Kubernetes: how to use network policy

In a Kubernetes environment, network policies are the mechanism for controlling Layer 3 and Layer 4 traffic between pods.

In this post I describe network policies with a few simple examples.

My lab setup

I have a three-node Kubernetes cluster.

There are a few pods running there, and each pod has an environment label assigned. There are three categories of pods (dev, pods and web).

I'm testing a few scenarios here.

Scenario 01

Restrict both ingress and egress traffic to/from the web pods.

This is the YAML file I used:

—————————————

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-all-to-web
spec:
  podSelector:          # the policy applies to pods carrying this label
    matchLabels:
      environment: web
  policyTypes:          # listing a type without any ingress/egress rules denies all traffic of that type
    - Ingress
    - Egress


How to create a network policy

Save the YAML file and apply it.

How to view a network policy

How can we test this policy?

I logged in to ubuntudev2 and tried to curl or ping the web pods. But we can still connect to the other pods.

To test the egress traffic from the web pods, I logged in to one of the web pods and tried to run apt update, but I'm getting a connection error, which means our policy is working.

Scenario 02

In this scenario I have restricted only incoming traffic.

To test this, I'm deleting the existing policies now.

This is the YAML file I used:

——————————-

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-all-to-web
spec:
  podSelector:
    matchLabels:
      environment: web
  policyTypes:          # only Ingress is listed, so egress from the web pods is left open
    - Ingress

After applying this policy, I was able to connect outside from the web pods.



Scenario 03

In this scenario I'm enabling incoming traffic to the web pods only from the dev pods.

I used this YAML file to create the policy:

———————————–

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-all-to-web
spec:
  podSelector:
    matchLabels:
      environment: web
  policyTypes:
    - Ingress
  ingress:
    - from:             # only pods matching this selector may reach the web pods
        - podSelector:
            matchLabels:
              environment: dev


Scenario 04

In this scenario we are enabling traffic to the web pods from two pod categories (web and dev).

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-all-to-web
spec:
  podSelector:
    matchLabels:
      environment: web
  policyTypes:
    - Ingress
  ingress:
    - from:             # two list entries under one from: are OR-ed, so either label is accepted
        - podSelector:
            matchLabels:
              environment: dev
        - podSelector:
            matchLabels:
              environment: web

Scenario 05

In this scenario I'm allowing traffic from the dev and web pods, the same as scenario 04, but only on port 80.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-all-to-web
spec:
  podSelector:
    matchLabels:
      environment: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              environment: dev
        - podSelector:
            matchLabels:
              environment: web
      ports:            # ports sits at the same level as from: and applies to the whole rule, i.e. to both sources above
        - protocol: TCP
          port: 80

To test this, I logged in to one of the dev pods and tried to ping the web nginx pod.

But I can't ping; then I tried curl to access the nginx site, and I can reach the web pod via port 80.
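To see why each scenario above behaves as described without a cluster at hand, here is an added example (not code from the original post) that models the NetworkPolicy selection rules the five policies rely on: a pod not selected by any policy for a direction is open, a listed policyType with no rules denies everything in that direction, and the rules of all applicable policies are additive. It encodes scenarios 01, 02, 03 and 05 (04 is 05 without the port restriction) and assumes a single namespace, podSelector peers only, and TCP/UDP port rules; the label values are the post's own.

```python
# Added example, not code from the original post: a small model of NetworkPolicy
# selection. Assumptions: one namespace, only podSelector peers, only TCP/UDP ports.
WEB, DEV = {"environment": "web"}, {"environment": "dev"}

def selects(selector, labels):
    # A podSelector matches when every matchLabels entry is present; {} matches all pods.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def rule_allows(rule, peer_labels, port, proto):
    # A missing/empty "from" (or "to") means any peer; a missing "ports" means any port.
    peers = rule.get("from") or rule.get("to") or []
    peer_ok = not peers or any(selects(p["podSelector"], peer_labels) for p in peers)
    ports = rule.get("ports") or []
    port_ok = not ports or any(p.get("port") == port and p.get("protocol", "TCP") == proto
                               for p in ports)
    return peer_ok and port_ok

def direction_allowed(policies, pod_labels, peer_labels, port, proto, direction):
    # direction: "Ingress" (pod is the destination) or "Egress" (pod is the source).
    spec_key = direction.lower()
    applicable = [p["spec"] for p in policies
                  if selects(p["spec"]["podSelector"], pod_labels)
                  and direction in p["spec"].get("policyTypes", ["Ingress"])]
    if not applicable:
        return True   # a pod not selected by any policy in this direction is open
    # Policies are additive: allowed if any rule of any applicable policy permits it.
    # A listed type with no rules (scenarios 01/02) therefore denies everything.
    return any(rule_allows(r, peer_labels, port, proto)
               for spec in applicable for r in spec.get(spec_key, []))

def connection_allowed(policies, src_labels, dst_labels, port, proto="TCP"):
    # Both the source's egress policies and the destination's ingress policies must allow it.
    return (direction_allowed(policies, src_labels, dst_labels, port, proto, "Egress")
            and direction_allowed(policies, dst_labels, src_labels, port, proto, "Ingress"))

def web_policy(types, ingress=None):
    # Builds the post's "block-all-to-web" policy as a dict mirroring the YAML.
    spec = {"podSelector": {"matchLabels": WEB}, "policyTypes": types}
    if ingress is not None:
        spec["ingress"] = ingress
    return {"spec": spec}

SCENARIOS = {
    "01": [web_policy(["Ingress", "Egress"])],
    "02": [web_policy(["Ingress"])],
    "03": [web_policy(["Ingress"], [{"from": [{"podSelector": {"matchLabels": DEV}}]}])],
    "05": [web_policy(["Ingress"], [{"from": [{"podSelector": {"matchLabels": DEV}},
                                             {"podSelector": {"matchLabels": WEB}}],
                                    "ports": [{"protocol": "TCP", "port": 80}]}])],
}
```

Note that the model, like the real policy in scenario 05, rejects the dev pod's ping because ICMP matches no entry in a TCP port list. On a real cluster the objects are only enforced if the installed CNI plugin implements NetworkPolicy; a cluster whose network plugin does not support it accepts the YAML but changes nothing, so the curl and ping checks the post performs are the right way to confirm enforcement.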
