Kubernetes Network Policies: A Practitioner’s Guide

Why We Need Network Policies

Illustration of allowing and denying traffic to pods

Requirements for Implementing Network Policies

Network Plugins

Writing & Applying Network Policies

Network Policy Resource Fields

Egress Rules

Ingress Rules

Walkthrough

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-walkthrough-db
spec:
  podSelector:
    matchLabels:
      component: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 192.168.1.2/32
        - namespaceSelector:
            matchLabels:
              team: dba
        - podSelector:
            matchLabels:
              component: backend
      ports:
        - protocol: TCP
          port: 5432
$ kubectl describe networkpolicy network-policy-walkthrough-db
Name:         network-policy-walkthrough-db
Namespace:    default
Created on:   2021-08-30 18:06:48 +0200 CEST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     component=database
  Allowing ingress traffic:
    To Port: 5432/TCP
    From:
      IPBlock:
        CIDR: 192.168.1.2/32
        Except:
    From:
      NamespaceSelector: team=dba
    From:
      PodSelector: component=backend
  Not affecting egress traffic
  Policy Types: Ingress

Examples

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress-policy
spec:
  podSelector: {}
  policyTypes:
    - Ingress
$ kubectl describe networkpolicies default-deny-ingress-policy
Name:         default-deny-ingress-policy
Namespace:    default
Created on:   2021-08-28 16:47:33 +0200 CEST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Not affecting egress traffic
  Policy Types: Ingress

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-debug
spec:
  podSelector:
    matchLabels:
      component: app
  ingress:
    - from:
        - podSelector:
            matchLabels:
              component: debug
          namespaceSelector:
            matchLabels:
              space: monitoring
  policyTypes:
    - Ingress
$ kubectl describe networkpolicy allow-debug
Name:         allow-debug
Namespace:    default
Created on:   2021-08-30 22:36:48 +0200 CEST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     component=app
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: space=monitoring
      PodSelector: component=debug
  Not affecting egress traffic
  Policy Types: Ingress
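The three policies above differ in one detail that is easy to misread in YAML: in network-policy-walkthrough-db the ipBlock, namespaceSelector and podSelector are three separate `from` items and are ORed, while in allow-debug podSelector and namespaceSelector sit in the same `from` item and are ANDed (the `kubectl describe` output shows this as three `From:` blocks versus one). The following Python model is an added example, not code from the article or from any CNI plugin; it reproduces the article's three policies as dicts and evaluates constructed peers against them. The policy namespace (`default`, as in the describe output), the selector semantics and the peer definitions are the example's own assumptions about how a conformant engine behaves.

```python
"""Added example (not from the article): a simplified model of how a NetworkPolicy's
`from` rules select a connection source, run against the three policies shown above.
Selectors, labels and ports come from the article; the peers are constructed inputs.
"""
import ipaddress
from dataclasses import dataclass, field

POLICY_NAMESPACE = "default"   # both article policies live in the default namespace

@dataclass
class Peer:
    """A connection source as a policy engine would classify it."""
    ip: str
    namespace: str = ""                   # empty for traffic arriving from outside the cluster
    pod_labels: dict = field(default_factory=dict)
    ns_labels: dict = field(default_factory=dict)

def labels_match(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector key/value must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(rule: dict, peer: Peer) -> bool:
    """Evaluate one `from` list item.  Fields written inside the same item are ANDed."""
    if "ipBlock" in rule:
        addr = ipaddress.ip_address(peer.ip)
        block = rule["ipBlock"]
        if addr not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(addr in ipaddress.ip_network(ex) for ex in block.get("except", []))
    if not peer.namespace:          # pod/namespace selectors never match non-pod traffic
        return False
    pod_sel, ns_sel = rule.get("podSelector"), rule.get("namespaceSelector")
    if ns_sel is not None and not labels_match(ns_sel, peer.ns_labels):
        return False
    if ns_sel is None and peer.namespace != POLICY_NAMESPACE:
        return False                # a lone podSelector only sees the policy's own namespace
    if pod_sel is not None and not labels_match(pod_sel, peer.pod_labels):
        return False
    return True

def ingress_allowed(policy: dict, peer: Peer, port: int, proto: str = "TCP") -> bool:
    """True if any ingress rule admits this peer on this port.  An Ingress policy with
    no rules (default-deny-ingress-policy) isolates the selected pods entirely."""
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return True                 # this policy does not govern ingress at all
    for rule in spec.get("ingress", []):
        ports = rule.get("ports")
        port_ok = ports is None or any(
            p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)
        peers = rule.get("from")
        peer_ok = peers is None or any(peer_matches(r, peer) for r in peers)
        if port_ok and peer_ok:
            return True
    return False

# The three policies from the article, as Python dicts.
WALKTHROUGH_DB = {"spec": {"podSelector": {"matchLabels": {"component": "database"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [
            {"ipBlock": {"cidr": "192.168.1.2/32"}},                       # OR
            {"namespaceSelector": {"matchLabels": {"team": "dba"}}},        # OR
            {"podSelector": {"matchLabels": {"component": "backend"}}}],    # OR
        "ports": [{"protocol": "TCP", "port": 5432}]}]}}
DEFAULT_DENY_INGRESS = {"spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
ALLOW_DEBUG = {"spec": {"podSelector": {"matchLabels": {"component": "app"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"component": "debug"}},      # AND
                           "namespaceSelector": {"matchLabels": {"space": "monitoring"}}}]}]}}

# Constructed peers (addresses and namespace names are invented for the demo).
BACKEND_SAME_NS = Peer("10.0.0.20", "default", {"component": "backend"})
BACKEND_OTHER_NS = Peer("10.0.0.21", "shop", {"component": "backend"})
DBA_ANY_POD = Peer("10.0.0.30", "dba-tools", {"component": "shell"}, {"team": "dba"})
EXTERNAL_ALLOWED = Peer("192.168.1.2")
EXTERNAL_OTHER = Peer("192.168.1.3")
DEBUG_IN_MONITORING = Peer("10.0.0.40", "monitoring", {"component": "debug"}, {"space": "monitoring"})
DEBUG_IN_DEFAULT = Peer("10.0.0.41", "default", {"component": "debug"})

if __name__ == "__main__":
    print(ingress_allowed(WALKTHROUGH_DB, BACKEND_SAME_NS, 5432))   # True
    print(ingress_allowed(WALKTHROUGH_DB, BACKEND_OTHER_NS, 5432))  # False: lone podSelector is namespace-local
    print(ingress_allowed(ALLOW_DEBUG, DEBUG_IN_DEFAULT, 80))        # False: AND form needs both selectors
```

The two results worth remembering: a `podSelector` written on its own only matches pods in the policy's own namespace, and a `debug` pod outside the `monitoring` namespace is rejected by allow-debug even though its pod labels match. If the `-` in front of `namespaceSelector` in allow-debug were added by mistake, the rule would instead admit every pod in every `space=monitoring` namespace plus every `component=debug` pod in `default`.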

Monitoring Network Policies

$ kubectl get pods -o wide
NAME                                READY   STATUS    RESTARTS   AGE   IP           NODE       NOMINATED NODE   READINESS GATES
nginx-deployment-66b6c48dd5-frsv9   1/1     Running   0          24m   10.0.0.136   valhalla   <none>           <none>
$ cilium endpoint list
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])   IPv6   IPv4         STATUS
           ENFORCEMENT        ENFORCEMENT
5          Enabled            Disabled          50873      k8s:app=nginx                        10.0.0.136   ready   ...
$ cilium monitor --related-to 5
Press Ctrl-C to quit

level=info msg="Initializing dissection cache..." subsys=monitor
Policy verdict log: flow 0xf9da54c5 local EP ID 5, remote ID 1, dst port 80, proto 6, ingress true, action allow, match L3-Only, 10.0.0.147:39772 -> 10.0.0.136:80 tcp SYN
-> endpoint 5 flow 0xf9da54c5 identity 1->50873 state new ifindex lxc4eced79e6ca0 orig-ip 10.0.0.147: 10.0.0.147:39772 -> 10.0.0.136:80 tcp SYN
-> stack flow 0xbbd5210b identity 50873->1 state reply ifindex 0 orig-ip 0.0.0.0: 10.0.0.136:80 -> 10.0.0.147:39772 tcp SYN, ACK
-> endpoint 5 flow 0xf9da54c5 identity 1->50873 state established ifindex lxc4eced79e6ca0 orig-ip 10.0.0.147: 10.0.0.147:39772 -> 10.0.0.136:80 tcp ACK
-> endpoint 5 flow 0xf9da54c5 identity 1->50873 state established ifindex lxc4eced79e6ca0 orig-ip 10.0.0.147: 10.0.0.147:39772 -> 10.0.0.136:80 tcp ACK
-> stack flow 0xbbd5210b identity 50873->1 state reply ifindex 0 orig-ip 0.0.0.0: 10.0.0.136:80 -> 10.0.0.147:39772 tcp ACK
-> endpoint 5 flow 0xf9da54c5 identity 1->50873 state established ifindex lxc4eced79e6ca0 orig-ip 10.0.0.147: 10.0.0.147:39772 -> 10.0.0.136:80 tcp ACK, FIN
-> stack flow 0xbbd5210b identity 50873->1 state reply ifindex 0 orig-ip 0.0.0.0: 10.0.0.136:80 -> 10.0.0.147:39772 tcp ACK, FIN
-> endpoint 5 flow 0xf9da54c5 identity 1->50873 state established ifindex lxc4eced79e6ca0 orig-ip 10.0.0.147: 10.0.0.147:39772 -> 10.0.0.136:80 tcp ACK
Policy verdict log: flow 0xf9da54c5 local EP ID 5, remote ID 1, dst port 80, proto 6, ingress true, action allow, match L3-Only, 10.0.0.147:39772 -> 10.0.0.136:80 tcp SYN
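The `Policy verdict log` lines in the monitor output are the record that a policy decision was taken for a flow (which endpoint, which direction, which port, allow or deny, and at which layer the rule matched). Reading them by eye works for one pod; for a namespace you want them parsed. The following Python is an added example, not code from the article or from Cilium: a regex fitted to the exact line layout shown above, a dataclass for the parsed verdict, and a per-endpoint/port/action counter. The sample input reuses the article's lines plus one constructed `action deny` line; the assumption that a denied flow is logged in the same layout with `action deny, match none` is the example's, not something the article shows.

```python
"""Added example (not from the article): parse `cilium monitor` policy verdict lines,
as shown above, into structured events and summarise them per endpoint and port.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Fitted to the line shape in the article; the trailing TCP flags are optional.
VERDICT_RE = re.compile(
    r"^Policy verdict log: flow (?P<flow>0x[0-9a-f]+) local EP ID (?P<ep>\d+), "
    r"remote ID (?P<remote>\d+), dst port (?P<dport>\d+), proto (?P<proto>\d+), "
    r"ingress (?P<ingress>true|false), action (?P<action>\w+), match (?P<match>[\w-]+), "
    r"(?P<src>\S+) -> (?P<dst>\S+) (?P<l4>\w+)(?: (?P<flags>.*))?$"
)

@dataclass(frozen=True)
class Verdict:
    flow: str
    endpoint: int         # local Cilium endpoint the policy was evaluated for
    remote_identity: int  # Cilium security identity of the peer (1 is the host)
    dst_port: int
    proto: int            # IP protocol number; 6 is TCP
    ingress: bool
    action: str           # "allow", "deny", ...
    match: str            # which rule level matched, e.g. "L3-Only"
    src: str
    dst: str
    flags: str

def parse_verdict(line: str) -> Optional[Verdict]:
    """Return a Verdict for a policy verdict line, None for any other monitor line."""
    m = VERDICT_RE.match(line.strip())
    if not m:
        return None
    return Verdict(flow=m["flow"], endpoint=int(m["ep"]), remote_identity=int(m["remote"]),
                   dst_port=int(m["dport"]), proto=int(m["proto"]),
                   ingress=m["ingress"] == "true", action=m["action"], match=m["match"],
                   src=m["src"], dst=m["dst"], flags=m["flags"] or "")

def summarize(lines) -> Counter:
    """Count verdicts per (endpoint, direction, dst_port, action).  Denies on a port you
    expected open, or allows on one you expected closed, stand out in this table."""
    counts = Counter()
    for line in lines:
        v = parse_verdict(line)
        if v is not None:
            direction = "ingress" if v.ingress else "egress"
            counts[(v.endpoint, direction, v.dst_port, v.action)] += 1
    return counts

# Sample input: two verdict lines and one flow line copied from the article, plus one
# CONSTRUCTED deny line (not from the article) for a connection attempt on port 22.
SAMPLE_MONITOR_OUTPUT = [
    'level=info msg="Initializing dissection cache..." subsys=monitor',
    "Policy verdict log: flow 0xf9da54c5 local EP ID 5, remote ID 1, dst port 80, proto 6, "
    "ingress true, action allow, match L3-Only, 10.0.0.147:39772 -> 10.0.0.136:80 tcp SYN",
    "-> endpoint 5 flow 0xf9da54c5 identity 1->50873 state new ifindex lxc4eced79e6ca0 "
    "orig-ip 10.0.0.147: 10.0.0.147:39772 -> 10.0.0.136:80 tcp SYN",
    "Policy verdict log: flow 0xf9da54c5 local EP ID 5, remote ID 1, dst port 80, proto 6, "
    "ingress true, action allow, match L3-Only, 10.0.0.147:39772 -> 10.0.0.136:80 tcp SYN",
    "Policy verdict log: flow 0x0badc0de local EP ID 5, remote ID 1, dst port 22, proto 6, "
    "ingress true, action deny, match none, 10.0.0.147:40000 -> 10.0.0.136:22 tcp SYN",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_MONITOR_OUTPUT).items()):
        print(key, n)
```

In practice you would feed `cilium monitor --type policy-verdict` (or a Hubble export) into `summarize` instead of the embedded list; the point of keeping the raw `match` field is that `L3-Only` tells you the rule matched on identity alone, so a port that should have been restricted by a `ports:` stanza but shows `L3-Only` allows is a policy you want to re-read.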

Conclusion

Further Reading
