Network Policies in Kubernetes¶
Introduction¶
Network Policies in Kubernetes define how pods can communicate with each other and with network endpoints. They control the flow of traffic at the IP level, enhancing cluster security by limiting access to sensitive components.
Best Practices for Network Policies¶
- Deny by default: Implement policies that deny all traffic by default, then selectively allow needed connections.
- Limit pod communication: Ensure that only necessary pods can communicate with each other.
- Use labels effectively: Utilize Kubernetes labels to apply network policies to specific pod groups.
- Apply ingress and egress policies: Define both ingress and egress policies for more control over the traffic.
Example: Deny All Traffic¶
This network policy denies all incoming and outgoing traffic to and from the pods in the default namespace:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: default
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
Example: Allowing Traffic from Specific Pods¶
The following example allows traffic only from pods with the label role=frontend to pods with the label role=db on port 3306 (MySQL):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-db
namespace: production
spec:
podSelector:
matchLabels:
role: db
ingress:
- from:
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 3306
Example: Egress Network Policy¶
The following policy allows outgoing traffic to the internet only on port 443 (HTTPS):
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-internet
namespace: default
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
ports:
- protocol: TCP
port: 443
Monitoring Network Policies¶
Monitoring traffic flow and policy effectiveness is crucial for debugging. Use tools such as Calico, Weave, or Cilium to manage and visualize network traffic and policy enforcement.