Empowering Security and Control with Kubernetes Network Policies

Introduction

Network Policies is a Kubernetes resource that controls the traffic between pods. Network policy lets you secure access to and from their applications. The primary goal of network policies is to enhance the security and segmentation of your Kubernetes cluster. By default, pods in a Kubernetes cluster can communicate with each other freely, regardless of their location or purpose. However, you may want to restrict this communication to specific pods or namespaces in many scenarios.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

What is Network Policy?

Network policy is Kubernetes resource which controls traffic between pods. They allow you to define rules that determine which pods can communicate with each other and what types of communication are permitted. To route the traffic, it uses labels to select the pod and direct the traffic toward those pods.

Network policies provide a fine-grained level of control over pod-to-pod communication, enhancing security and isolation within the cluster.

Network policies are applied to CNI plugins, and there are some popular CNI plugins like Calico, weavenet.

network

Image Source: k21academy

How does Network Policy Work?

There can be numerous situations when you permit or deny traffic from any specific or different sources.

Rules:

Traffic is allowed if no policy is applied.
Communication is denied if the policy is applied.
Traffic is allowed if there is one policy that allows it.

Network Policy Specification

PodSelector: This selects the particular pod in the specified namespace for ingress or egress of traffic.
Policy Types: This includes ingress or egress arguments that need to mention.
Ingress: This includes the inbound traffic.
Egress: This includes the outbound traffic.

Default Network Policies

Deny all ingress Traffic: This will deny all incoming traffic.

apiVersion: networking.k8s.io/v1 
kind: NetworkPolicy 
metadata: 
  name: default-deny-ingress 
spec: 
  podSelector: {} 
  policyTypes: 
  - Ingress

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

spec:

podSelector: {}

policyTypes:

- Ingress

2. Allow all ingress Traffic: This will all incoming traffic.

apiVersion: networking.k8s.io/v1 
kind: NetworkPolicy 
metadata: 
  name: allow-all-ingress 
spec: 
  podSelector: {} 
  ingress: 
  - {} 
  policyTypes: 
  - Ingress

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

spec:

podSelector: {}

ingress:

- {}

policyTypes:

- Ingress

Deny all Egress Traffic: This will deny all outbound traffic.

apiVersion: networking.k8s.io/v1 
kind: NetworkPolicy 
metadata: 
  name: default-deny-egress 
spec: 
  podSelector: {} 
  policyTypes: 
  - Egress

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

spec:

podSelector: {}

policyTypes:

- Egress

4. Allow all Egress Traffic: This will all outbound traffic.

apiVersion: networking.k8s.io/v1 
kind: NetworkPolicy 
metadata: 
  name: allow-all-ingress 
spec: 
  podSelector: {} 
  ingress: 
  - {} 
  policyTypes: 
  - Egress

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

spec:

podSelector: {}

ingress:

- {}

policyTypes:

- Egress

Custom Network policies

We have three namespaces named ns1, ns2, ns3, and pods under each namespace. We want only pods under ns1 to allow traffic only from pods under ns3 on port 80.

apiVersion: networking.k8s.io/v1  
kind: NetworkPolicy  
metadata: 
  name: test-network-policy 
  namespace: ns1 
spec: 
podSelector: {}  
policyTypes: 
- Ingress 
ingress: 
  - from: 
      - namespaceSelector: 
          matchLabels: 
            kubernetes.io/metadata.name: ns3 
  ports: 
  - protocol: TCP 
    port: 80

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

namespace: ns1

spec:

podSelector: {}

policyTypes:

- Ingress

ingress:

- from:

- namespaceSelector:

matchLabels:

kubernetes.io/metadata.name: ns3

ports:

- protocol: TCP

port: 80

Conclusion

Kubernetes network policies offer a powerful means to enforce network-level security & control within a Kubernetes cluster. By defining and applying these policies, you can enhance the isolation of your applications, restrict communication to specific pods, and mitigate potential security risks within the cluster.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

FAQs

1. How is network policy enforced?

ANS: – Network policies are enforced by the Network CNI plugin. CNI is installed in Kubernetes clusters like Calico or weavenet.

2. What is the purpose of network policy?

ANS: – Policy determine which Pods and Services can access one another inside your cluster. Defining network policy helps you enable things like defense in depth when your cluster is serving a multi-level application.

3. Are network policies namespace-specific in Kubernetes?

ANS: – Network policies in Kubernetes are namespace-specific by default. When you create a network policy, it is associated with a specific namespace. The policy only affects the pods within that namespace. This allows you to define different network policies for different namespaces, providing isolation and granular control over network traffic between pods in different namespaces.