💙 ABS is one of the five Certified Kubernetes Service Providers in India 💙

Like how we are restricting access using firewall, in kubernetes cluster you can restrict access of pod using network policy. Network policy is used to restrict the access of pod to pod communication in cluster. As a prerequisite you have to install any available network plugin such as calico, flannel, etc. Network plugin implements network policies. To use network policies you must use networking solutions.

Here the pod can communicate with other pod using IP addresses. Each pod is assigned with IP address.

To explain about network policy here we are taking two namespaces such as dev, prod. Each namespace consists of two pods.

Now we will see how the pod is getting communicated within namespace and form other namespace.

Here the pod can communicate with each other in same namespace. Now we will see whether the pod can communicate from other namespace as well.

Clearly, we can see that pod from prod namespace can communicate with pod from dev namespace.

The Network Policy Resources

				
					apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:   # The network policy applies to the pod with label role=db.An empty pod 
    matchLabels: #selector selects all the pods in the namespace.
      role: db
  policyTypes: #Policy type could be ingress or egress
    - Ingress
    - Egress
  ingress: # Ingress policy type specifies that incoming traffic to the pod.
    - from:
        - ipBlock: # It allows incoming traffic from pod with the following IP
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
        - namespaceSelector: # allows incoming traffic from pod with the following namespace
            matchLabels:
              project: myproject
        - podSelector: # allows traffic from this particular pod.
            matchLabels:
              role: frontend
      ports: # allows a particular protocol and port.
        - protocol: TCP
          port: 6379
  egress: # Egress specifies outgoing traffic. 
    - to: # allows outgoing traffic from the pod where we apply network policy to this pod with the 
        - ipBlock: #follwoing IP address
            cidr: 10.0.0.0/24
      ports: # allows a particular protocol and port.
        - protocol: TCP
          port: 5978

				
			

1.Namespace selector and Pod selector

If we want to allow a traffic to/from a particular pod from particular namespace then we can define network policy as follows.

				
					  ingress:
  - from:
    - namespaceSelector:      #
        matchLabels:          #
          tier: database      #  Allows after matching                           
      podSelector:            #  namespaceSelector AND podSelector
        matchLabels:          #
          role: db            #

				
			

2.Namespace selector or Pod Selector

If we want to allow a traffic from a particular namespace or from a particular pod then we can apply the network policy rules as follows

				
					  ingress:
  - from:
    - namespaceSelector:      #
        matchLabels:          #
          tier: database      #  Allows after matching                           
    - podSelector:            #  namespaceSelector OR podSelector
        matchLabels:          #
          role: db            #

				
			

1.Default deny all Ingress Traffic

It denies all the incoming traffic to that particular pod from the defined namespace. Let’s see how it denies all the incoming traffic to that particular pod.

Here we are trying to connect prodserver-2 in prod namespace from prodserver-1. The pod is getting connected. Now we will apply the default deny all ingress network policy and test the applied rules. Apply the network policy rules as follows

				
					apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: prod
spec:
  podSelector: {}
  policyTypes:
  - Ingress

				
			

Here we are applying default deny all ingress traffic in the prod namespace. An incoming traffic to the pod in the prod namespace will get restricted. Let’s see it.

Here we are trying to connect a pod podserver-2 from prodserver-1.From this picture we can clearly seen that prodserver-2 is not getting connected at all.

Here we are trying to connect prodserver-2 from devserver-1. prodserver-2 is not receiving any incoming traffic. So the applied network policy is clearly working.

2.Default Deny all egress traffic

If you want to restrict an outgoing traffic from all the pod in a defined namespace you can apply default deny all egress traffic.

				
					apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: prod
spec:
  podSelector: {}
  policyTypes:
  - Egress

				
			

Here default deny all egress traffic in prod namespace. So we are testing it from that namespace.

Logging into prodserver-1 and try to send traffic to all other pods within namespace and also pods in different namespace. From this picture we could understand that prodserver-1 couldn’t send traffic to any other pods.

3.Allow all ingress traffic

If you want to allow all incoming connections to all pods in a namespace, you can apply allow all ingress traffic network policy.

				
					apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
  namespace: prod
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress

				
			

Logging into devserver-1 and try to send an traffic to prodserver-1. It is allowing traffic.

4.Allow all egress traffic

If you want to allow all outgoing connections from pods in that namespace then you can apply allow all egress traffic network policy.

				
					apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress
  namespace: prod
spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress

				
			

Here from prodserver-1 we are sending an outgoing traffic to devserver-2 .The outgoing connection is allowed.

5.Default deny all ingress and all egress traffic

If you want to apply a policy that won’t allow any incoming traffic and outgoing traffic in a defined namespace then you can apply this policy as follows.

				
					apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod 
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

				
			

From this picture we can clearly seen that incoming traffic and outgoing traffic from all pods in that prod namespace is restricted.