Help Center/ Cloud Container Engine/ Kubernetes Basics/ Kubernetes Networking/ Network Policies
Updated on 2024-10-10 GMT+08:00
View PDF
Share

Network Policies

Network policies are designed by Kubernetes to restrict pod access. It is equivalent to a firewall at the application layer to enhance network security. The capabilities of network policies are determined by the network add-ons available in the cluster.

By default, if a namespace does not have any policy, pods in the namespace accept traffic from any source and send traffic to any destination.

NetworkPolicy rules are classified into the following types:

  • namespaceSelector: This selects particular namespaces for which all pods should be allowed as ingress sources or egress destinations.
  • podSelector: This selects particular pods in the same namespace as the NetworkPolicy which should be allowed as ingress sources or egress destinations.
  • ipBlock: This selects particular IP CIDR ranges to allow as ingress sources or egress destinations. (Only egress support IP address blocks.)

Using Ingress Rules

  • Using podSelector to specify the access scope 
    apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:                  # The rule takes effect for pods with the role=db label.
    matchLabels:
      role: db
  ingress:                      # This is an ingress rule.
  - from:
    - podSelector:              # Only traffic from the pods with the "role=frontend" label is allowed.
        matchLabels:
          role: frontend
    ports:                      # Only TCP can be used to access port 6379.
    - protocol: TCP
      port: 6379

    The following figure shows how podSelector works.

    Figure 1 podSelector
  • Using namespaceSelector to specify the access scope 
    apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
spec:
  podSelector:                  # The rule takes effect for pods with the role=db label.
    matchLabels:
      role: db
  ingress:                      # This is an ingress rule.
  - from:
    - namespaceSelector:        # Only traffic from the pods in the namespace with the "project=myproject" label is allowed.
        matchLabels:
          project: myproject
    ports:                      # Only TCP can be used to access port 6379.
    - protocol: TCP
      port: 6379

    The following figure shows how namespaceSelector works.

    Figure 2 namespaceSelector
Parent topic: Kubernetes Networking