Updated on 2026-07-07 GMT+08:00

Network Policies

Network policies are designed by Kubernetes to restrict pod access. Like a firewall at the application layer, network policies enhance network security. The capabilities of network policies are determined by the network add-ons available in the cluster.

By default, if a namespace does not have any policies configured, pods in the namespace accept traffic from any ingress sources and send traffic to any egress destinations.

There are three kinds of selectors available for network policies:

  • namespaceSelector: selects particular namespaces in which all pods should be allowed as ingress sources or egress destinations.
  • podSelector: selects particular pods in the same namespace as the network policy which should be allowed as ingress sources or egress destinations.
  • ipBlock: selects particular CIDR blocks that are allowed as ingress sources or egress destinations. (Only egress CIDR blocks can be specified.)

Relationships Between Network Policies and Cluster Types

Cluster Type

CCE Standard Cluster

CCE Standard Cluster

CCE Turbo Cluster

Network Model

Tunnel Network

VPC Network

Cloud Native Network 2.0

Network policies

Enabled by default

Disabled by default (To use network policies, enable DataPlane V2 when creating a cluster.)

Disabled by default (To use network policies, enable DataPlane V2 when creating a cluster.)

Data plane implementation

OpenvSwitch

eBPF

eBPF

Cluster versions for ingress rules

All versions

v1.27.16-r30, v1.28.15-r20, v1.29.13-r0, v1.30.10-r0, v1.31.6-r0, or later

Clusters v1.34.3-r10 or later

Cluster versions for egress rules

v1.23 and later

Selector for ingress rules

namespaceSelector

podSelector

namespaceSelector

podSelector

ipBlock

namespaceSelector

podSelector

ipBlock

Selector for egress rules

namespaceSelector

podSelector

ipBlock

Supported OS

EulerOS

CentOS

Huawei Cloud EulerOS 2.0

Huawei Cloud EulerOS 2.0 is supported.

Clusters v1.28.15-r70, v1.29.15-r30, v1.30.14-r30, v1.31.10-r30, v1.32.6-r30, v1.33.5-r20, v1.34.1-r0, and later versions support Ubuntu 22.04.

Huawei Cloud EulerOS 2.0 is supported.

Clusters v1.28.15-r70, v1.29.15-r30, v1.30.14-r30, v1.31.10-r30, v1.32.6-r30, v1.33.5-r20, v1.34.1-r0, and later versions support Ubuntu 22.04.

IPv6 network policies

Not supported

Not supported

Supported

Secure containers

Not supported

Not supported

Not supported

IPBlock scope

Not limited

Subnets within the pod CIDR block, Service CIDR block, and node IP addresses

Subnets within the pod CIDR block, Service CIDR block, and node IP addresses

Limiting ClusterIP access through workload labels

Not supported

Supported

Supported

Limiting the internal cloud server CIDR block of 100.125.0.0/16

Supported

Supported

Supported

SCTP

Not supported

Supported

Supported

Always allowing access to pods on a node from other nodes

Supported

Supported

Supported

Configuring EndPort in network policies

Not supported

Supported

Supported

  • If you upgrade a CCE standard cluster with a tunnel network to a version that supports egress rules in in-place mode, the rules will not work because the node OS is not upgraded. In this case, reset the node.
  • When a network policy is enabled for a cluster with a tunnel network, a pod's source IP address is embedded in the optional field of packets it sends to any Service CIDR block. This enables the configuration of network policy rules on the destination pod, taking into account the source IP address of the pod.

Using Ingress Rules Through YAML

  • Scenario 1: Configure a network policy to allow only pods with specified labels to access the target pod.
    Figure 1 podSelector

    The pod labeled with role=db only permits access to its port 6379 from pods labeled with role=frontend. To achieve this, take the following steps:

    1. Create the access-ingress1.yaml file.
      vim access-ingress1.yaml

      File content:

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: access-ingress1
        namespace: default
      spec:
        podSelector:                  # The rule applies only to pods labeled with role=db.
          matchLabels:
            role: db
        ingress:                      # This is an ingress rule.
        - from:
          - podSelector:              # Allow access only from pods labeled with role=frontend.
              matchLabels:
                role: frontend
          ports:                      # Only TCP can be used to access port 6379.
          - protocol: TCP
            port: 6379
    2. Run the following command to create the network policy defined in the access-ingress1.yaml file:
      kubectl apply -f access-ingress1.yaml

      Expected output:

      networkpolicy.networking.k8s.io/access-ingress1 created
  • Scenario 2: Configure a network policy to allow only pods in a specific namespace to access the target pod.
    Figure 2 namespaceSelector

