Introduction
A NetworkPolicy is a Kubernetes resource that controls traffic between pods. Network policies let you secure access to and from your applications. Their primary goal is to improve the security and segmentation of your Kubernetes cluster. By default, pods in a Kubernetes cluster can communicate with each other freely, regardless of where they run or what they do. In many scenarios, however, you will want to restrict that communication to specific pods or namespaces.
What is Network Policy?
A network policy is a Kubernetes resource that controls traffic between pods. Policies let you define rules that determine which pods can communicate with each other and what kinds of communication are permitted. A policy does not route traffic; it uses labels to select the pods it applies to and the peers whose traffic is allowed to reach them.
Network policies are enforced by the cluster's CNI plugin; popular plugins that implement them include Calico and Weave Net. If the installed plugin does not implement NetworkPolicy, the API server still accepts the objects but nothing enforces them, so the policy gives no protection.
How does Network Policy Work?
There are many situations in which you need to allow or deny traffic from specific sources. The evaluation follows three rules.
Rules:
- If no policy selects a pod, all traffic to and from it is allowed.
- Once a policy selects a pod, traffic of that policy's type (ingress or egress) is denied unless a rule explicitly allows it.
- Traffic is allowed if at least one policy that selects the pod has a rule allowing it. Policies are additive; one policy cannot deny what another policy allows.
Network Policy Specification
- podSelector: selects the pods in the policy's namespace to which the ingress or egress rules apply.
- policyTypes: states whether the policy covers Ingress, Egress, or both.
- ingress: rules for inbound traffic to the selected pods.
- egress: rules for outbound traffic from the selected pods.
Default Network Policies
Each of these policies uses an empty podSelector ({}), so it selects every pod in the namespace it is created in.
1. Deny all ingress traffic: this denies all incoming traffic to the selected pods.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
```
2. Allow all ingress traffic: this allows all incoming traffic to the selected pods.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress
```
3. Deny all egress traffic: this denies all outbound traffic from the selected pods.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
```
4. Allow all egress traffic: this allows all outbound traffic from the selected pods. The rule must be an egress rule; an ingress rule combined with policyTypes Egress would be ignored and the policy would deny all egress instead.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-egress
spec:
  podSelector: {}
  egress:
  - {}
  policyTypes:
  - Egress
```
Custom Network policies
Suppose there are three namespaces, ns1, ns2 and ns3, each containing pods. We want the pods in ns1 to accept traffic only from pods in ns3, and only on TCP port 80.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: ns1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ns3
    ports:
    - protocol: TCP
      port: 80
```
The namespaceSelector relies on the kubernetes.io/metadata.name label that the control plane applies to every namespace automatically (generally available since Kubernetes 1.22). Because the policy selects every pod in ns1 and allows only ns3 as a source, pods inside ns1 can no longer reach each other either unless another policy allows that.
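To make the three rules and the ns1/ns3 policy above concrete, here is an added Python model of ingress evaluation (example code written for this article, not from the original post or from Kubernetes itself). It covers only what the post uses: Ingress policies, matchLabels selectors, namespaceSelector/podSelector peers and port/protocol rules; ipBlock, matchExpressions, named ports and egress are left out. The sample pods and policies are constructed here, and each namespace is given the kubernetes.io/metadata.name label the control plane applies automatically.

```python
from dataclasses import dataclass, field

@dataclass
class Pod:
    namespace: str
    labels: dict = field(default_factory=dict)      # labels on the Pod
    ns_labels: dict = field(default_factory=dict)   # labels on the Pod's Namespace

@dataclass
class Policy:
    namespace: str
    pod_selector: dict                              # {} selects every pod in the namespace
    policy_types: tuple = ("Ingress",)
    ingress: list = field(default_factory=list)     # rules: {"from": [...], "ports": [...]}

def selects(selector, labels):  # matchLabels semantics: every selector key/value must be present
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, src, policy_ns):
    # podSelector alone is scoped to the policy's own namespace; namespaceSelector alone
    # matches every pod in the selected namespaces; both together are intersected.
    ns_ok = (selects(peer["namespaceSelector"], src.ns_labels) if "namespaceSelector" in peer
             else src.namespace == policy_ns)
    return ns_ok and ("podSelector" not in peer or selects(peer["podSelector"], src.labels))

def rule_allows(rule, src, policy_ns, port, proto):
    peers, ports = rule.get("from", []), rule.get("ports", [])
    peer_ok = not peers or any(peer_matches(p, src, policy_ns) for p in peers)  # no from: any source
    port_ok = not ports or any(p.get("protocol", "TCP") == proto and p["port"] == port
                               for p in ports)                                   # no ports: any port
    return peer_ok and port_ok

def ingress_allowed(src, dst, port, policies, proto="TCP"):
    """Rule 1: nothing selects dst -> allowed. Rule 2: selected but no rule matches -> denied.
    Rule 3: policies are additive, one matching rule in any selecting policy is enough."""
    applicable = [p for p in policies if p.namespace == dst.namespace
                  and "Ingress" in p.policy_types and selects(p.pod_selector, dst.labels)]
    if not applicable:
        return True
    return any(rule_allows(r, src, p.namespace, port, proto) for p in applicable for r in p.ingress)

def pod_in(ns, app):  # constructed pod carrying the auto-applied kubernetes.io/metadata.name label
    return Pod(ns, {"app": app}, {"kubernetes.io/metadata.name": ns})

# Constructed sample: the ns1 <- ns3:80 policy from the post, plus a default-deny-ingress in ns2.
POLICIES = [
    Policy("ns1", {}, ("Ingress",), [{"from": [{"namespaceSelector": {"kubernetes.io/metadata.name": "ns3"}}],
                                     "ports": [{"protocol": "TCP", "port": 80}]}]),
    Policy("ns2", {}, ("Ingress",), []),
]
```

With POLICIES in place, ns3 to ns1 on TCP 80 is allowed, the same connection on 443 or over UDP is denied, ns1 pods cannot reach each other, everything into ns2 is denied, and ns3 (no policy) accepts anything.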
Conclusion
Kubernetes network policies offer a powerful means to enforce network-level security & control within a Kubernetes cluster. By defining and applying these policies, you can enhance the isolation of your applications, restrict communication to specific pods, and mitigate potential security risks within the cluster.
FAQs
1. How is network policy enforced?
ANS: – Network policies are enforced by the cluster's CNI plugin. The plugin is installed into the Kubernetes cluster; Calico and Weave Net are examples that implement NetworkPolicy.
2. What is the purpose of network policy?
ANS: – Policies determine which Pods and Services can access one another inside your cluster. Defining network policies helps you apply defense in depth when your cluster serves a multi-tier application.
3. Are network policies namespace-specific in Kubernetes?
ANS: – Network policies in Kubernetes are namespace-specific by default. When you create a network policy, it is associated with a specific namespace. The policy only affects the pods within that namespace. This allows you to define different network policies for different namespaces, providing isolation and granular control over network traffic between pods in different namespaces.

WRITTEN BY Shubh Dadhich