
Using Network Policies


Network Policies are crucial to controlling pod-to-pod access in a cluster. They enable cluster users to restrict:

  • Pod-to-pod communication within and between namespaces in the cluster (traffic can be selected by port or by label)
  • Pod-to-other-destination traffic, such as specific CIDR blocks (0.0.0.0, 172.168.0.0/16, 10.255.255.255/32)

When a network policy selects pods in a namespace, by default all incoming traffic to those pods (ingress) is blocked, while all outgoing traffic from them (egress) remains unblocked. Additional rules must be present to block egress or to allow ingress to certain pods.

The following Network Policy selects all pods in the meta namespace and explicitly prevents all Ingress traffic into those pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: meta
spec:
  podSelector: {}
  policyTypes:
  - Ingress

If you also add - Egress under the policyTypes section of the network policy, the policy will prevent all outgoing traffic from the selected pods in the meta namespace as well.

To allow incoming traffic to pods in the affected namespace, add the ingress key to the network policy’s spec. Under that key, define one or more rules specifying which pods, namespaces, or IP ranges (CIDRs) may send traffic to the selected pods.

The following Network Policy spec allows Ingress traffic to every pod in the default namespace from two kinds of sources: any address within the 10.0.0.0/8 CIDR block (covering IP addresses ranging from 10.0.0.0 to 10.255.255.255), and any pod in the default namespace labeled with the key-value pair network=approved. Each entry under from is a separate allowed source; the API does not permit combining an ipBlock with a podSelector in the same entry:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/8
    - podSelector:
        matchLabels:
          network: approved
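To make the isolation rules in this section concrete, here is a small Python evaluator, added as an example and not part of the original article or of Kubernetes itself. It applies the semantics described above (a pod becomes isolated only when a policy selects it, only in the directions listed under policyTypes, and each from entry is an independent allowed source) to a constructed set of namespaces and pods. The pod names, labels and IP addresses are made up for the example; the policies are the two shown in this article plus the default-deny-all variant the text describes when Egress is added to policyTypes. Ports are ignored.

```python
"""Toy evaluator for Kubernetes NetworkPolicy isolation semantics.

Added example; not code from the original article or from Kubernetes.
Models only what the article uses: podSelector/matchLabels, policyTypes,
and ingress/egress peers of kind podSelector, namespaceSelector or ipBlock.
"""
import ipaddress

# Constructed namespaces with labels (kubernetes.io/metadata.name is set by real clusters).
NAMESPACES = {
    "meta": {"kubernetes.io/metadata.name": "meta"},
    "default": {"kubernetes.io/metadata.name": "default"},
}
# Constructed pods keyed "namespace/name". Pod IPs are deliberately outside 10.0.0.0/8,
# so the ipBlock peer below matches an external client but never another pod.
PODS = {
    "meta/api":        {"namespace": "meta",    "labels": {"app": "api"},   "ip": "192.168.1.5"},
    "default/web":     {"namespace": "default", "labels": {"app": "web"},   "ip": "192.168.2.7"},
    "default/scanner": {"namespace": "default", "labels": {"app": "scan", "network": "approved"}, "ip": "192.168.2.9"},
    "default/other":   {"namespace": "default", "labels": {"app": "other"}, "ip": "192.168.2.11"},
}

# The article's policies, written as dicts instead of YAML.
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress", "namespace": "meta"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
# The variant the article describes: "- Egress" added to policyTypes.
DEFAULT_DENY_ALL = {
    "metadata": {"name": "default-deny-all", "namespace": "meta"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}
TEST_NETWORK_POLICY = {
    "metadata": {"name": "test-network-policy", "namespace": "default"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [
            {"ipBlock": {"cidr": "10.0.0.0/8"}},                         # peer 1
            {"podSelector": {"matchLabels": {"network": "approved"}}},  # peer 2, OR'd with peer 1
        ]}],
    },
}

def selector_matches(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def selected_pods(policy):
    """Pods the policy applies to: those in its own namespace matching spec.podSelector."""
    ns = policy["metadata"]["namespace"]
    return {name for name, pod in PODS.items()
            if pod["namespace"] == ns and selector_matches(policy["spec"]["podSelector"], pod["labels"])}

def policy_types(spec):
    """API default when policyTypes is omitted: Ingress always, Egress only if egress rules exist."""
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])

def peer_matches(peer, policy_ns, endpoint):
    """Does one 'from'/'to' peer match endpoint (a pod key or an external IP string)?"""
    if "ipBlock" in peer:  # ipBlock cannot be combined with selectors, so decide here
        ip = ipaddress.ip_address(PODS[endpoint]["ip"] if endpoint in PODS else endpoint)
        return (ip in ipaddress.ip_network(peer["ipBlock"]["cidr"])
                and not any(ip in ipaddress.ip_network(e) for e in peer["ipBlock"].get("except", [])))
    if endpoint not in PODS:
        return False  # selector peers never match external addresses
    pod = PODS[endpoint]
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACES[pod["namespace"]]):
            return False
    elif pod["namespace"] != policy_ns:
        return False  # a bare podSelector only reaches pods in the policy's own namespace
    # Within one peer, namespaceSelector and podSelector are AND'd; a missing podSelector matches all.
    return selector_matches(peer.get("podSelector", {}), pod["labels"])

def _direction_allowed(policies, subject, other, direction):
    """Ingress: subject is the destination pod; Egress: subject is the source pod."""
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if subject not in selected_pods(pol) or direction not in policy_types(spec):
            continue
        isolated = True  # selected for this direction: only explicitly allowed traffic passes
        for rule in spec.get(rules_key, []):
            # A rule without from/to allows everything; otherwise any one matching peer suffices.
            if peers_key not in rule or any(peer_matches(p, pol["metadata"]["namespace"], other)
                                            for p in rule[peers_key]):
                return True
    return not isolated  # pods selected by no policy accept and send everything

def connection_allowed(policies, src, dst):
    """A connection needs egress permission at src (if src is a pod) and ingress permission at dst."""
    if src in PODS and not _direction_allowed(policies, src, dst, "Egress"):
        return False
    return _direction_allowed(policies, dst, src, "Ingress")
```

With both article policies active, connection_allowed(policies, "default/scanner", "default/web") is allowed through the podSelector peer and connection_allowed(policies, "10.9.8.7", "default/web") through the ipBlock peer, while an unlabeled pod in default and anything destined for meta/api is denied. Replacing the list with just DEFAULT_DENY_INGRESS shows that pods in the default namespace are untouched by a policy in meta, and DEFAULT_DENY_ALL shows meta/api losing its egress as well.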

Network policies are an essential way to control network access between pods in your cluster. You can learn more about Kubernetes network policies and how to use them.