Voiced by Amazon Polly |
Introduction
Network Policies is a Kubernetes resource that controls the traffic between pods. Network policy lets you secure access to and from their applications. The primary goal of network policies is to enhance the security and segmentation of your Kubernetes cluster. By default, pods in a Kubernetes cluster can communicate with each other freely, regardless of their location or purpose. However, you may want to restrict this communication to specific pods or namespaces in many scenarios.
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
What is Network Policy?
Network policy is Kubernetes resource which controls traffic between pods. They allow you to define rules that determine which pods can communicate with each other and what types of communication are permitted. To route the traffic, it uses labels to select the pod and direct the traffic toward those pods.
Network policies are applied to CNI plugins, and there are some popular CNI plugins like Calico, weavenet.
Image Source: k21academy
How does Network Policy Work?
There can be numerous situations when you permit or deny traffic from any specific or different sources.
Rules:
- Traffic is allowed if no policy is applied.
- Communication is denied if the policy is applied.
- Traffic is allowed if there is one policy that allows it.
Network Policy Specification
- PodSelector: This selects the particular pod in the specified namespace for ingress or egress of traffic.
- Policy Types: This includes ingress or egress arguments that need to mention.
- Ingress: This includes the inbound traffic.
- Egress: This includes the outbound traffic.
Default Network Policies
- Deny all ingress Traffic: This will deny all incoming traffic.
1 2 3 4 5 6 7 8 |
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress spec: podSelector: {} policyTypes: - Ingress |
2. Allow all ingress Traffic: This will all incoming traffic.
1 2 3 4 5 6 7 8 9 10 |
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-ingress spec: podSelector: {} ingress: - {} policyTypes: - Ingress |
- Deny all Egress Traffic: This will deny all outbound traffic.
1 2 3 4 5 6 7 8 |
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-egress spec: podSelector: {} policyTypes: - Egress |
4. Allow all Egress Traffic: This will all outbound traffic.
1 2 3 4 5 6 7 8 9 10 |
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-all-ingress spec: podSelector: {} ingress: - {} policyTypes: - Egress |
Custom Network policies
We have three namespaces named ns1, ns2, ns3, and pods under each namespace. We want only pods under ns1 to allow traffic only from pods under ns3 on port 80.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: ns1 spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: ns3 ports: - protocol: TCP port: 80 |
Conclusion
Kubernetes network policies offer a powerful means to enforce network-level security & control within a Kubernetes cluster. By defining and applying these policies, you can enhance the isolation of your applications, restrict communication to specific pods, and mitigate potential security risks within the cluster.
Making IT Networks Enterprise-ready – Cloud Management Services
- Accelerated cloud migration
- End-to-end view of the cloud environment
About CloudThat
CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
Drop a query if you have any questions regarding Kubernetes and I will get back to you quickly.
To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.
FAQs
1. How is network policy enforced?
ANS: – Network policies are enforced by the Network CNI plugin. CNI is installed in Kubernetes clusters like Calico or weavenet.
2. What is the purpose of network policy?
ANS: – Policy determine which Pods and Services can access one another inside your cluster. Defining network policy helps you enable things like defense in depth when your cluster is serving a multi-level application.
3. Are network policies namespace-specific in Kubernetes?
ANS: – Network policies in Kubernetes are namespace-specific by default. When you create a network policy, it is associated with a specific namespace. The policy only affects the pods within that namespace. This allows you to define different network policies for different namespaces, providing isolation and granular control over network traffic between pods in different namespaces.
WRITTEN BY Shubh Dadhich
Click to Comment