Understanding Kubernetes Network Policy Selectors
There are four kinds of selectors that can appear in the from list of an ingress rule or the to list of an egress rule. We'll discuss each of them in this section:
PodSelector
This selects Pods in the same namespace as the NetworkPolicy that should be allowed as ingress sources or egress destinations. On its own, a podSelector never matches Pods in other namespaces.
NamespaceSelector
This selects namespaces by label; every Pod in a selected namespace is allowed as an ingress source or egress destination.
Combining Selectors
A single to/from entry that specifies both namespaceSelector and podSelector selects particular Pods within particular namespaces. Be careful with the YAML: whether podSelector is indented as part of the same list item or starts a new item with a leading "- " changes what the policy means.
In the first form, a single from element carries both selectors, and the policy permits connections only from Pods labelled role=server that live in namespaces labelled user=client (the two conditions are ANDed). The second form looks almost identical but is a different policy:
It has two elements in the from array, and elements are ORed. It accepts connections from any Pod in any namespace labelled user=client, or from any Pod labelled role=server in the policy's own namespace. The second form is strictly broader, so a misplaced "- " silently widens what the policy admits.
IpBlock
ipBlock selectors permit traffic to or from particular IP address CIDR ranges, and an optional except list carves sub-ranges back out of the cidr. These should be cluster-external IPs: Pod IPs are ephemeral and unpredictable, so an ipBlock written against them will not reliably match the Pods you intended.
Cluster ingress and egress mechanisms frequently rewrite a packet's source or destination IP (for example, NAT at a load balancer or node). When this occurs, it is not well defined whether the rewrite happens before or after NetworkPolicy processing, and the behaviour can vary with the network plugin, cloud provider, Service implementation and other factors in combination. Before relying on an ipBlock for external traffic, confirm which source address your network plugin actually sees for that path.
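As an added example (not code from the original page or from Kubernetes), the evaluator below models the from-selector semantics described in the two preceding passages: podSelector, namespaceSelector, the combined single-element form versus the two-element form, and ipBlock with an except list. The policies are Python dicts whose keys mirror the YAML field names one-for-one; the namespaces, Pods, labels and IP addresses are constructed sample data and the policy names are hypothetical.

```python
"""Toy evaluator for the `from` selectors of a Kubernetes NetworkPolicy.

Added example, not code from the page or from Kubernetes. Policies are dicts
mirroring the YAML field names; cluster state below is constructed sample data.
"""
import ipaddress

# Constructed cluster state: namespace -> labels, pod -> (namespace, labels, ip).
NAMESPACES = {
    "default": {},                      # the policies below live here
    "clients": {"user": "client"},
    "other": {"user": "guest"},
}
PODS = {
    "web":      ("default", {"role": "server"}, "10.0.0.5"),
    "batch":    ("default", {"role": "batch"},  "10.0.0.6"),
    "api":      ("clients", {"role": "server"}, "10.0.1.5"),
    "cli":      ("clients", {"role": "client"}, "10.0.1.6"),
    "stranger": ("other",   {"role": "server"}, "10.0.2.5"),
}


def label_match(selector, labels):
    """matchLabels semantics only; an empty selector ({}) matches everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_admits(peer, policy_ns, src_ns, src_labels, src_ip):
    """Evaluate ONE element of a `from` array against a source.

    namespaceSelector and podSelector in the same element are ANDed. A
    podSelector with no namespaceSelector only sees the policy's own
    namespace. ipBlock looks at the IP alone and honours `except`.
    """
    if "ipBlock" in peer:
        if src_ip is None:
            return False
        ip, block = ipaddress.ip_address(src_ip), peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
    if src_ns is None:                       # cluster-external source, no pod identity
        return False
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is not None:
        if not label_match(ns_sel, NAMESPACES[src_ns]):
            return False
    elif src_ns != policy_ns:
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or label_match(pod_sel, src_labels)


def ingress_admits(policy, src_pod=None, src_ip=None):
    """True if any ingress rule admits the source. Elements of one `from`
    array are ORed, as are the rules. A rule without `from` admits every
    source; `ingress: []` admits none (default deny)."""
    policy_ns = policy["metadata"]["namespace"]
    src_ns, src_labels = (None, {})
    if src_pod is not None:
        src_ns, src_labels, src_ip = PODS[src_pod]
    for rule in policy["spec"].get("ingress", []):
        peers = rule.get("from")
        if not peers or any(peer_admits(p, policy_ns, src_ns, src_labels, src_ip)
                            for p in peers):
            return True
    return False


def make_policy(name, ingress):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "default"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                     "ingress": ingress}}


# ONE from element with both selectors: role=server pods in user=client namespaces.
POLICY_AND = make_policy("and-form", [{"from": [
    {"namespaceSelector": {"matchLabels": {"user": "client"}},
     "podSelector": {"matchLabels": {"role": "server"}}}]}])

# TWO from elements (a "- " before podSelector in YAML): any pod in a user=client
# namespace OR any role=server pod in the policy's own namespace.
POLICY_OR = make_policy("or-form", [{"from": [
    {"namespaceSelector": {"matchLabels": {"user": "client"}}},
    {"podSelector": {"matchLabels": {"role": "server"}}}]}])

# ipBlock with an `except` carve-out, intended for cluster-external sources.
POLICY_IPBLOCK = make_policy("ipblock", [{"from": [
    {"ipBlock": {"cidr": "203.0.113.0/24", "except": ["203.0.113.128/25"]}}]}])

# Default deny: selects every pod in the namespace and admits no ingress.
POLICY_DENY = make_policy("default-deny", [])

if __name__ == "__main__":
    for pol in (POLICY_AND, POLICY_OR, POLICY_DENY):
        admitted = [p for p in PODS if ingress_admits(pol, src_pod=p)]
        print(f"{pol['metadata']['name']:>13}: {admitted}")
    for ip in ("203.0.113.10", "203.0.113.200", "198.51.100.1"):
        print(f"ipblock {ip}: {ingress_admits(POLICY_IPBLOCK, src_ip=ip)}")
```

Running it shows the and-form admitting only the api Pod, while the or-form also admits web (local role=server) and cli (any Pod in a user=client namespace). The evaluator ignores ports and matchExpressions and checks only the from side of ingress; the egress to side follows the same selector rules with the roles of source and destination swapped.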
Kubernetes Network Policies
It is widely accepted that a Kubernetes cluster is insecure by default: with no policies in place, every Pod can talk to every other Pod. The good news is that Kubernetes ships the tools to change that. In this article we look at one of the resources K8s provides out of the box to help secure your deployed apps: network policies.
A Kubernetes NetworkPolicy specifies how Pods may communicate with one another and with other network endpoints in the cluster. Network policies give fine-grained control over traffic, letting you segment the network and isolate your applications. They set incoming (ingress) and outgoing (egress) rules for Pods and are enforced by the cluster's CNI plugin, such as Calico or Weave Net. This matters in practice: if the installed network plugin does not implement NetworkPolicy, creating the resource has no effect and traffic stays unrestricted.