Understanding Kubernetes Network Policies. A Friendly Guide

In Kubernetes, effectively managing communication between different parts of your application is crucial for security and efficiency. That’s where Network Policies come into play. In this article, we’ll explore what Kubernetes Network Policies are, how they work, and provide some practical examples using YAML files. We’ll break it down in simple terms. Let’s go for it!

What are Kubernetes Network Policies?

Kubernetes Network Policies are rules that define how groups of Pods (the smallest deployable units in Kubernetes) can interact with each other and with other network endpoints. These policies allow or restrict traffic based on several factors, such as namespaces, labels, and ports.

Key Concepts

Network Policy

A Network Policy specifies the traffic rules for Pods. It can control both incoming (Ingress) and outgoing (Egress) traffic. Think of it as a security guard that only lets certain types of traffic in or out based on predefined rules.

Selectors

Selectors are used to choose which Pods the policy applies to. They can be based on labels (key-value pairs assigned to Pods), namespaces, or both. This flexibility allows for precise control over traffic flow.

Ingress and Egress Rules

  • Ingress Rules: These control incoming traffic to Pods. They define what sources can send traffic to the Pods and under what conditions.
  • Egress Rules: These control outgoing traffic from Pods. They specify what destinations the Pods can send traffic to and under what conditions.

Practical Examples with YAML

Let’s look at some practical examples to understand how Network Policies are defined and applied in Kubernetes.

Example 1: Allow Ingress Traffic from Specific Pods

Suppose we have a database Pod that should only receive traffic from application Pods labeled role=app. Here’s how we can define this policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-db
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: app

In this example:

  • podSelector selects Pods with the label role=db.
  • ingress rule allows traffic from Pods with the label role=app.

Example 2: Deny All Ingress Traffic

If you want to ensure that no Pods can communicate with a particular group of Pods, you can define a policy to deny all ingress traffic:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: sensitive
  ingress: []

In this other example:

  • podSelector selects Pods with the label role=sensitive.
  • An empty ingress rule (ingress: []) means no traffic is allowed in.

Example 3: Allow Egress Traffic to Specific External IPs

Now, let’s say we have a Pod that needs to send traffic to a specific external service, such as a payment gateway. We can define an egress policy for this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-external
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: payment-client
  egress:
  - to:
    - ipBlock:
        cidr: 203.0.113.0/24
    ports:
    - protocol: TCP
      port: 443

In this last example:

  • podSelector selects Pods with the label role=payment-client.
  • egress rule allows traffic to the external IP range 203.0.113.0/24 on port 443 (typically used for HTTPS).

In Summary

Kubernetes Network Policies are powerful tools that help you control traffic flow within your cluster. You can create a secure and efficient network environment for your applications by using selectors and defining ingress and egress rules.
I hope this guide has demystified the concept of Network Policies and shown you how to implement them with practical examples. Remember, the key to mastering Kubernetes is practice, so try out these examples and see how they can enhance your deployments.

Share