Help Center> Cloud Container Engine> User Guide> Old Console> Networking> Network Policies
View PDF

Network Policies

As the service logic becomes increasingly complex, many applications require network calls between modules. Traditional external firewalls or application-based firewalls cannot meet the requirements. Network policies are urgently needed between modules, service logic layers, or functional teams in a large cluster.

CCE has enhanced the Kubernetes-based network policy feature, allowing network isolation in a cluster by configuring network policies. This means that a firewall can be set between pods.

For example, to make a payment system accessible only to specified components for security purposes, you can configure network policies.

Notes and Constraints

  • Only clusters that use the tunnel network model support network policies.
  • Egresses are not supported for network policies.
  • Network isolation is not supported for IPv6 addresses.

Precautions

If no network policies have been configured for a workload, such as workload-1, other workloads in the same cluster can access workload-1.

Creating a Network Policy

  1. Log in to the CCE console. In the navigation pane, choose Resource Management > Network. On the Network Policies tab page, click Create Network Policy.

    • Network Policy Name: Specify a network policy name.
    • Cluster Name: Select a cluster to which the network policy belongs.
    • Namespace: Select a namespace in which the network policy is applied.
    • Workload

      Click Select Workload. In the dialog box displayed, select a workload for which the network policy is to be created, for example, workload-1. Then, click OK.

    • Rules: Click Add Rule, set the parameters listed in Table 1, and click OK.
      Table 1 Parameters for adding a rule

      Parameter

      Description

      Direction

      Only Inbound is supported, indicating that the whitelisted workloads access the current workload (workload-1 in this example).

      Protocol

      Select a protocol. Currently, the TCP and UDP protocols are supported. The ICMP protocol is not supported.

      Destination Container Port

      Specify a port on which the workload in the container image listens. The Nginx application listens on port 80.

      If no container port is specified, all ports can be accessed by default.

      Whitelisted Workloads

      Select other workloads that can access the current workload. These workloads will access the current workload at the destination container port.

      • Namespace: All workloads in the selected namespace(s) are added to the whitelist. That is, all workloads in the namespace(s) can access workload-1.
      • Workload: The selected workloads can access workload-1. Only other workloads in the same namespace as workload-1 can be selected.

  2. Click Create.
  3. Repeat the preceding steps to add more network policies for the current workload when other ports need to be accessed by some workloads.

    After the network policies are created, only the specified workloads or workloads in the specified namespaces can access the current workload.

Parent topic: Networking