Creating a Kubernetes Network Policy
The NetworkPolicy spec carries everything needed to describe a policy for one namespace. The podSelector element chooses which pods the policy applies to; the example below selects pods labelled role: db. An empty podSelector ({}) selects every pod in the namespace, which is how a namespace-wide default-deny policy is written.
The mandatory fields for a NetworkPolicy, like other Kubernetes configurations, include:
- apiVersion
- kind
- metadata
Additionally, each NetworkPolicy has a policyTypes field that lists whether it covers Ingress, Egress or both. If the field is omitted it defaults to Ingress, and Egress is added automatically only when the policy contains egress rules. State it explicitly: a policy whose policyTypes names only Ingress leaves outbound traffic from the selected pods completely unrestricted.
- Ingress rules: these list the traffic the policy permits into the selected pods. Each rule matches connections from the listed sources (from) on the listed ports; if from is omitted the rule admits every source, and if ports is omitted it admits every port.
- Egress rules: the same for traffic leaving the selected pods, with the permitted destinations under to and the permitted ports.
Let’s look at a sample NetworkPolicy resource and then understand all the fields in a bit more detail.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 128.12.0.0/16
        except:
        - 128.12.46.0/24
    - namespaceSelector:
        matchLabels:
          project: exampleproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/8
    ports:
    - protocol: TCP
      port: 5978
To apply the policy, save the YAML above as network.yaml and run:
kubectl apply -f network.yaml
On first apply kubectl confirms the new object with:
networkpolicy.networking.k8s.io/example-policy created
This NetworkPolicy isolates the pods labelled role: db in the default namespace. Its ingress rule permits connections to those pods on TCP port 6379 only, and only from the following sources (the three from entries are alternatives; matching any one of them is enough):
- Pods labelled role: frontend in the default namespace. A podSelector on its own only matches pods in the policy's own namespace.
- Any pod in a namespace labelled project: exampleproject. A namespaceSelector matches labels on the Namespace object, not labels on the pods.
- IP addresses in 128.12.0.0/16 (128.12.0.0 to 128.12.255.255), except the range 128.12.46.0/24 (128.12.46.0 to 128.12.46.255). Every except range must lie inside its cidr, otherwise the API server rejects the policy.
The egress rule permits the same db pods to open TCP connections to port 5978 on addresses within 10.0.0.0/8. Because Egress is listed in policyTypes, every other outbound connection from the db pods is denied, including DNS lookups to kube-dns; a production policy would add an egress rule allowing UDP and TCP port 53 to the cluster DNS pods.
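To make the matching rules above concrete, here is an added example (not code from the page or from the Kubernetes project) that evaluates the example-policy against constructed endpoints: it checks that each ipBlock except range sits inside its cidr, mirrors the policyTypes default, and decides whether a given ingress source or egress destination is permitted on a port. It models a single policy in isolation (a real cluster unions every policy that selects a pod), the endpoint dict layout (ip, namespace, pod_labels, ns_labels) is an assumption of this script, and matchExpressions, endPort and named ports are deliberately left out.

```python
import ipaddress
from typing import Any, Dict, List

# The page's example-policy transcribed into a Python dict (same fields as the
# YAML) so the evaluator runs offline without kubectl or a YAML parser.
EXAMPLE_POLICY: Dict[str, Any] = {
    "metadata": {"name": "example-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [
                {"ipBlock": {"cidr": "128.12.0.0/16", "except": ["128.12.46.0/24"]}},
                {"namespaceSelector": {"matchLabels": {"project": "exampleproject"}}},
                {"podSelector": {"matchLabels": {"role": "frontend"}}},
            ],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
        "egress": [{
            "to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}],
            "ports": [{"protocol": "TCP", "port": 5978}],
        }],
    },
}


def effective_policy_types(spec: Dict[str, Any]) -> List[str]:
    """Mirror the API default: an absent policyTypes means Ingress, plus Egress
    only when the spec carries egress rules."""
    if spec.get("policyTypes"):
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if spec.get("egress") else ["Ingress"]


def validate_ip_blocks(policy: Dict[str, Any]) -> List[str]:
    """List ipBlock entries whose 'except' range is not inside its 'cidr'.
    The API server rejects such a policy, so catch it before kubectl apply."""
    problems = []
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for rule in policy["spec"].get(direction, []):
            for peer in rule.get(key, []):
                block = peer.get("ipBlock")
                if not block:
                    continue
                cidr = ipaddress.ip_network(block["cidr"], strict=False)
                for exc in block.get("except", []):
                    if not ipaddress.ip_network(exc, strict=False).subnet_of(cidr):
                        problems.append(f"{direction}: except {exc} is not inside cidr {block['cidr']}")
    return problems


def _labels_match(selector: Dict[str, Any], labels: Dict[str, str]) -> bool:
    # Only matchLabels is modelled; every listed label must be present and equal.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer: Dict[str, Any], endpoint: Dict[str, Any], policy_ns: str) -> bool:
    """endpoint is a constructed dict: {'ip': ...} for an external address, plus
    'namespace', 'pod_labels' and 'ns_labels' when the endpoint is a pod."""
    if "ipBlock" in peer:
        if "ip" not in endpoint:
            return False
        ip = ipaddress.ip_address(endpoint["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"], strict=False):
            return False
        return not any(ip in ipaddress.ip_network(e, strict=False) for e in block.get("except", []))
    if "pod_labels" not in endpoint:
        return False  # selector-based peers only ever match pods
    if "namespaceSelector" in peer:
        if not _labels_match(peer["namespaceSelector"], endpoint.get("ns_labels", {})):
            return False
    elif endpoint.get("namespace") != policy_ns:
        return False  # a bare podSelector only reaches the policy's own namespace
    if "podSelector" in peer and not _labels_match(peer["podSelector"], endpoint["pod_labels"]):
        return False
    return True


def _port_allowed(rule: Dict[str, Any], protocol: str, port: int) -> bool:
    ports = rule.get("ports")
    if not ports:
        return True  # no ports list means any port and protocol
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def _allowed(policy, direction, peer_key, endpoint, protocol, port) -> bool:
    spec = policy["spec"]
    if direction.capitalize() not in effective_policy_types(spec):
        return True  # the policy does not isolate this direction at all
    ns = policy["metadata"]["namespace"]
    for rule in spec.get(direction, []):
        peers = rule.get(peer_key)
        peer_ok = not peers or any(_peer_matches(p, endpoint, ns) for p in peers)
        if peer_ok and _port_allowed(rule, protocol, port):
            return True
    return False  # isolated and no rule matched: denied


def ingress_allowed(policy, src, protocol, port) -> bool:
    """May traffic from src reach a pod selected by policy on protocol/port?"""
    return _allowed(policy, "ingress", "from", src, protocol, port)


def egress_allowed(policy, dst, protocol, port) -> bool:
    """May a pod selected by policy send to dst on protocol/port?"""
    return _allowed(policy, "egress", "to", dst, protocol, port)
```

Running validate_ip_blocks on a policy whose except range is larger than its cidr returns the offending entry, and egress_allowed shows the DNS trap directly: a UDP 53 lookup from a db pod to a 10.x cluster DNS address is denied because only TCP 5978 is listed.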
Kubernetes Network Policies
Kubernetes clusters are not secure by default: without a NetworkPolicy, every pod can reach every other pod and any external address. The good news is that Kubernetes ships the tools to change that. In this article we look at one resource K8s provides straight out of the box to make your deployed apps more secure: network policies.
A Kubernetes network policy specifies how pods may communicate with one another and with other network endpoints in the cluster. Network policies give fine-grained control over traffic, letting you segment the cluster network and protect your applications. They express ingress and egress rules for pods and are enforced by the cluster's CNI plugin, such as Calico or Weave Net. The API server accepts a NetworkPolicy object even when the installed CNI does not implement policy enforcement, in which case the object silently has no effect, so verify that traffic is actually blocked rather than assuming it.