Kubernetes: Network Policies
NetworkPolicy is a Kubernetes object that enables the creation of policies to restrict the communication between pods and external entities in a namespace, using various factors like IP addresses, ports, protocols, and labels. The ingress section defines incoming traffic rules while the egress section defines outgoing traffic rules. NetworkPolicy uses podSelector to select pods based on their labels, namespaceSelector to select pods in particular namespaces, and ipBlock to specify IP address ranges (as CIDRs, optionally with excepted sub-ranges) that are allowed to reach, or be reached from, the selected pods.
Table of Contents
· Ingress and Egress Traffic
· Network Policies
· Short Name: netpol
· NetworkPolicy with YAML
∘ podSelector
∘ namespaceSelector
∘ ipBlock
Ingress and Egress Traffic
Ingress traffic refers to the incoming network traffic that is directed to a pod or a group of pods in the Kubernetes cluster. For example, if a user outside the cluster sends a request to a pod within the cluster, the traffic would be considered ingress traffic to that pod.
Egress traffic, on the other hand, refers to the outgoing network traffic from a pod or a group of pods in the Kubernetes cluster. For example, if a pod in the cluster sends a request to a service or an external endpoint outside the cluster, the traffic would be considered egress traffic from that pod.
Network Policies
By default, every pod in a Kubernetes cluster is non-isolated: it accepts traffic from any source and can send traffic to any destination, inside or outside the cluster. This can pose security risks, especially in multi-tenant environments where multiple applications and teams coexist.
NetworkPolicy is a namespaced Kubernetes object that allows you to define how pods can communicate with each other and with external entities. Rules can be based on various factors such as IP addresses, ports, protocols, and labels, enabling you to restrict traffic to specific pods or groups of pods based on your security requirements. Two properties matter in practice. First, policies are allow-lists: as soon as a pod is selected by any policy with a given policyType it becomes isolated in that direction and only explicitly allowed traffic passes (several policies selecting the same pod are combined by union). Second, the API object alone does nothing; enforcement is done by the CNI plugin (for example Calico or Cilium), and a cluster whose network plugin does not implement NetworkPolicy will accept the object and silently ignore it.
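The first policy practitioners usually apply in a namespace is a default deny in both directions, and only then add allow rules for the traffic that is actually needed. The manifest below is an added example, not part of these notes; the namespace name team-a is an assumption.

```yaml
# Added example (not from the original notes): deny all ingress and egress
# for every pod in the namespace. The namespace "team-a" is an assumed name.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  # An empty podSelector matches every pod in the namespace, so every pod
  # becomes isolated for both directions listed in policyTypes.
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  # No ingress or egress rules are listed, so nothing is allowed.
  # Policies are additive: later allow policies are unioned with this one,
  # so this object never has to be edited when access is granted.
```

After applying it, confirm the object exists with kubectl get netpol -n team-a and, from a pod in the namespace, try to reach another pod's IP with a short timeout: on a CNI that enforces NetworkPolicy the connection times out, and on one that does not (kubenet or plain flannel, for instance) it still succeeds, which is the quickest way to find out whether policies in your cluster mean anything at all.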
Short Name: netpol
$ kubectl api-resources
NAME              SHORTNAMES   APIVERSION             NAMESPACED   KIND
networkpolicies   netpol       networking.k8s.io/v1   true         NetworkPolicy
NetworkPolicy with YAML
podSelector
The podSelector field in spec selects pods in the policy's namespace based on their labels and determines which pods the policy applies to. An empty selector (podSelector: {}) matches every pod in the namespace. A podSelector inside a from or to entry has a different role: it selects the peer pods that the rule allows traffic from or to, again only within the policy's own namespace unless it is paired with a namespaceSelector.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-network-policy
spec:
  podSelector:
    matchLabels:
      name: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          name: frontend
    ports:
    - port: 8080
      protocol: TCP
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: database
    ports:
    - port: 5432
      protocol: TCP
In this case, this NetworkPolicy targets pods labeled with name: backend. The ingress section allows incoming traffic from name: frontend pods in the same namespace on TCP port 8080. The egress section allows outgoing traffic to name: database pods on TCP port 5432. Because policyTypes lists both Ingress and Egress, everything else is dropped: in particular, the backend pods can no longer reach the cluster DNS service, so a name such as database will not resolve until an egress rule for UDP and TCP port 53 is added.
namespaceSelector
namespaceSelector is a field that selects namespaces by their labels and allows traffic from (or to) all the pods in the matched namespaces. It matches labels on the Namespace object, not the namespace's name directly.
...
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: namespace1
    ports:
    - port: 8080
      protocol: TCP
...
In this case, it allows traffic on TCP port 8080 from every pod in any namespace that carries the label name: namespace1. The label has to be present on the Namespace object (for example kubectl label namespace namespace1 name=namespace1); Kubernetes 1.21 and later also set the label kubernetes.io/metadata.name: <namespace name> automatically, which can be matched instead. Note the list structure: a namespaceSelector and a podSelector written as two separate items under from are ORed, while both written inside one item are ANDed (only pods with those labels in those namespaces).
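The placement of the dash is the most common NetworkPolicy mistake, so here is the backend policy from the podSelector section rewritten to use both selector kinds together, as an added example that is not part of these notes. It also adds the DNS egress rule the original policy lacks. The namespaces frontend and monitoring are assumed names, and the cluster DNS pods are assumed to sit in kube-system with the label k8s-app: kube-dns (the CoreDNS default, but check your cluster).

```yaml
# Added example (not from the original notes). Completes the backend policy
# above and shows how list placement changes the meaning of selectors.
# Assumed names: namespaces "frontend" and "monitoring"; cluster DNS pods in
# kube-system labelled k8s-app=kube-dns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-network-policy
spec:
  podSelector:
    matchLabels:
      name: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    # ONE list item holding two selectors = AND: pods labelled name=frontend
    # that are ALSO in the namespace "frontend". A name=frontend pod in the
    # backend's own namespace no longer matches.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: frontend
      podSelector:
        matchLabels:
          name: frontend
    # A SEPARATE list item = OR: additionally allow every pod in "monitoring"
    # (a namespaceSelector on its own selects all pods in the namespace).
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: monitoring
    ports:
    - port: 8080
      protocol: TCP
  egress:
  - to:
    - podSelector:
        matchLabels:
          name: database
    ports:
    - port: 5432
      protocol: TCP
  # Without this rule the egress allow-list blocks DNS and "database" can
  # never be resolved. Allow UDP and TCP 53 to the cluster DNS pods only,
  # not to the whole kube-system namespace.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```

If the indentation under from were changed so that podSelector started its own dash, the first rule would silently widen to "any pod labelled name=frontend in this namespace OR any pod at all in namespace frontend", which is why kubectl describe netpol output is worth reading back after every apply: it prints each from entry on its own, so an unintended OR is visible.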
ipBlock
ipBlock is a field used to specify IP address ranges, as CIDR blocks, that are allowed to send traffic to (ingress) or receive traffic from (egress) the selected pods. A single address is written as a /32 CIDR (for example 192.168.1.10/32), and an optional except list removes sub-ranges of the cidr from the match. There is no deny rule; ipBlock, like every other peer type, only extends the allow-list.
...
  ingress:
  - from:
    - ipBlock:
        cidr: 192.168.0.0/16
    ports:
    - port: 8080
      protocol: TCP
...
In this example, the ipBlock field specifies the CIDR block 192.168.0.0/16. The ingress section allows incoming TCP traffic to the pod on port 8080 only if the source IP address is within this CIDR block. ipBlock is intended for traffic entering or leaving the cluster: pod IPs are ephemeral and should be matched with selectors, and traffic that passes through a LoadBalancer or NodePort may be source-NATed to a node address before the policy sees it, so check which source IP actually arrives before relying on an ipBlock rule.
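The except list is what makes ipBlock useful on the egress side. A common requirement is "this workload may talk to the internet but to nothing internal", and the manifest below, an added example that is not part of these notes, expresses that with a single ipBlock. The app: web label is an assumption; the RFC 1918 ranges and the 169.254.169.254 metadata address are standard values rather than anything specific to a cluster.

```yaml
# Added example (not from the original notes): allow the selected pods to
# reach the public internet over HTTPS, but not the private address ranges
# (where nodes, the pod network and internal services usually live) and not
# the cloud instance metadata endpoint, which hands out node credentials.
# Assumes the workload is labelled app=web.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-egress-internet-only
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        # every entry in "except" must be a sub-range of "cidr"
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 169.254.169.254/32   # cloud metadata / credential endpoint
    ports:
    - port: 443
      protocol: TCP
  # With policyTypes: [Egress] and only this rule, DNS is blocked as well;
  # a separate egress rule for port 53 to the cluster DNS pods is still
  # required (not shown here).
```

Two things to verify after applying this: that the pod network CIDR and the service CIDR of your cluster actually fall inside one of the excepted ranges (some clusters use non-RFC 1918 pod ranges such as 100.64.0.0/10, which would need their own entry), and that a request to http://169.254.169.254/ from a web pod now fails rather than returning instance metadata.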
These are my personal notes for CKA exam preparation on Kubernetes. Please feel free to correct me if you notice any errors. 😊