Network Policies
Network policies are the Kubernetes mechanism for restricting which traffic a pod may receive or send. They are equivalent to a firewall at the application layer and are used to enhance network security. What a network policy can actually enforce depends on the network add-on installed in the cluster: the API object is accepted by any cluster, but only an add-on that implements NetworkPolicy will enforce it.
By default, if a namespace has no network policies, pods in that namespace accept traffic from any source and send traffic to any destination. As soon as a policy selects a pod, that pod becomes isolated for the direction the policy covers and only the traffic explicitly allowed by some policy rule gets through.
A NetworkPolicy rule identifies its peers (ingress sources or egress destinations) with one of the following selectors:
- namespaceSelector: selects namespaces by label; all pods in the selected namespaces are allowed as ingress sources or egress destinations.
- podSelector: selects pods by label in the same namespace as the NetworkPolicy; the selected pods are allowed as ingress sources or egress destinations.
- ipBlock: selects IP CIDR ranges to allow as ingress sources or egress destinations. (Only egress rules support IP address blocks.)
Using Ingress Rules
- Using podSelector to specify the access scope
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:            # The rule takes effect for pods with the role=db label.
    matchLabels:
      role: db
  ingress:                # This is an ingress rule.
  - from:
    - podSelector:        # Only traffic from the pods with the "role=frontend" label is allowed.
        matchLabels:
          role: frontend
    ports:                # Only TCP can be used to access port 6379.
    - protocol: TCP
      port: 6379
```
The following figure shows how podSelector works.
Figure 1 podSelector
- Using namespaceSelector to specify the access scope
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
spec:
  podSelector:            # The rule takes effect for pods with the role=db label.
    matchLabels:
      role: db
  ingress:                # This is an ingress rule.
  - from:
    - namespaceSelector:  # Only traffic from the pods in the namespace with the "project=myproject" label is allowed.
        matchLabels:
          project: myproject
    ports:                # Only TCP can be used to access port 6379.
    - protocol: TCP
      port: 6379
```
The following figure shows how namespaceSelector works.
Figure 2 namespaceSelector
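To make the semantics of the two policies above concrete without a cluster, the following added example (illustrative code, not part of this page and not part of Kubernetes) models ingress evaluation offline. It encodes both policies from this page as Python dicts that mirror the YAML, adds the two ways of combining a namespaceSelector with a podSelector (in one `from` entry, which ANDs them, versus as two entries, which ORs them), and evaluates which constructed source pods may reach the `role=db` pod on TCP/6379. All namespaces, pods and policy names are constructed sample data; ipBlock peers and `policyTypes` are deliberately not modelled.

```python
"""Offline model of NetworkPolicy ingress evaluation (added example, constructed data).

Rules modelled: a pod that no policy selects accepts all traffic; a selected pod
accepts only what some ingress rule of some selecting policy allows; a podSelector
on its own reaches only pods in the policy's own namespace; namespaceSelector and
podSelector inside one 'from' entry are ANDed, separate entries are ORed.
"""

# Constructed sample data: namespace labels, and pods keyed "namespace/name" -> labels.
NAMESPACES = {"default": {}, "myproject": {"project": "myproject"}, "other": {}}
PODS = {
    "default/db": {"role": "db"},
    "default/frontend": {"role": "frontend"},
    "default/backend": {"role": "backend"},
    "myproject/frontend": {"role": "frontend"},
    "myproject/batch": {"role": "batch"},
    "other/frontend": {"role": "frontend"},
    "other/db": {"role": "db"},  # no policy lives in "other": this pod stays open
}


def policy(name, namespace, from_entries):
    """Build a NetworkPolicy dict (mirroring the YAML) for role=db pods, TCP port 6379."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"role": "db"}},
            "ingress": [{"from": from_entries,
                         "ports": [{"protocol": "TCP", "port": 6379}]}],
        },
    }


# The two policies from the page (names are constructed) ...
POLICY_POD = policy("by-pod", "default",
                    [{"podSelector": {"matchLabels": {"role": "frontend"}}}])
POLICY_NS = policy("by-namespace", "default",
                   [{"namespaceSelector": {"matchLabels": {"project": "myproject"}}}])
# ... plus the two ways of combining the selectors.
POLICY_AND = policy("ns-and-pod", "default", [{       # one entry, both selectors: AND
    "namespaceSelector": {"matchLabels": {"project": "myproject"}},
    "podSelector": {"matchLabels": {"role": "frontend"}},
}])
POLICY_OR = policy("ns-or-pod", "default", [           # two entries: OR
    {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
    {"podSelector": {"matchLabels": {"role": "frontend"}}},
])


def selector_matches(selector, labels):
    """matchLabels semantics: every listed label must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src_ns, src_labels, policy_ns):
    """Evaluate one 'from' entry against the source pod."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, NAMESPACES.get(src_ns, {})):
            return False
    elif src_ns != policy_ns:      # podSelector alone: same namespace as the policy only
        return False
    return pod_sel is None or selector_matches(pod_sel, src_labels)


def ports_match(ports, protocol, port):
    """An omitted 'ports' list allows every port and protocol; protocol defaults to TCP."""
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port
                            for p in ports)


def ingress_allowed(policies, src, dst, protocol="TCP", port=6379):
    """True if traffic src -> dst:port is accepted; src/dst are 'namespace/name' keys of PODS."""
    src_ns, dst_ns = src.split("/")[0], dst.split("/")[0]
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst_ns
                 and selector_matches(p["spec"]["podSelector"], PODS[dst])
                 and "ingress" in p["spec"]]
    if not selecting:
        return True                # default behaviour: nothing selects the pod
    for pol in selecting:
        for rule in pol["spec"]["ingress"]:
            if not ports_match(rule.get("ports"), protocol, port):
                continue
            if not rule.get("from") or any(peer_matches(pe, src_ns, PODS[src], dst_ns)
                                           for pe in rule["from"]):
                return True        # any matching rule of any selecting policy is enough
    return False


if __name__ == "__main__":
    cases = [("podSelector", [POLICY_POD]), ("namespaceSelector", [POLICY_NS]),
             ("ns AND pod", [POLICY_AND]), ("ns OR pod", [POLICY_OR])]
    for label, pols in cases:
        for src in ("default/frontend", "default/backend", "myproject/frontend",
                    "myproject/batch", "other/frontend"):
            verdict = "ALLOW" if ingress_allowed(pols, src, "default/db") else "DENY"
            print(f"{label:17} {src:20} -> default/db:6379  {verdict}")
```

Running the script prints an allow/deny matrix. The rows worth comparing are `myproject/batch` and `default/frontend`: the AND form admits neither (it only admits `role=frontend` pods inside the `project=myproject` namespace), whereas the OR form admits both. The indentation difference between those two YAML shapes is a single `-`, which is why a policy should always be checked against the traffic it is meant to admit and reject, not only read.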