Kubernetes Network Policies – All you need to know!

Filed Under: Random
Kubernetes Network Policies

Hello, readers! This article talks about Kubernetes Network Policies and their implementation.

So, let us get started!! 馃檪


What is a Kubernetes Network Policy?

Before diving deep into the concept of Network Policy, let us pause for a moment to think over the below scenario.

Consider a situation wherein you want to have a BookMyShow kind of application. As an extended feature, you may want to introduce the concept of integration with Facebook, Gmail accounts for authentication and sales as a perspective.

And then you plan to containerize the entire application using Kubernetes as the orchestration tool. Having said this, as discussed earlier, all the containers reside within the pods. So, for us to implement the feature of integration with Facebook, we will want our pod to accept or transfer traffic only from some specific IPs or ports which is in cognition with Facebook.

To avail of this, Kubernetes offers us the concept of Network Policies.

With Network policies, we can apply rules at the pod level with regard to the communication with the network entities. These are confined to the application constructs and paves the way to decide the communication links from the pod to the external world.

On a broader scale, a Pod can usually communicate with the below entities:

  1. Another Namespace
  2. Other pods with the same or different namespaces
  3. IP addresses, ports, etc.

Using Network policy, we can define customized rules helping the pod to understand whether to accept/deny traffic from the above entities.


Type of Pods

In terms of Network Policies, we can divide the pods into the below types-

  1. Non-Isolated Pods : By default, all the pods belong to this category. That is, they are ready to accept traffic from any source without any restriction or rule.
  2. Isolated Pods : Once we apply a network policy to any pod, that specific pod can be termed as isolated. By this, the pod will reject all the connections that are not a part of the Network Policy.

The Network Policies never conflict. That is, if we apply multiple network policies on the pod, the pod will allow a union of the rules mentioned in the policies.


Creation of a Kubernetes Network Policy

In order to implement a network policy on any pod, it is essential for the cluster to have a network plugin. The network plugin is a networking solution for all the communication scenarios supported by Kubernetes.

Once we have the network solution in place, we can now apply the network policy on any pod.

Have a look at the below code-

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demo-network-policy
  namespace: demo
spec:
  podSelector:
    matchLabels:
      role: app-1
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/26
    - namespaceSelector:
        matchLabels:
          project: app-1
    - podSelector:
        matchLabels:
          role: app-1
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 3027
  • podSelector: It enables us to select pods on which the Network policy will be applicable with the help of labels.
  • policyTypes: This parameter enables us to have different types of Network Policies such as Ingress ( from incoming traffic), Egress (to outgoing traffic), etc.
  • ingress: Here we specify the source traffic routes with the attribute from. With this, the pod allows traffic from the sourcrs mentioned here.
  • egress: In egress, we specify IP blocks, ports to which we can have a pod type connection.

In this example, we have included both ingress and egress rules as a part of the Network Policy.

  1. Ingress rules: It allows traffic from ipblock 172.17.0.0/16 except the range 172.17.1.0/26. Also, from the specific namespace and pod which matches the label app-1 and port 6379 over the TCP protocol.
  2. Egress rules: It sends traffic to the ipblock 10.0.0.0/24 and to connect to port 3027 over the TCP protocol.

Conclusion

By this, we have come to the end of this topic. Feel free to comment below, in case you come across any questions.

For more such posts related to Kubernetes, Stay tuned with us.

Till then, Happy Learning!! 馃檪

Leave a Reply

Your email address will not be published. Required fields are marked *

close
Generic selectors
Exact matches only
Search in title
Search in content