Kubernetes Network Policies

1. Introduction

Network Policies in Kubernetes are crucial for controlling the communication between pods and services within a cluster. By default, all pods can communicate with each other. Network Policies help enforce rules to restrict this communication based on defined criteria.

2. Key Concepts

2.1 Definitions

  • Pod: The smallest deployable unit in Kubernetes, which can contain one or more containers.
  • Network Policy: A specification of how groups of pods are allowed to communicate with each other and other network endpoints.
  • Selector: A mechanism to select a group of pods (based on labels) to which the network policy applies.

2.2 Types of Network Policies

  • Ingress Policies: Control the incoming traffic to the selected pods.
  • Egress Policies: Control the outgoing traffic from the selected pods.

3. Policy Configuration

3.1 Creating a Network Policy

Using the following YAML configuration, you can create a basic Network Policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend

This policy selects the pods labelled app: nginx and allows ingress to them only from pods labelled app: frontend in the same namespace; any other inbound traffic to the nginx pods is dropped.

3.2 Egress Policy Example

Here's an example of an Egress Policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database

This policy selects every pod in the default namespace and allows egress only to pods labelled app: database; all other outbound traffic from those pods, including DNS lookups to the cluster resolver, is dropped.

4. Best Practices

  • Always start with a default deny policy to block all traffic.
  • Use specific pod selectors to limit the scope of the policy.
  • Regularly review and update network policies as your application evolves.
  • Test policies in a staging environment before deploying them to production.

5. FAQs

What happens if I do not define a Network Policy?

If no Network Policy selects a pod, that pod accepts traffic from any source and can send traffic to any destination, so by default all pods can communicate with each other.

Can I apply multiple Network Policies to the same pods?

Yes, multiple Network Policies can apply to the same pods. They are additive, and all rules must be satisfied for traffic to be allowed.

Do Network Policies work with all CNI plugins?

Network Policies are enforced by the CNI plugin, not by Kubernetes itself. Most plugins support them, but confirm that your chosen plugin does: the API server accepts NetworkPolicy objects even when nothing in the cluster enforces them, so an unsupported plugin leaves the policies silently ineffective.