Network Policies

title: "Network Policies"
date: 2020-12-08T20:57:13
slug: create-a-default-deny-policy


podSelector: This selects particular Pods in the same namespace as the NetworkPolicy which should be allowed as ingress sources or egress destinations.
namespaceSelector: This selects particular namespaces for which all Pods should be allowed as ingress sources or egress destinations.
namespaceSelector and podSelector: A single to/from entry that specifies both namespaceSelector and podSelector selects particular Pods within particular namespaces. Be careful to use correct YAML syntax: the two policies below differ only in whether podSelector sits in the same list entry as namespaceSelector, and they mean different things.

Namespace AND Pod Selector (one from entry: only Pods labelled role=client in namespaces labelled user=alice)

  - from:
    - namespaceSelector:
        matchLabels:
          user: alice
      podSelector:
        matchLabels:
          role: client

Namespace OR Pod Selector (two from entries: any Pod in a namespace labelled user=alice, or a Pod labelled role=client in the policy's own namespace)

  - from:
    - namespaceSelector:
        matchLabels:
          user: alice
    - podSelector:
        matchLabels:
          role: client

Create a default deny policy

cat default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Allow traffic from Pod1 (label "run: frontend") to Pod2 (label "run: backend")
This policy is needed to allow outgoing traffic from Pod1 (only to Pods with label "run: backend"):

cat frontend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          run: backend

This policy is needed to allow incoming traffic on Pod2 (only from Pods with label "run: frontend"):

cat backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend

Allow connections from Pod2 (label "run: backend") to the namespace cassandra (namespace with label "ns: cassandra")
This works as long as no default-deny policy is applied to the namespace cassandra. The backend policy gets an additional egress rule:

cat backend.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: frontend
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          ns: cassandra

Allow incoming traffic from a namespace with label "ns: default" to the Pod with label "run: cassandra" in namespace cassandra

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cassandra
  namespace: cassandra
spec:
  podSelector:
    matchLabels:
      run: cassandra
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          ns: default
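To check how these manifests combine before applying them to a cluster, here is a small evaluator of the NetworkPolicy semantics described on this page. It is an added example, not code from the page or from Kubernetes: it models podSelector and namespaceSelector peers (matchLabels only), policyTypes and the default-deny behaviour, and it leaves out ipBlock, ports and matchExpressions. It covers both the AND/OR selector section (one from entry versus two) and the default-deny, frontend, backend and cassandra chain. The pod names, the extra "other" pod and the namespace labels (default=ns=default, cassandra=ns=cassandra) are constructed assumptions; a namespaceSelector matches namespace labels, not namespace names, so without those labels the cross-namespace rules select nothing.

```python
# Added example, not part of the original page: a toy evaluator for the
# NetworkPolicy semantics described above (podSelector / namespaceSelector
# peers with matchLabels, policyTypes, default deny).  ipBlock, ports and
# matchExpressions are deliberately not modelled.
from dataclasses import dataclass

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict

def selector_matches(selector, labels):
    # matchLabels semantics: every key must match; {} selects everything
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, pod, policy_ns, ns_labels):
    # One entry of a from:/to: list.  namespaceSelector and podSelector in the
    # SAME entry are ANDed; a podSelector on its own is limited to the policy's
    # own namespace.  An entry with neither (e.g. ipBlock) is not modelled.
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, ns_labels.get(pod.namespace, {})):
            return False
        return pod_sel is None or selector_matches(pod_sel, pod.labels)
    if pod_sel is not None:
        return pod.namespace == policy_ns and selector_matches(pod_sel, pod.labels)
    return False

def direction_allowed(policies, subject, peer, direction, ns_labels):
    # direction is "Ingress" (peer -> subject) or "Egress" (subject -> peer).
    # No policy of that type selecting `subject` means no restriction; otherwise
    # some selecting policy must have a rule whose peers match (rules are ORed).
    selected = False
    for pol in policies:
        spec = pol["spec"]
        if (pol["metadata"]["namespace"] != subject.namespace
                or not selector_matches(spec["podSelector"], subject.labels)
                or direction not in spec["policyTypes"]):
            continue
        selected = True
        for rule in spec.get(direction.lower(), []):
            peers = rule.get("from" if direction == "Ingress" else "to")
            # a rule without from:/to: allows every peer
            if not peers or any(peer_matches(p, peer, subject.namespace, ns_labels)
                                for p in peers):
                return True
    return not selected

def connection_allowed(policies, src, dst, ns_labels):
    # a connection needs egress permission at the source AND ingress at the destination
    return (direction_allowed(policies, src, dst, "Egress", ns_labels)
            and direction_allowed(policies, dst, src, "Ingress", ns_labels))

def policy(name, namespace, pod_selector, types, ingress=None, egress=None):
    spec = {"podSelector": pod_selector, "policyTypes": types}
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}

# The page's manifests transcribed as dicts (using the second backend.yaml).
PAGE_POLICIES = [
    policy("default-deny", "default", {}, ["Ingress", "Egress"]),
    policy("frontend", "default", {"matchLabels": {"run": "frontend"}}, ["Egress"],
           egress=[{"to": [{"podSelector": {"matchLabels": {"run": "backend"}}}]}]),
    policy("backend", "default", {"matchLabels": {"run": "backend"}}, ["Ingress", "Egress"],
           ingress=[{"from": [{"podSelector": {"matchLabels": {"run": "frontend"}}}]}],
           egress=[{"to": [{"namespaceSelector": {"matchLabels": {"ns": "cassandra"}}}]}]),
    policy("cassandra", "cassandra", {"matchLabels": {"run": "cassandra"}}, ["Ingress"],
           ingress=[{"from": [{"namespaceSelector": {"matchLabels": {"ns": "default"}}}]}]),
]
# Constructed: the namespaces must carry these labels or the selectors match nothing.
NS_LABELS = {"default": {"ns": "default"}, "cassandra": {"ns": "cassandra"}}
FRONTEND = Pod("frontend", "default", {"run": "frontend"})
BACKEND = Pod("backend", "default", {"run": "backend"})
CASSANDRA = Pod("cassandra", "cassandra", {"run": "cassandra"})
OTHER = Pod("other", "default", {"run": "other"})  # constructed pod no policy allows

# The two from: forms from the selector section: one entry (AND) vs two entries (OR).
AND_PEERS = [{"namespaceSelector": {"matchLabels": {"user": "alice"}},
              "podSelector": {"matchLabels": {"role": "client"}}}]
OR_PEERS = [{"namespaceSelector": {"matchLabels": {"user": "alice"}}},
            {"podSelector": {"matchLabels": {"role": "client"}}}]

def ingress_allowed_with(peers, client, ns_labels):
    # may `client` reach a pod in the constructed namespace "app" guarded by these peers?
    guard = policy("demo", "app", {}, ["Ingress"], ingress=[{"from": peers}])
    return direction_allowed([guard], Pod("server", "app", {}), client, "Ingress", ns_labels)

if __name__ == "__main__":
    for src, dst in [(FRONTEND, BACKEND), (BACKEND, FRONTEND), (OTHER, BACKEND),
                     (BACKEND, CASSANDRA), (FRONTEND, CASSANDRA), (CASSANDRA, BACKEND)]:
        print(f"{src.name} -> {dst.name}: {connection_allowed(PAGE_POLICIES, src, dst, NS_LABELS)}")
```

Running it shows that only frontend -> backend and backend -> cassandra are allowed; the reverse directions and the unlabelled "other" pod are blocked by the default-deny policy, and passing an empty namespace-label map instead of NS_LABELS makes the backend -> cassandra hop fail, which is the usual reason a namespaceSelector rule "does nothing" in practice.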