Network Policy Kubernetes
Network policies in Kubernetes allow you to control the network traffic to and from your pods, giving you fine-grained control over your network security. This can be especially useful in a multi-tenant environment, where you need to ensure that different teams or applications have isolated and secure networks.
Here’s a step-by-step tutorial on how to create a network policy in Kubernetes:
Verify that your cluster has a network policy provider: Before you can create network policies, you need to make sure that your cluster has a network policy provider. You can check this by running the following command:
$ kubectl describe pod -n kube-system | grep -E "^Name|^Network Policy"
The output should show the name of the network policy provider, such as “calico”.
Define the network policy: Network policies are defined as Kubernetes objects, so you’ll need to create a YAML file that defines the policy. Here’s an example of a policy that only allows incoming traffic from pods within the same namespace:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: only-internal-traffic
namespace: my-namespace
spec:
podSelector:
matchLabels:
app: my-app
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: my-app
In this example, the policy only allows incoming traffic to pods with the label “app: my-app” in the “my-namespace” namespace.
Apply the network policy:
To apply the network policy, you can use the kubectl apply command:
$ kubectl apply -f <policy-file>.yaml
Replace
Verify the network policy:
You can verify that the network policy is working as expected by trying to access one of the pods from another pod in a different namespace. If the policy is correctly applied, the access should be blocked.
This is a simple example of how to create a network policy in Kubernetes. You can create more complex policies by using the different fields in the network policy specification, such as egress for outgoing traffic, from for incoming traffic sources, and ports for specific port numbers. You can also use tools like Calico or Istio to provide more advanced network policy features.
Here’s a walkthrough on how to create two pods with the label app=beta and a network policy that blocks access from apps that don’t have the same label:
First create the two pods:
Use the following YAML file to create two pods with the label app=beta:
apiVersion: v1
kind: Pod
metadata:
name: beta-pod-1
labels:
app: beta
spec:
containers:
- name: beta-container-1
image: nginx
---
apiVersion: v1
kind: Pod
metadata:
name: beta-pod-2
labels:
app: beta
spec:
containers:
- name: beta-container-2
image: nginx
Save this YAML file as beta-pods.yaml and run the following command to create the two pods:
$ kubectl apply -f beta-pods.yaml
Create the network policy:
Use the following YAML file to create a network policy that blocks access from any pods that don’t have the label app=beta:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: block-non-beta-traffic
spec:
podSelector:
matchLabels:
app: beta
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: beta
Save this YAML file as block-non-beta-traffic.yaml and run the following command to create the network policy:
$ kubectl apply -f block-non-beta-traffic.yaml
Verify the network policy:
You can verify that the network policy is working as expected by trying to access one of the beta-pod pods from another pod with a different label. If the policy is correctly applied, the access should be blocked. This is an example of how to create a network policy in Kubernetes that blocks access from pods with a different label. You can modify this example to suit your specific requirements, for example by using different labels, namespaces, or traffic sources.