
  ingress:
    - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24    # sub-range excluded from the allowed CIDR
      ports:
        - protocol: TCP
          port: 6379
```

You can also exclude sub-ranges of the CIDR with except:, as shown above.

ports:

Specifies one or more ports on which traffic is allowed. Traffic is allowed only if it matches both an allowed port and the from/to rules.

ports.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: networkpolicy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
      ports:
        - protocol: TCP
          port: 6379
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978
```

The following is a complete example showing how all of these rules can be combined in a single file:

network-policy-role-db-pod.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # the three entries below are ORed: a source matching any one of them is allowed
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 6379
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978
```
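
How the ingress half of the complete policy above is evaluated, as an added Python sketch (not code from the original post or from Kubernetes): entries under `from` are ORed, fields inside one entry are ANDed, a bare `podSelector` only matches pods in the policy's own namespace, and the port must match as well. The `src` dictionary shape and the function names are assumptions for illustration; the model covers `matchLabels` and numeric ports only.

```python
import ipaddress

# Ingress section of the page's test-network-policy (namespace "default"), as a dict.
INGRESS = [{
    "from": [
        {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
        {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
        {"podSelector": {"matchLabels": {"role": "frontend"}}},
    ],
    "ports": [{"protocol": "TCP", "port": 6379}],
}]

def labels_match(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, src, policy_ns):
    """Evaluate one 'from' entry; fields inside the same entry are ANDed."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    if src.get("pod_labels") is None:      # source is not a pod: selectors cannot match
        return False
    if "namespaceSelector" in peer:
        ok = labels_match(peer["namespaceSelector"], src["ns_labels"])
    else:
        ok = src["namespace"] == policy_ns  # bare podSelector: policy's own namespace only
    if "podSelector" in peer:
        ok = ok and labels_match(peer["podSelector"], src["pod_labels"])
    return ok

def ingress_allowed(rules, src, port, protocol="TCP", policy_ns="default"):
    """Allowed if any rule matches both a 'from' entry (ORed) and a port."""
    for rule in rules:
        ports = rule.get("ports", [])
        port_ok = not ports or any(
            p["port"] == port and p.get("protocol", "TCP") == protocol for p in ports)
        peers = rule.get("from", [])
        peer_ok = not peers or any(peer_matches(p, src, policy_ns) for p in peers)
        if port_ok and peer_ok:
            return True
    return False
```

Because the `namespaceSelector` entry stands alone, every pod in a namespace labelled `project: myproject` reaches port 6379; placing `podSelector` in the same entry as `namespaceSelector` narrows that to matching pods only.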

ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/