- source of truth: https://kubernetes.io/docs/concepts/services-networking/network-policies/
- Network policies control traffic from/to pods
- Work began in early 2015 (1.2) in alpha stage and ended in 2017 (stable in 1.7)
- You need a networking plugin that implements network policies, such as Calico, Weave Net or kube-router; without one, NetworkPolicy objects are accepted by the API server but never enforced
- Labels are used to pick pods
- What does the spec look like?
  - Which pods to apply it to (podSelector)
  - For which direction (policyTypes)
    - ingress: -> pod
    - egress: pod ->
  - Rules for allowing
    - Ingress: who can connect to the pod
    - Egress: where this pod can connect to
- Example spec (show foo.yaml)
- Rules
  - Traffic is allowed unless there is a network policy selecting the pod
  - Traffic is denied if there are network policies selecting the pod, but no rule which allows the traffic
  - Which means: you can only write rules to allow traffic, i.e. a pod selected by a netpol is default deny for the selected direction
  - Traffic is allowed if there is at least one policy allowing it
  - Policy rules are additive, i.e. OR'd and not AND'd
  - Netpols are namespaced: a policy only selects pods in the namespace it is created in
- 3 ways to specify where the traffic can come from or go to (ingress and egress):
  - podSelector: matches pods in the current namespace
  - namespaceSelector: matches namespaces using labels
  - ipBlock: matches IP CIDR ranges
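To make the allow/deny rules above concrete, here is an added example (my own code, not part of the gist or of any Kubernetes component) that models NetworkPolicy ingress evaluation with plain Python dicts in place of YAML, so it runs with no cluster and no PyYAML. The pods, namespace labels and policies are constructed sample data that mirror the gist's manifests; ipBlock peers and egress are deliberately not modelled. It shows the three rules from the notes (unselected pod: allow; selected pod with no matching rule: deny; rules OR'd across policies) and one subtlety the notes only hint at: a podSelector and a namespaceSelector inside the same `from` entry are AND'd.

```python
# Added example, not part of the gist: a minimal model of NetworkPolicy ingress
# evaluation using dicts in place of YAML. All pods, namespaces and policies
# below are constructed sample data mirroring the gist's manifests.
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


def matches(selector, labels):
    """matchLabels semantics: every listed key=value must be present.
    An empty selector ({}) matches everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(spec):
    """Default policyTypes: Ingress is always present, Egress only when the
    spec carries egress rules (or when policyTypes lists it explicitly)."""
    if "policyTypes" in spec:
        return spec["policyTypes"]
    return ["Ingress"] + (["Egress"] if "egress" in spec else [])


def peer_allows(peer, src, policy_ns, namespaces):
    """One entry of a rule's 'from' list.
    podSelector and namespaceSelector inside the SAME entry are ANDed;
    a podSelector on its own is scoped to the policy's namespace."""
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], namespaces.get(src.namespace, {})):
            return False
        if "podSelector" in peer and not matches(peer["podSelector"], src.labels):
            return False
        return True
    if "podSelector" in peer:
        return src.namespace == policy_ns and matches(peer["podSelector"], src.labels)
    return False  # only ipBlock is left, which this pod-to-pod model ignores


def rule_allows(rule, src, policy_ns, namespaces):
    """A rule without 'from' (the bare {} rule) admits every source; otherwise
    the entries of 'from' are ORed: any one match is enough."""
    if "from" not in rule:
        return True
    return any(peer_allows(p, src, policy_ns, namespaces) for p in rule["from"])


def ingress_allowed(src, dst, policies, namespaces):
    """The rules from the notes: no policy selects dst -> allow; dst selected
    but no rule admits src -> deny; rules across all selecting policies are
    additive (ORed), never ANDed."""
    selecting = []
    for pol in policies:
        spec = pol["spec"]
        ns = pol["metadata"].get("namespace", "default")
        if (ns == dst.namespace and "Ingress" in policy_types(spec)
                and matches(spec["podSelector"], dst.labels)):
            selecting.append((ns, spec.get("ingress") or []))
    if not selecting:
        return True
    return any(rule_allows(r, src, ns, namespaces)
               for ns, rules in selecting for r in rules)


# --- constructed sample cluster state (labels chosen to match the gist) -----
NAMESPACES = {"default": {}, "ops": {"team": "operations"}}
WEB = Pod("web-0", "default", {"app": "web"})
API = Pod("api-0", "default", {"app": "bookstore", "role": "api"})
FRONTEND = Pod("frontend-0", "default", {"app": "bookstore", "role": "frontend"})
CLIENT = Pod("client-0", "default", {"app": "client"})
MONITOR = Pod("prom-0", "ops", {"type": "monitoring"})
LOCAL_MONITOR = Pod("prom-local", "default", {"type": "monitoring"})


def policy(name, pod_labels, ingress, namespace="default"):
    """Build a NetworkPolicy dict with the same shape as the YAML manifests."""
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": {"matchLabels": pod_labels}, "ingress": ingress}}


WEB_ALLOW_ALL = policy("web-allow-all", {"app": "web"}, [{}])
WEB_DENY_ALL = policy("web-deny-all", {"app": "web"}, [])
WEB_ALLOW_MONITORING = policy("web-allow-all-ns-monitoring", {"app": "web"}, [{
    "from": [{"namespaceSelector": {"matchLabels": {"team": "operations"}},
              "podSelector": {"matchLabels": {"type": "monitoring"}}}]}])
API_ALLOW = policy("api-allow", {"app": "bookstore", "role": "api"},
                   [{"from": [{"podSelector": {"matchLabels": {"app": "bookstore"}}}]}])

if __name__ == "__main__":
    deployed = [WEB_DENY_ALL, WEB_ALLOW_MONITORING, API_ALLOW]
    for src, dst in [(CLIENT, WEB), (MONITOR, WEB), (LOCAL_MONITOR, WEB),
                     (CLIENT, API), (FRONTEND, API)]:
        verdict = "ALLOW" if ingress_allowed(src, dst, deployed, NAMESPACES) else "DENY"
        print(f"{src.namespace}/{src.name} -> {dst.namespace}/{dst.name}: {verdict}")
```

Running it with the three policies deployed shows `prom-0` in the `ops` namespace reaching `web-0` while the identically labelled `prom-local` in `default` is denied, because the namespace label check in the same `from` entry fails; it also shows `web-deny-all` and `web-allow-all-ns-monitoring` combining additively rather than the deny "winning".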
Last active
August 20, 2018 12:17
Gist: tasdikrahman/db43698db526194d8b36838e92a8a6c5
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-all
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - {}
  # Empty ingress rule ({}) allows traffic from all pods in the current namespace,
  # as well as other namespaces. It corresponds to:
  #- from:
  #  - podSelector: {}
  #    namespaceSelector: {}
  # (A rule with no "from" at all also admits sources outside the cluster,
  # which the podSelector/namespaceSelector form above does not.)
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-deny-all
spec:
  podSelector:
    matchLabels:
      app: web
  ingress: []
  # app=web pods are selected but no ingress rule allows anything,
  # so all inbound traffic to them is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo-deny-external-egress
spec:
  podSelector:
    matchLabels:
      app: foo
  policyTypes:
  - Egress
  egress:
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  - to:
    - namespaceSelector: {}
  # This policy applies to pods with app=foo in the Egress (outbound) direction.
  # Similar to the "DENY egress traffic from an application" example, this policy
  # allows all outbound traffic on ports 53/udp and 53/tcp for DNS resolution
  # (the first rule has no "to", so DNS may go to any destination).
  # to: specifies an empty namespaceSelector. This selects all pods in all
  # namespaces, so outbound traffic to pods in the cluster is allowed.
  # Since they are not listed, traffic to IP addresses outside the cluster is denied.
apiVersion: networking.k8s.io/v1   # added; the gist omitted apiVersion and metadata
kind: NetworkPolicy
metadata:
  name: foo-db-allow-backend       # placeholder name, not from the gist
spec:
  podSelector:
    matchLabels:                   # the gist had "matchSelectors", which is not a valid field
      app: foo                     # for these pods
      tier: db
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: foo                 # allow traffic from these pods (same namespace only)
          tier: backend
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: api-allow
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  ingress:
  - from:
    - podSelector:           # any pod labelled app=bookstore in this namespace
        matchLabels:
          app: bookstore
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-allow-all-ns-monitoring
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - namespaceSelector:     # chooses all pods in namespaces labelled with team=operations
        matchLabels:
          team: operations
      podSelector:           # chooses pods with type=monitoring
        matchLabels:
          type: monitoring
      # Both selectors sit in the same "from" entry, so they are AND'd: the source
      # must be a type=monitoring pod in a team=operations namespace. Listing them
      # as two separate entries (two "-" items) would OR them instead.