Network Policies

By default, a Pod can communicate with any other Pod in the same cluster. NetworkPolicies allow you to limit the network traffic allowed to and from Pods in the cluster. A sample NetworkPolicy is shown below.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sample-network-policy
spec:
  podSelector:
    matchLabels:
      app: secure-app
  policyTypes:
  - Ingress
  - Egress
  ingress: # traffic coming into the Pod
    - from:
        - podSelector:
            matchLabels:
              allow-access: "true" # allow inbound traffic from Pods that have this label
      ports:
        - protocol: TCP
          port: 6379
  egress: # traffic leaving the Pod
    - to:
        - podSelector:
            matchLabels:
              allow-access: "true" # allow outbound traffic to Pods that have this label
      ports:
        - protocol: TCP
          port: 6379

  • spec.podSelector.matchLabels – assigns this NetworkPolicy to Pods with the label app: secure-app.
  • policyTypes – indicates the type of traffic this NetworkPolicy applies to: Ingress (inbound), Egress (outbound) or both.
  • ingress.from.podSelector.matchLabels – defines rules for incoming traffic. allow-access: "true" means that inbound traffic will only be permitted from Pods with the label allow-access: "true".
  • ingress.ports.protocol and ingress.ports.port – specify the protocol and port permitted for incoming traffic.
  • egress.to.podSelector.matchLabels – defines rules for outbound traffic. allow-access: "true" means that outbound traffic will only be permitted to Pods with the label allow-access: "true".
  • egress.ports.protocol and egress.ports.port – specify the protocol and port permitted for outbound traffic.

To create the above NetworkPolicy run kubectl apply -f sample-network-policy.yaml. You can view the NetworkPolicy by running kubectl get networkpolicies.

If you want to see the specification for an existing NetworkPolicy use the describe command.

To test the NetworkPolicy we’ll create two Pods.

  • a Pod that is secured by the NetworkPolicy called network-policy-secure-pod
  • a Pod that will attempt to call network-policy-secure-pod, called network-policy-client-pod

network-policy-secure-pod is defined as follows.

apiVersion: v1
kind: Pod
metadata:
  name: network-policy-secure-pod
  labels:
    app: secure-app
spec:
  containers:
    - name: network-policy-secure-container
      image: nginx
      ports:
        - containerPort: 80

Note that metadata.labels app: secure-app matches the podSelector.matchLabels value specified in the NetworkPolicy earlier. This means that the NetworkPolicy will secure traffic to and from this Pod.

network-policy-client-pod is defined as follows.

apiVersion: v1
kind: Pod
metadata:
  name: network-policy-client-pod
spec:
  containers:
    - name: busybox
      image: radial/busyboxplus:curl
      command: ['sh', '-c', 'while true; do sleep 3600; done']

We can use this Pod to run a cURL command to attempt to access network-policy-secure-pod.

Access to network-policy-secure-pod is not permitted from network-policy-client-pod because network-policy-secure-pod is secured by the NetworkPolicy. For network-policy-client-pod to have access it would have to carry the label allow-access: "true" so that it satisfies the Ingress rule specified in the NetworkPolicy.
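The decision described above can be reproduced offline. The following Python script is an added example (it is not part of these notes and not Kubernetes code) that models the selector and port matching a network plugin performs for the sample policy; the pod label sets it uses are constructed to mirror the two Pods defined above. It makes two things visible that the notes do not spell out: giving the client the app: secure-app label would not help, because the ingress rule selects peers by allow-access: "true", and even a correctly labelled client is refused on port 80, since the rule only lists TCP 6379 while the nginx container listens on 80.

```python
# Added example, not part of the original notes or of Kubernetes itself: an
# offline model of how the sample NetworkPolicy above is evaluated. Pods are
# represented only by their label dicts, and every pod is assumed to live in
# the policy's own namespace (a peer podSelector without a namespaceSelector
# only ever matches pods in that namespace).

# The sample NetworkPolicy from the notes as a plain dict (same content as the
# YAML, so no PyYAML dependency is needed).
SAMPLE_POLICY = {
    "metadata": {"name": "sample-network-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "secure-app"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"allow-access": "true"}}}],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
        "egress": [{
            "to": [{"podSelector": {"matchLabels": {"allow-access": "true"}}}],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }],
    },
}

# Constructed label sets mirroring the two Pods defined in the notes.
SECURE_POD = {"app": "secure-app"}   # network-policy-secure-pod
CLIENT_POD = {}                       # network-policy-client-pod has no labels


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value pair in the selector must be on the
    pod. An empty selector matches every pod, as it does in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ports_match(rule_ports, protocol, port):
    """A rule without a ports list allows every port; otherwise one entry must
    match both the protocol (TCP when omitted) and the port number."""
    if not rule_ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port
               for p in rule_ports)


def rule_matches(rule, peer_key, peer_labels, protocol, port):
    """One ingress ('from') or egress ('to') rule matches when some listed peer
    selects the other pod AND the port is allowed. A rule with no peers allows
    every peer."""
    peers = rule.get(peer_key, [])
    peer_ok = not peers or any(selector_matches(peer["podSelector"], peer_labels)
                               for peer in peers if "podSelector" in peer)
    return peer_ok and ports_match(rule.get("ports", []), protocol, port)


def policy_allows(policy, src_labels, dst_labels, protocol="TCP", port=80):
    """Decide whether src may open a connection to dst on protocol/port.

    Returns (allowed, reason). Ingress rules are enforced on the destination pod
    and egress rules on the source pod, each only if that pod is selected by
    spec.podSelector; a pod the policy does not select keeps the default
    allow-all behaviour."""
    spec = policy["spec"]
    selected = spec["podSelector"]
    types = spec.get("policyTypes", [])
    if "Ingress" in types and selector_matches(selected, dst_labels):
        if not any(rule_matches(r, "from", src_labels, protocol, port)
                   for r in spec.get("ingress", [])):
            return False, "denied: no ingress rule on the destination matches"
    if "Egress" in types and selector_matches(selected, src_labels):
        if not any(rule_matches(r, "to", dst_labels, protocol, port)
                   for r in spec.get("egress", [])):
            return False, "denied: no egress rule on the source matches"
    return True, "allowed"


if __name__ == "__main__":
    cases = [
        ("client pod as defined in the notes -> secure pod :80", CLIENT_POD, SECURE_POD, 80),
        ("client relabelled app=secure-app -> secure pod :80", {"app": "secure-app"}, SECURE_POD, 80),
        ("client labelled allow-access=true -> secure pod :80", {"allow-access": "true"}, SECURE_POD, 80),
        ("client labelled allow-access=true -> secure pod :6379", {"allow-access": "true"}, SECURE_POD, 6379),
        ("secure pod -> unlabelled client :80 (egress side)", SECURE_POD, CLIENT_POD, 80),
        ("client pod -> a pod the policy does not select :80", CLIENT_POD, {"app": "other"}, 80),
    ]
    for name, src, dst, port in cases:
        allowed, reason = policy_allows(SAMPLE_POLICY, src, dst, "TCP", port)
        print(f"{name}: {reason}")
```

On a real cluster the equivalent check is kubectl exec network-policy-client-pod -- curl -m 5 <secure pod IP>, with the IP taken from kubectl get pod network-policy-secure-pod -o wide. Keep in mind that NetworkPolicy objects are only enforced when the cluster's network plugin supports them; otherwise the API server accepts the object but it has no effect, and the curl from the client Pod will succeed.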

The sample code for these notes is available on GitHub.