What is NetworkPolicy in kubernetes?
In a Kubernetes cluster, a firewall controls traffic at the IP address or port level. NetworkPolicy plays that role inside the cluster: it lets you define firewall-like rules, such as which pods are allowed to accept incoming requests or make outgoing requests. It also helps keep sensitive resources from being reachable by every pod in the cluster, and limits the damage if one pod is compromised.
Target Pod Selector
```yaml
spec:
  podSelector:
    matchLabels:
      app: product-db
```
The podSelector targets the group of pods that carry the label app: product-db; the network policy is applied to exactly those pods.
Types of network policies
```yaml
policyTypes:
  - Ingress   # applies to incoming requests
  - Egress    # applies to outgoing requests
```
A Kubernetes network policy has two policy types: Ingress, which controls incoming requests to the pods selected by podSelector, and Egress, which controls outgoing requests from those pods. If no policy selects a pod, all of that pod's incoming and outgoing traffic is unrestricted.
Ingress Policy:
```yaml
ingress:
  - from:
      - podSelector:
          matchLabels:
            name: product-api
```
Once an ingress policy is configured, only the allowed sources can send traffic to the pods selected by podSelector. In the example, only pods labeled name: product-api, in the same namespace as the policy, are allowed to send requests to the pods labeled app: product-db.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: product-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: product-api
      ports:
        - port: 3306
          protocol: TCP
```
More Ingress Rules
```yaml
ingress:
  - from:
      - podSelector:
          matchLabels:
            name: product-api
      - namespaceSelector:
          matchLabels:
            product-types: food-and-beverage
```
This block allows incoming requests from two sources:
- Pods in the policy's own namespace that have the label name: product-api
- All pods in any namespace that carries the label product-types: food-and-beverage

Note that the two selectors are separate list entries, so a source only needs to match one of them. If namespaceSelector and podSelector were placed in the same entry, a source would have to satisfy both.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: product-db
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              name: product-api
        - namespaceSelector:
            matchLabels:
              product-types: food-and-beverage
      ports:
        - port: 3306
          protocol: TCP
```
Egress policy:
When an Egress network policy is configured, the pods selected by podSelector can send outgoing requests only to the listed destinations. In the example, pods labeled app: product-db are allowed to send traffic to pods labeled name: product-types-db in the same namespace, or to addresses in 192.168.0.105/24, on TCP port 3306.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payment-api-network-policy
spec:
  podSelector:
    matchLabels:
      app: product-db
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              name: product-types-db
        - ipBlock:
            cidr: 192.168.0.105/24
      ports:
        - protocol: TCP
          port: 3306
```
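The rules above (default-allow when no policy selects a pod, podSelector scoped to the policy's namespace, namespaceSelector covering whole namespaces, ipBlock for non-pod addresses, and a connection needing to pass both the source's Egress and the destination's Ingress policies) can be checked without a cluster. The following evaluator is an added example, not code from the article or from Kubernetes: it loads the two policies shown above as Python dicts and evaluates sample connections against a constructed set of pods and namespaces (the pod names, IPs and the "food" namespace are invented for the example; the egress policy has no namespace in the article, so it is assumed to live in "default").

```python
import ipaddress

# --- Constructed sample cluster (hypothetical names and IPs, not from the article) ---
NAMESPACES = {"default": {}, "food": {"product-types": "food-and-beverage"}}
PODS = {
    "product-db":       {"ns": "default", "labels": {"app": "product-db"},        "ip": "10.0.0.10"},
    "product-api":      {"ns": "default", "labels": {"name": "product-api"},      "ip": "10.0.0.11"},
    "product-types-db": {"ns": "default", "labels": {"name": "product-types-db"}, "ip": "10.0.0.12"},
    "scanner":          {"ns": "default", "labels": {"name": "scanner"},          "ip": "10.0.0.99"},
    "reporting":        {"ns": "food",    "labels": {"name": "reporting"},        "ip": "10.0.1.6"},
}

# The two policies from the article, as dicts. The egress policy's namespace is assumed to be "default".
POLICIES = [
    {"namespace": "default",
     "podSelector": {"matchLabels": {"app": "product-db"}},
     "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {"matchLabels": {"name": "product-api"}}},
                           {"namespaceSelector": {"matchLabels": {"product-types": "food-and-beverage"}}}],
                  "ports": [{"port": 3306, "protocol": "TCP"}]}]},
    {"namespace": "default",
     "podSelector": {"matchLabels": {"app": "product-db"}},
     "policyTypes": ["Egress"],
     "egress": [{"to": [{"podSelector": {"matchLabels": {"name": "product-types-db"}}},
                        {"ipBlock": {"cidr": "192.168.0.105/24"}}],
                 "ports": [{"protocol": "TCP", "port": 3306}]}]},
]


def selector_matches(selector, labels):
    """matchLabels semantics: every listed key/value must be present; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def endpoint(name_or_ip):
    """A known pod name resolves to its record; anything else is treated as an external IP."""
    if name_or_ip in PODS:
        return dict(PODS[name_or_ip], pod=True)
    return {"ns": None, "labels": {}, "ip": name_or_ip, "pod": False}


def peer_matches(peer, other, policy_ns):
    """One entry of a from/to list. ipBlock stands alone; podSelector and namespaceSelector
    in the same entry are AND-ed; podSelector alone is scoped to the policy's namespace;
    namespaceSelector alone covers every pod in the matching namespaces."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(other["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"], strict=False):
            return False
        return not any(ip in ipaddress.ip_network(x, strict=False) for x in block.get("except", []))
    if not other["pod"]:
        return False  # label selectors never match a non-pod address
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACES.get(other["ns"], {})):
            return False
    elif other["ns"] != policy_ns:
        return False
    if "podSelector" in peer and not selector_matches(peer["podSelector"], other["labels"]):
        return False
    return True


def port_matches(rule, port, protocol):
    """A rule without a ports list admits every port; protocol defaults to TCP."""
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol
               for p in rule.get("ports", [{"port": port, "protocol": protocol}]))


def direction_allowed(local, remote, port, protocol, direction):
    """direction is 'Ingress' (local is the destination) or 'Egress' (local is the source).
    If no policy of that type selects the local pod, traffic is unrestricted; otherwise
    at least one rule of one selecting policy must admit the remote peer and the port."""
    if not local["pod"]:
        return True
    selecting = [p for p in POLICIES
                 if p["namespace"] == local["ns"]
                 and direction in p.get("policyTypes", ["Ingress"])
                 and selector_matches(p["podSelector"], local["labels"])]
    if not selecting:
        return True
    key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for pol in selecting:
        for rule in pol.get(key, []):
            peers = rule.get(peers_key)
            peer_ok = peers is None or any(peer_matches(pe, remote, pol["namespace"]) for pe in peers)
            if peer_ok and port_matches(rule, port, protocol):
                return True
    return False


def allowed(src, dst, port, protocol="TCP"):
    """A connection must pass the source's Egress policies and the destination's Ingress policies."""
    s, d = endpoint(src), endpoint(dst)
    return (direction_allowed(s, d, port, protocol, "Egress")
            and direction_allowed(d, s, port, protocol, "Ingress"))


if __name__ == "__main__":
    for s, d, port in [("product-api", "product-db", 3306), ("scanner", "product-db", 3306),
                       ("reporting", "product-db", 3306), ("product-api", "product-db", 3307),
                       ("product-db", "product-types-db", 3306), ("product-db", "product-api", 3306),
                       ("product-db", "192.168.0.50", 3306)]:
        print(f"{s:>16} -> {d:<16} :{port}  {'ALLOW' if allowed(s, d, port) else 'DENY'}")
```

Running it shows the asymmetry that trips people up in practice: the scanner pod in the same namespace is denied by the ingress policy, while the reporting pod in the labeled "food" namespace is admitted even though it carries no product-api label, because namespaceSelector alone selects the whole namespace. It also shows that product-types-db accepts the connection only because nothing selects it; adding an Ingress policy that selects product-types-db would require a matching from rule there too.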