    The pod labeled with role=db only permits access to its port 6379 from pods in the namespace labeled with project=myproject. To achieve this, take the following steps:

    1. Create the access-ingress2.yaml file.
      vim access-ingress2.yaml

      File content:

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: access-ingress2
      spec:
        podSelector:                  # The rule applies only to pods labeled with role=db.
          matchLabels:
            role: db
        ingress:                      # This is an ingress rule.
        - from:
          - namespaceSelector:        # Allow access only from pods in namespaces labeled with project=myproject.
              matchLabels:
                project: myproject
          ports:                      # Only TCP can be used to access port 6379.
          - protocol: TCP
            port: 6379
    2. Run the following command to create the network policy defined in the access-ingress2.yaml file:
      kubectl apply -f access-ingress2.yaml

      Expected output:

      networkpolicy.networking.k8s.io/access-ingress2 created
  • Scenario 3: Configure a network policy to allow only pods with specific labels in a specific namespace to access the target pod.
    Figure 3 Using both podSelector and namespaceSelector

    The pod labeled with role=db only allows access to its port 6379 from pods with label role=frontend in the namespace labeled with project=myproject. To achieve this, take the following steps:

    1. Create the access-ingress3.yaml file.
      vim access-ingress3.yaml

      File content:

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: access-ingress3
      spec:
        podSelector:                  # The rule applies only to pods labeled with role=db.
          matchLabels:
            role: db
        ingress:                      # This is an ingress rule.
        - from:
          - namespaceSelector:        # Allow access only from pods in namespaces labeled with project=myproject.
              matchLabels:
                project: myproject
            podSelector:              # Allow access only from pods labeled with role=frontend.
              matchLabels:
                role: frontend
          ports:                      # Only TCP can be used to access port 6379.
          - protocol: TCP
            port: 6379
    2. Run the following command to create the network policy defined in the access-ingress3.yaml file:
      kubectl apply -f access-ingress3.yaml

      Expected output:

      networkpolicy.networking.k8s.io/access-ingress3 created

Using Egress Rules Through YAML

  • Scenario 1: Controlled by a preset network policy, pods can only access specific addresses.
    Figure 4 ipBlock

    The pods labeled role=db only allow access to 172.16.0.0/16, excluding 172.16.0.40/32. To achieve this, take the following steps:

    1. Create the access-egress1.yaml file.
      vim access-egress1.yaml

      File content:

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: access-egress1
        namespace: default
      spec:
        policyTypes:                  # This policy type must be specified for egress rules.
          - Egress
        podSelector:                  # The rule applies only to pods labeled with role=db.
          matchLabels:
            role: db
        egress:                       # This is an egress rule.
        - to:
          - ipBlock:
              cidr: 172.16.0.0/16    # Allows access to this CIDR block in the outbound direction.
              except:
              - 172.16.0.40/32        # Blocks access to this CIDR block, which is in the range specified by the cidr parameter.
    2. Run the following command to create the network policy defined in the access-egress1.yaml file:
      kubectl apply -f access-egress1.yaml

      Expected output:

      networkpolicy.networking.k8s.io/access-egress1 created
  • Scenario 2: Controlled by a preset network policy, a pod can only be accessed by pods with specific labels, while this pod itself can only access specific pods.
    Figure 5 Using both ingress and egress

    The pod labeled with role=db only permits access to its port 6379 from pods labeled with role=frontend, and this pod can only access the pods labeled with role=web. You can use the same rule to configure both ingress and egress in a network policy. To achieve this, take the following steps:

    1. Create the access-egress2.yaml file.
      vim access-egress2.yaml

      File content:

      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: access-egress2
        namespace: default
      spec:
        policyTypes:
        - Ingress
        - Egress
        podSelector:                  # The rule applies only to pods labeled with role=db.
          matchLabels:
            role: db
        ingress:                      # This is an ingress rule.
        - from:
          - podSelector:              # Allow access only from pods labeled with role=frontend.
              matchLabels:
                role: frontend
          ports:                      # Only TCP can be used to access port 6379.
          - protocol: TCP
            port: 6379
        egress:                       # This is an egress rule.
        - to:
          - podSelector:              # The rule takes effect for pods with the role=web label.
              matchLabels:
                role: web
    2. Run the following command to create the network policy defined in the access-egress2.yaml file:
      kubectl apply -f access-egress2.yaml

      Expected output:

      networkpolicy.networking.k8s.io/access-egress2 created