CKA: Kubernetes Network Policy

Introduction
By default, every pod in a Kubernetes cluster can communicate with every other pod across all namespaces. A NetworkPolicy restricts or controls that traffic.
NetworkPolicy (netpol) is a namespaced resource: it selects pods in its own namespace and is enforced by the cluster's CNI plugin, so it has no effect on a network plugin that does not support it.
Its rules can select traffic at the pod level (podSelector) or at the namespace level (namespaceSelector); both are shown in the labs below.

Lab (Pod Level)
- Verify communication between two pods
ubuntu@kubemaster:~$ kg svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
backend ClusterIP 10.100.2.3 <none> 80/TCP 16d
frontend ClusterIP 10.101.17.48 <none> 80/TCP 16d
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 23d
ubuntu@kubemaster:~$ kgp
NAME READY STATUS RESTARTS AGE
backend 1/1 Running 0 45s
frontend 1/1 Running 0 5m37s 45s
ubuntu@kubemaster:~$ k exec frontend -- curl backend
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 615 100 615 0 0 133k 0 --:--:-- --:--:-- --:--:-- 150k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
ubuntu@kubemaster:~$
- Restrict communication using a default deny policy
With a default-deny policy in place, pods in the namespace are no longer allowed to communicate with each other; specific Network Policies must then be created to enable communication between selected pods or namespaces. Note that the policy below lists both Ingress and Egress under policyTypes, so despite its name it denies traffic in both directions.
ubuntu@kubemaster:~$ cat defaultdeny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
ubuntu@kubemaster:~$ kg netpol
NAME POD-SELECTOR AGE
default-deny-ingress <none> 12s
ubuntu@kubemaster:~$ k exec frontend -- curl backend
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0^C
- Create netpols to establish communication from frontend to backend
Because the default deny isolates both directions, two policies are needed: an egress rule on frontend allowing traffic to backend, and an ingress rule on backend allowing traffic from frontend. The same default deny also blocks frontend's egress to kube-dns, so service names no longer resolve from frontend; the verification below therefore targets the backend pod IP directly.
ubuntu@kubemaster:~$ cat networkpolicy-allow-fe.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: backend
ubuntu@kubemaster:~$
ubuntu@kubemaster:~$ cat networkpolicy-allow-be.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy-be
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend
ubuntu@kubemaster:~$
ubuntu@kubemaster:~$ kg netpol
NAME POD-SELECTOR AGE
default-deny-ingress <none> 21m
test-network-policy run=frontend 12m
test-network-policy-be run=backend 6m58s
ubuntu@kubemaster:~$
ubuntu@kubemaster:~$ k exec frontend -- curl 10.44.0.3
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
100 615 100 615 0 0 454k 0 --:--:-- --:--:-- --:--:-- 600k
ubuntu@kubemaster:~$
Lab (Namespace Level)
Here networkpolicy-allow-be.yaml is extended with an egress rule so that backend may reach pods in any namespace labelled app=db (the database namespace), using a namespaceSelector instead of a podSelector.
ubuntu@kubemaster:~$ kgp -n database
NAME READY STATUS RESTARTS AGE
oracle 1/1 Running 2 (46m ago) 16d
ubuntu@kubemaster:~$ kg svc -n database
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
oracle ClusterIP 10.111.106.68 <none> 80/TCP 2m35s
ubuntu@kubemaster:~$ kg ns --show-labels
NAME STATUS AGE LABELS
aruntest Active 9d kubernetes.io/metadata.name=aruntest
database Active 16d app=db,kubernetes.io/metadata.name=database,ns=arunm
ubuntu@kubemaster:~$ cat networkpolicy-allow-be.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy-be
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          app: db
ubuntu@kubemaster:~$
ubuntu@kubemaster:~$ k exec backend -- curl 10.44.0.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 615 100 615 0 0 970k 0 --:--:-- --:--:-- --:--:-- 600k
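The following Python model is an added example for both labs above; it is not code from these notes or from Kubernetes. It re-implements the selection rules the labs depend on (policies are additive allow-lists, a pod that no policy selects for a direction stays open in that direction, a new connection needs the source's egress and the destination's ingress to both be allowed, a podSelector peer is scoped to the policy's namespace while a namespaceSelector peer spans namespaces) and replays the lab's policies against the lab's pods. The kube-dns pod and the label on the default namespace are assumptions; ports and ipBlock peers are not modelled.

```python
"""Model of how Kubernetes evaluates the NetworkPolicies from these notes.

Added example, not code from the notes or from Kubernetes. The pods,
namespaces and policies mirror the lab; the kube-dns pod and the label on
the default namespace are assumptions. Ports and ipBlock peers are omitted.
"""

# Constructed inventory mirroring the lab (kube-dns and the default ns label are assumed).
NAMESPACES = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "database": {"app": "db", "kubernetes.io/metadata.name": "database", "ns": "arunm"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}
PODS = {
    "frontend": {"ns": "default", "labels": {"run": "frontend"}},
    "backend": {"ns": "default", "labels": {"run": "backend"}},
    "oracle": {"ns": "database", "labels": {"run": "oracle"}},
    "kube-dns": {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}},
}


def matches(labels, selector):
    """matchLabels is an AND of equalities; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, pod, policy_ns):
    """Evaluate one 'from'/'to' entry against a pod."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only peer: not modelled here
    # A podSelector on its own only reaches pods in the policy's own namespace.
    ns_ok = pod["ns"] == policy_ns if ns_sel is None else matches(NAMESPACES[pod["ns"]], ns_sel)
    pod_ok = pod_sel is None or matches(pod["labels"], pod_sel)
    return ns_ok and pod_ok


def direction_allowed(policies, subject, peer, direction):
    """direction is 'Ingress' (peer -> subject) or 'Egress' (subject -> peer)."""
    peer_key = "from" if direction == "Ingress" else "to"
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == subject["ns"]
                 and direction in p["spec"].get("policyTypes", [])
                 and matches(subject["labels"], p["spec"]["podSelector"])]
    if not selecting:
        return True  # nothing isolates this pod in this direction: default allow
    for p in selecting:
        for rule in p["spec"].get(direction.lower(), []):
            peers = rule.get(peer_key)
            # A rule without peers allows everything; otherwise any listed peer may match.
            if not peers or any(peer_matches(x, peer, subject["ns"]) for x in peers):
                return True
    return False  # isolated, and no rule in any selecting policy allowed it


def connection_allowed(policies, src_name, dst_name):
    """Can src open a new connection to dst? (Replies on established flows are always allowed.)"""
    src, dst = PODS[src_name], PODS[dst_name]
    return (direction_allowed(policies, src, dst, "Egress")
            and direction_allowed(policies, dst, src, "Ingress"))


def policy(name, pod_selector, types, ingress=None, egress=None, ns="default"):
    """Build a policy dict with the same shape as the lab's YAML."""
    spec = {"podSelector": pod_selector, "policyTypes": types}
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {"metadata": {"name": name, "namespace": ns}, "spec": spec}


# defaultdeny.yaml: selects every pod, isolates both directions, grants nothing.
DEFAULT_DENY = policy("default-deny-ingress", {}, ["Ingress", "Egress"])
# networkpolicy-allow-fe.yaml
ALLOW_FE = policy("test-network-policy", {"matchLabels": {"run": "frontend"}}, ["Egress"],
                  egress=[{"to": [{"podSelector": {"matchLabels": {"run": "backend"}}}]}])
# networkpolicy-allow-be.yaml, final (namespace-level) version
ALLOW_BE = policy("test-network-policy-be", {"matchLabels": {"run": "backend"}}, ["Ingress", "Egress"],
                  ingress=[{"from": [{"podSelector": {"matchLabels": {"run": "frontend"}}}]}],
                  egress=[{"to": [{"namespaceSelector": {"matchLabels": {"app": "db"}}}]}])
LAB = [DEFAULT_DENY, ALLOW_FE, ALLOW_BE]

if __name__ == "__main__":
    checks = [([], "frontend", "backend"), ([DEFAULT_DENY], "frontend", "backend"),
              (LAB, "frontend", "backend"), (LAB, "frontend", "kube-dns"),
              (LAB, "backend", "oracle"), (LAB, "frontend", "oracle"), (LAB, "backend", "frontend")]
    for pols, src, dst in checks:
        verdict = "ALLOWED" if connection_allowed(pols, src, dst) else "DENIED"
        print(f"{len(pols)} policies: {src} -> {dst}: {verdict}")
```

Running the model reproduces the lab: frontend -> backend is open with no policies, denied once only the default deny exists, and allowed again once both the frontend egress and the backend ingress policies are present (either one alone is not enough). It also shows that frontend -> kube-dns stays denied under these policies, which is why the lab's later check curls the backend pod IP rather than the service name, and that backend -> oracle is allowed through the namespaceSelector while frontend -> oracle and backend -> frontend are not.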