Introduction
By default, in Kubernetes all pods can communicate with all other pods across all namespaces; that can be restricted or controlled using a NetworkPolicy.
Network Policy (netpol) is a namespace-level (namespaced) resource.
A network policy can select traffic at the pod level (podSelector) or at the namespace level (namespaceSelector).
In the transcripts below, k, kg and kgp are shell aliases for kubectl, kubectl get and kubectl get pods.
Lab (Pod Level)
- Verify communication between two pods
ubuntu@kubemaster:~$ kg svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
backend ClusterIP 10.100.2.3 <none> 80/TCP 16d
frontend ClusterIP 10.101.17.48 <none> 80/TCP 16d
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 23d
ubuntu@kubemaster:~$ kgp
NAME READY STATUS RESTARTS AGE
backend 1/1 Running 0 45s
frontend 1/1 Running 0 5m37s 45s
ubuntu@kubemaster:~$ k exec frontend -- curl backend
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 615 100 615 0 0 133k 0 --:--:-- --:--:-- --:--:-- 150k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
ubuntu@kubemaster:~$
- Restrict communication using a default deny policy
With the policy below, no pod in the namespace is allowed to communicate with any other pod (podSelector: {} selects every pod, and despite the name default-deny-ingress the policy denies both directions because policyTypes lists Ingress and Egress); you must then create specific Network Policies to enable communication between selected pods or namespaces.
ubuntu@kubemaster:~$ cat defaultdeny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ubuntu@kubemaster:~$ kg netpol
NAME POD-SELECTOR AGE
default-deny-ingress <none> 12s
ubuntu@kubemaster:~$ k exec frontend -- curl backend
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0^C
- Create netpols to establish communication from frontend to backend: an egress policy on frontend and a matching ingress policy on backend. Note that the frontend egress rule allows traffic to the backend pod only, not to the cluster DNS pods, so the test below curls the backend pod IP directly instead of the service name.
ubuntu@kubemaster:~$ cat networkpolicy-allow-fe.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
run: frontend
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
run: backend
ubuntu@kubemaster:~$
ubuntu@kubemaster:~$ cat networkpolicy-allow-be.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy-be
namespace: default
spec:
podSelector:
matchLabels:
run: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
run: frontend
ubuntu@kubemaster:~$
ubuntu@kubemaster:~$ kg netpol
NAME POD-SELECTOR AGE
default-deny-ingress <none> 21m
test-network-policy run=frontend 12m
test-network-policy-be run=backend 6m58s
ubuntu@kubemaster:~$
ubuntu@kubemaster:~$ k exec frontend -- curl 10.44.0.3
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
100 615 100 615 0 0 454k 0 --:--:-- --:--:-- --:--:-- 600k
ubuntu@kubemaster:~$
Lab (Namespace Level)
Here the backend policy is extended with an egress rule that uses a namespaceSelector matching the database namespace's app=db label, so backend may reach pods in that namespace.
ubuntu@kubemaster:~$ kgp -n database
NAME READY STATUS RESTARTS AGE
oracle 1/1 Running 2 (46m ago) 16d
ubuntu@kubemaster:~$ kg svc -n database
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
oracle ClusterIP 10.111.106.68 <none> 80/TCP 2m35s
ubuntu@kubemaster:~$ kg ns --show-labels
NAME STATUS AGE LABELS
aruntest Active 9d kubernetes.io/metadata.name=aruntest
database Active 16d app=db,kubernetes.io/metadata.name=database,ns=arunm
ubuntu@kubemaster:~$ cat networkpolicy-allow-be.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy-be
namespace: default
spec:
podSelector:
matchLabels:
run: backend
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
run: frontend
egress:
- to:
- namespaceSelector:
matchLabels:
app: db
ubuntu@kubemaster:~$
ubuntu@kubemaster:~$ k exec backend -- curl 10.44.0.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 615 100 615 0 0 970k 0 --:--:-- --:--:-- --:--:-- 600k
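As an added example (not code from the original notes), the Python below evaluates the NetworkPolicy rules the two labs depend on against the labs' own pods and manifests: it shows that frontend reaches backend only when both the egress policy on frontend and the ingress policy on backend exist, that backend reaches the oracle pod through the namespaceSelector on app=db, and that frontend cannot reach cluster DNS under its egress policy, which is why the lab curls the backend by pod IP. The kube-dns pod, its labels and the kube-system namespace are assumed; everything else is taken from the manifests above.

```python
# Added example (not from the notes): the NetworkPolicy semantics the labs rely on, evaluated against the labs' own pods and policies.
NAMESPACES = {  # namespace -> labels; database carries app=db as in the notes
    "default": {"kubernetes.io/metadata.name": "default"},
    "database": {"app": "db", "kubernetes.io/metadata.name": "database"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},  # assumed
}
PODS = {  # pod -> namespace and labels; kube-dns is an assumed stand-in for cluster DNS
    "frontend": {"ns": "default", "labels": {"run": "frontend"}},
    "backend": {"ns": "default", "labels": {"run": "backend"}},
    "oracle": {"ns": "database", "labels": {"run": "oracle"}},
    "kube-dns": {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}},
}
POLICIES = [  # the three manifests from the notes, reduced to the fields that matter
    {"ns": "default", "podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    {"ns": "default", "podSelector": {"run": "frontend"}, "policyTypes": ["Egress"],
     "egress": [{"to": [{"podSelector": {"run": "backend"}}]}]},
    {"ns": "default", "podSelector": {"run": "backend"}, "policyTypes": ["Ingress", "Egress"],
     "ingress": [{"from": [{"podSelector": {"run": "frontend"}}]}],
     "egress": [{"to": [{"namespaceSelector": {"app": "db"}}]}]},
]

def selects(selector, labels):  # {} matches every pod, which is what makes default deny work
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, pod, policy_ns):
    """podSelector alone is scoped to the policy's namespace; namespaceSelector spans namespaces."""
    if "namespaceSelector" in peer:
        return (selects(peer["namespaceSelector"], NAMESPACES[pod["ns"]])
                and selects(peer.get("podSelector", {}), pod["labels"]))
    return pod["ns"] == policy_ns and selects(peer["podSelector"], pod["labels"])

def direction_allowed(pod, other, direction, policies):
    """Ingress is evaluated on the destination pod, egress on the source. A pod selected by no
    policy of that type is unrestricted; otherwise some rule must admit the peer (rules only add)."""
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    restricted = allowed = False
    for pol in policies:
        if (pol["ns"] != pod["ns"] or direction not in pol["policyTypes"]
                or not selects(pol["podSelector"], pod["labels"])):
            continue
        restricted = True  # selected by a policy with this type: deny unless a rule allows
        for rule in pol.get(rules_key, []):
            peers = rule.get(peers_key)  # a rule without from/to admits every peer
            if not peers or any(peer_matches(p, other, pol["ns"]) for p in peers):
                allowed = True
    return allowed or not restricted

def connection_allowed(src, dst, policies=POLICIES):
    """Traffic flows only if src may egress to dst AND dst may ingress from src."""
    return (direction_allowed(PODS[src], PODS[dst], "Egress", policies)
            and direction_allowed(PODS[dst], PODS[src], "Ingress", policies))
```

Passing POLICIES[:1] reproduces the default-deny state of the first lab, and an empty list reproduces the unrestricted cluster before any policy is applied.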