Network Policies
Network Policies are Kubernetes resources that control traffic flow between pods and network endpoints. By default, pods are non-isolated and accept traffic from any source. Network Policies allow you to specify how pods can communicate with each other and with other network endpoints.
How Network Policies Work
- Network Policies are namespace-scoped
- They use labels to select pods and define rules for traffic
- Policies are additive - if any policy allows a connection, it is allowed
- If no policies select a pod, all traffic is allowed (default behavior)
- Once a pod is selected by any Network Policy, it rejects all traffic not explicitly allowed
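The five bullets above are easy to state and easy to get wrong in practice, so here they are as a small runnable model. This is an added example written for this page, not code from the Kubernetes project: pods, namespaces and policies are plain dicts that mirror the YAML fields used on this page, the cluster state is constructed, and nothing talks to a real API server. It also shows how a single `from` entry that carries both a `podSelector` and a `namespaceSelector` (ANDed) differs from two separate entries (ORed).

```python
# Added example (written for this page, not Kubernetes project code): a model of
# NetworkPolicy ingress semantics over constructed pods, namespaces and policies.


def selector_matches(labels, selector):
    """matchLabels-only selector. An empty selector ({}) matches everything,
    which is why `podSelector: {}` selects every pod in the namespace."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src, namespaces):
    """One entry of a `from:` list. Inside a single entry podSelector and
    namespaceSelector are ANDed; a podSelector on its own only selects pods in
    the policy's own namespace. ipBlock peers are not modelled here."""
    if "namespaceSelector" in peer:
        if not selector_matches(namespaces.get(src["ns"], {}), peer["namespaceSelector"]):
            return False
        return selector_matches(src["labels"], peer.get("podSelector", {}))
    if "podSelector" in peer:
        return src["ns"] == policy_ns and selector_matches(src["labels"], peer["podSelector"])
    return False


def rule_matches(rule, policy_ns, src, namespaces, port, proto):
    """Separate `from:` entries are ORed; an empty `from:` means any source and
    an empty `ports:` means any port."""
    peers = rule.get("from", [])
    if peers and not any(peer_matches(p, policy_ns, src, namespaces) for p in peers):
        return False
    ports = rule.get("ports", [])
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)


def ingress_allowed(policies, namespaces, src, dst, port, proto="TCP"):
    """The bullet points, in code: a policy isolates dst only if it lives in
    dst's namespace, lists Ingress in policyTypes and its podSelector selects
    dst; with no such policy traffic is allowed (default); otherwise traffic is
    allowed iff ANY rule of ANY selecting policy matches (additive)."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["ns"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(dst["labels"], p["spec"].get("podSelector", {}))
    ]
    if not selecting:
        return True
    return any(rule_matches(r, p["metadata"]["namespace"], src, namespaces, port, proto)
               for p in selecting for r in p["spec"].get("ingress", []))


# --- constructed sample cluster state (not from a real cluster) ---
NAMESPACES = {"production": {"environment": "production"}, "monitoring": {"name": "monitoring"}}
FRONTEND = {"ns": "production", "labels": {"app": "frontend"}}
BACKEND = {"ns": "production", "labels": {"app": "backend", "tier": "backend"}}
DATABASE = {"ns": "production", "labels": {"app": "database", "tier": "backend"}}
DEBUG = {"ns": "production", "labels": {"app": "debug"}}      # an unexpected pod
PROM = {"ns": "monitoring", "labels": {"app": "prometheus"}}


def policy(name, pod_selector, ingress):
    """Helper that builds a dict shaped like the YAML objects on this page."""
    return {"metadata": {"name": name, "namespace": "production"},
            "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress"], "ingress": ingress}}


DENY = policy("default-deny-ingress", {}, [])
ALLOW_FRONTEND = policy("allow-frontend-to-backend", {"matchLabels": {"app": "backend"}},
                        [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]}])
ALLOW_MON = policy("allow-from-monitoring", {"matchLabels": {"app": "backend"}},
                   [{"from": [{"namespaceSelector": {"matchLabels": {"name": "monitoring"}}}]}])
TIER = {"podSelector": {"matchLabels": {"tier": "backend"}}}
PROD = {"namespaceSelector": {"matchLabels": {"environment": "production"}}}
DB_AND = policy("database-policy", {"matchLabels": {"app": "database"}},
                [{"from": [{**TIER, **PROD}], "ports": [{"protocol": "TCP", "port": 5432}]}])
DB_OR = policy("database-policy-or", {"matchLabels": {"app": "database"}},
               [{"from": [TIER, PROD], "ports": [{"protocol": "TCP", "port": 5432}]}])


def demo():
    """Scenario name -> whether the connection is allowed."""
    return {
        "no_policy_default_allow": ingress_allowed([], NAMESPACES, DEBUG, BACKEND, 8080),
        "deny_all_blocks_frontend": ingress_allowed([DENY], NAMESPACES, FRONTEND, BACKEND, 8080),
        "additive_allow_8080": ingress_allowed([DENY, ALLOW_FRONTEND], NAMESPACES, FRONTEND, BACKEND, 8080),
        "wrong_port_blocked": ingress_allowed([DENY, ALLOW_FRONTEND], NAMESPACES, FRONTEND, BACKEND, 9090),
        "selected_pod_isolated": ingress_allowed([ALLOW_FRONTEND], NAMESPACES, DEBUG, BACKEND, 8080),
        "unselected_pod_open": ingress_allowed([ALLOW_FRONTEND], NAMESPACES, DEBUG, FRONTEND, 8080),
        "monitoring_any_port": ingress_allowed([DENY, ALLOW_FRONTEND, ALLOW_MON], NAMESPACES, PROM, BACKEND, 9090),
        "db_and_rejects_debug": ingress_allowed([DB_AND], NAMESPACES, DEBUG, DATABASE, 5432),
        "db_or_admits_debug": ingress_allowed([DB_OR], NAMESPACES, DEBUG, DATABASE, 5432),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY'}")
```

Two of the scenarios deserve a second look. `selected_pod_isolated` versus `unselected_pod_open` is the last bullet: the moment `allow-frontend-to-backend` selects the backend pod, every other source is cut off, while the frontend pod, selected by nothing, stays wide open. `db_and_rejects_debug` versus `db_or_admits_debug` is the same two selectors written as one `from` entry or as two: the second form admits any pod from any namespace labelled `environment: production`. Enforcement is done by the cluster's CNI plugin, not by the API server; on a plugin without NetworkPolicy support the objects are accepted but have no effect, which is one reason to test policies before relying on them.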
Policy Types
| Type | Description |
|---|---|
| Ingress | Controls incoming traffic to selected pods |
| Egress | Controls outgoing traffic from selected pods |
Default Deny All Ingress Traffic
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}   # Selects all pods in the namespace
  policyTypes:
    - Ingress       # Ingress listed with no ingress rules: all inbound traffic denied
```
Default Deny All Egress Traffic
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress        # Egress listed with no egress rules: all outbound traffic denied
```
Allow Traffic from Specific Pods
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:        # podSelector alone: pods in this namespace only
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```
Allow Traffic from Specific Namespace
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-monitoring
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector matches namespace labels, not the namespace name:
        # the monitoring namespace must carry the label name=monitoring
        - namespaceSelector:
            matchLabels:
              name: monitoring
      # No ports listed: every port is reachable from that namespace
```
Allow Egress to Specific CIDR and DNS
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-egress
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Egress
  egress:
    # Allow DNS: an empty `to` list matches every destination, so this permits
    # UDP/53 to anywhere (DNS over TCP, used for large responses, is not covered)
    - to: []
      ports:
        - protocol: UDP
          port: 53
    # Allow specific external IPs: inside the /8 but not inside the excluded /24
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8
            except:
              - 10.0.1.0/24
      ports:
        - protocol: TCP
          port: 443
```
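The `ipBlock` rule above is worth checking against concrete addresses, because the `except` list and the empty `to: []` list both change what "allowed" means. The following is an added example written for this page, not Kubernetes code: it evaluates the egress policy above with the standard-library `ipaddress` module, treating an address as matched when it is inside `cidr` and in none of the `except` ranges, and an empty `to` list as any destination. Pod and namespace peers are deliberately not modelled; the destination addresses are constructed.

```python
# Added example (written for this page, not Kubernetes code): ipBlock and
# empty-`to` semantics of an egress NetworkPolicy, standard library only.
import ipaddress


def validate_ipblock(ipblock):
    """The API server rejects `except` entries that lie outside `cidr`; do the
    same here so a typo cannot silently change what the block covers."""
    cidr = ipaddress.ip_network(ipblock["cidr"], strict=False)
    for exc in ipblock.get("except", []):
        if not ipaddress.ip_network(exc, strict=False).subnet_of(cidr):
            raise ValueError(f"except range {exc} is not inside {ipblock['cidr']}")
    return cidr


def ipblock_matches(ipblock, address):
    """True when address is in cidr and in none of the except ranges."""
    addr = ipaddress.ip_address(address)
    if addr not in validate_ipblock(ipblock):
        return False
    return not any(addr in ipaddress.ip_network(e, strict=False)
                   for e in ipblock.get("except", []))


def port_matches(ports, port, protocol):
    """An empty ports list means every port; protocol defaults to TCP."""
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port
                            for p in ports)


def egress_allowed(policy, address, port, protocol="TCP"):
    """A destination is reachable iff some egress rule matches both the
    destination (empty `to`, or an ipBlock containing it) and the port."""
    if "Egress" not in policy["spec"].get("policyTypes", []):
        return True  # this policy does not isolate egress at all
    for rule in policy["spec"].get("egress", []):
        peers = rule.get("to", [])
        dest_ok = not peers or any(
            "ipBlock" in p and ipblock_matches(p["ipBlock"], address) for p in peers)
        if dest_ok and port_matches(rule.get("ports", []), port, protocol):
            return True
    return False


# The allow-external-egress policy from this page, as a dict.
ALLOW_EXTERNAL_EGRESS = {
    "metadata": {"name": "allow-external-egress", "namespace": "production"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [], "ports": [{"protocol": "UDP", "port": 53}]},
            {"to": [{"ipBlock": {"cidr": "10.0.0.0/8", "except": ["10.0.1.0/24"]}}],
             "ports": [{"protocol": "TCP", "port": 443}]},
        ],
    },
}


def demo(policy=ALLOW_EXTERNAL_EGRESS):
    """Constructed destinations (documentation ranges); name -> allowed?"""
    return {
        "dns_udp_anywhere": egress_allowed(policy, "192.0.2.53", 53, "UDP"),  # True
        "dns_tcp_anywhere": egress_allowed(policy, "192.0.2.53", 53, "TCP"),  # False
        "https_inside_cidr": egress_allowed(policy, "10.0.5.4", 443),         # True
        "https_in_except": egress_allowed(policy, "10.0.1.7", 443),           # False
        "http_inside_cidr": egress_allowed(policy, "10.0.5.4", 80),           # False
        "https_outside_cidr": egress_allowed(policy, "192.0.2.10", 443),      # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY'}")
```

The `dns_tcp_anywhere` result is the one that surprises people: resolvers fall back to TCP for responses that do not fit in a UDP datagram, and a policy that lists only UDP/53 blocks that fallback. The `validate_ipblock` check mirrors the API server's own validation of `except` entries, so a block whose exception is outside its CIDR fails loudly instead of being silently mis-evaluated.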
Complete Example: Database Access Policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: database
      tier: backend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only allow backend-tier pods in production namespaces to connect.
    # podSelector and namespaceSelector sit in ONE list entry, so both must
    # match (AND). Written as two separate entries they would be ORed, and any
    # pod in a namespace labelled environment=production could connect.
    - from:
        - podSelector:
            matchLabels:
              tier: backend
          namespaceSelector:
            matchLabels:
              environment: production
      ports:
        - protocol: TCP
          port: 5432
  egress:
    # Allow DNS lookups (UDP/53 to any destination); everything else is denied
    - to: []
      ports:
        - protocol: UDP
          port: 53
```
Best Practices
- Start with Default Deny - Create a default deny policy, then explicitly allow required traffic
- Use Labels Consistently - Establish a labeling convention for apps, tiers, and environments
- Test Policies - Verify policies work as expected before applying to production
- Document Policies - Keep track of what traffic flows are allowed and why
- Monitor Traffic - Use network monitoring tools to detect policy violations
Activities
| Task | Description | Link |
|---|---|---|
| Try It Yourself | | |
| Network Policies | Create a policy to allow client pods with labels to access secure pod. | Network Policies |