Updated on 2024-10-10 GMT+08:00

Network Policies

Network policies are a Kubernetes mechanism for restricting pod access. They are equivalent to a firewall at the application layer and enhance network security. The capabilities of network policies depend on the network add-ons available in the cluster.

By default, if a namespace does not have any policy, pods in the namespace accept traffic from any source and send traffic to any destination.

NetworkPolicy rules are classified into the following types:

  • namespaceSelector: This selects particular namespaces for which all pods should be allowed as ingress sources or egress destinations.
  • podSelector: This selects particular pods in the same namespace as the NetworkPolicy which should be allowed as ingress sources or egress destinations.
  • ipBlock: This selects particular IP CIDR ranges to allow as ingress sources or egress destinations. (Only egress rules support IP address blocks.)

Using Ingress Rules

  • Using podSelector to specify the access scope
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: test-network-policy
      namespace: default
    spec:
      podSelector:                  # The rule takes effect for pods with the role=db label.
        matchLabels:
          role: db
      ingress:                      # This is an ingress rule.
      - from:
        - podSelector:              # Only traffic from the pods with the "role=frontend" label is allowed.
            matchLabels:
              role: frontend
        ports:                      # Only TCP can be used to access port 6379.
        - protocol: TCP
          port: 6379

    The following figure shows how podSelector works.

    Figure 1 podSelector
  • Using namespaceSelector to specify the access scope
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: test-network-policy
    spec:
      podSelector:                  # The rule takes effect for pods with the role=db label.
        matchLabels:
          role: db
      ingress:                      # This is an ingress rule.
      - from:
        - namespaceSelector:        # Only traffic from the pods in the namespace with the "project=myproject" label is allowed.
            matchLabels:
              project: myproject
        ports:                      # Only TCP can be used to access port 6379.
        - protocol: TCP
          port: 6379

    The following figure shows how namespaceSelector works.

    Figure 2 namespaceSelector
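To make the two selector semantics above concrete, the following is an added example (not code from the original page or from CCE) that evaluates the page's two policies against sample pods. The namespace label table and the pods are constructed assumptions; only matchLabels and selector peers are modelled.

```python
# Added example, not from the original page: applies the ingress semantics described
# above to a NetworkPolicy written as a dict mirroring the YAML. Only matchLabels and
# selector peers are modelled; pods and namespace labels below are constructed samples.

def labels_match(selector, labels):
    # Every matchLabels entry must be present; an empty selector matches everything.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, src, namespaces, policy_ns):
    # One entry of a 'from' list. Entries are alternatives (OR); inside one entry,
    # namespaceSelector and podSelector must both match (AND).
    if "ipBlock" in peer:
        return False                            # ipBlock peers are not modelled here
    ok = True
    if "namespaceSelector" in peer:
        ok = labels_match(peer["namespaceSelector"], namespaces.get(src["namespace"], {}))
    elif "podSelector" in peer:
        ok = src["namespace"] == policy_ns      # bare podSelector only sees the policy's namespace
    if "podSelector" in peer:
        ok = ok and labels_match(peer["podSelector"], src["labels"])
    return ok

def ports_allow(rule, protocol, port):
    if "ports" not in rule:                     # no ports list means every port and protocol
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in rule["ports"])

def ingress_allowed(policy, src, dst, namespaces, protocol="TCP", port=None):
    # True if this policy admits src -> dst on protocol/port, or does not select dst at all.
    policy_ns = policy["metadata"].get("namespace", "default")
    if dst["namespace"] != policy_ns or not labels_match(policy["spec"]["podSelector"], dst["labels"]):
        return True                             # policy does not apply to this destination
    return any(("from" not in rule or any(peer_allows(p, src, namespaces, policy_ns) for p in rule["from"]))
               and ports_allow(rule, protocol, port)
               for rule in policy["spec"].get("ingress", []))

# The two policies from the page, as dicts.
POD_SELECTOR_POLICY = {"metadata": {"name": "test-network-policy", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"role": "db"}}, "ingress": [{"from": [{"podSelector":
    {"matchLabels": {"role": "frontend"}}}], "ports": [{"protocol": "TCP", "port": 6379}]}]}}
NS_SELECTOR_POLICY = {"metadata": {"name": "test-network-policy"},
    "spec": {"podSelector": {"matchLabels": {"role": "db"}}, "ingress": [{"from": [{"namespaceSelector":
    {"matchLabels": {"project": "myproject"}}}], "ports": [{"protocol": "TCP", "port": 6379}]}]}}
NAMESPACES = {"default": {}, "team-a": {"project": "myproject"}}        # constructed namespace labels
DB = {"namespace": "default", "labels": {"role": "db"}}                 # constructed pods
FRONTEND = {"namespace": "default", "labels": {"role": "frontend"}}
TEAM_A_POD = {"namespace": "team-a", "labels": {"role": "batch"}}
```

With these inputs, the podSelector policy admits only the frontend pod in the policy's own namespace on TCP 6379, while the namespaceSelector policy admits any pod from the labelled namespace and rejects pods from the unlabelled default namespace.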