Network policy
If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster. NetworkPolicies are an application-centric construct that lets you specify how a pod is allowed to communicate with various network "entities".
Lab
Let's create a dev environment and a production environment in the same multitenant cluster. The dev web application should only be able to communicate with the dev database, and the production web application only with the prod database.
Let's first check the default behavior of pod-to-pod communication.
Step 1: Create two namespaces dev and prod.
kubectl create ns dev
kubectl create ns prod
Step 2: For testing purposes, let's create an nginx pod in each environment.
kubectl run devpod --image nginx -n dev
kubectl run prodpod --image nginx -n prod
Step 3: Find the IP addresses of both pods.
kubectl get pods -n dev -o wide
kubectl get pods -n prod -o wide
Step 4: Connect to the prod pod from the dev pod. Assume the prod nginx pod IP is 192.168.41.175 and the dev pod IP is 192.168.41.174.
kubectl exec -it devpod -n dev -- curl 192.168.41.175
kubectl exec -it prodpod -n prod -- curl 192.168.41.174
You will find that the dev pod can reach the nginx site running in the prod environment, and vice versa: by default, pods are not isolated and accept traffic from any source.
Now let's apply the network policies.
Step 1: Let's label both namespaces.
kubectl label namespaces dev env=dev
kubectl label namespaces prod env=prod
Step 2: Add the same label app=nginx-app to both pods.
kubectl label pod devpod app=nginx-app -n dev
kubectl label pod prodpod app=nginx-app -n prod
Step 3: Create a network policy in the dev namespace that allows traffic only from the dev namespace. Name this manifest file networkpolicy.yaml.
Step 4: Apply the network policy
kubectl create -f networkpolicy.yaml
Step 5: Now try to access the dev pod from the prod namespace; you will no longer be able to reach it.
kubectl exec -it prodpod -n prod -- curl 192.168.41.174
Step 6: Define an egress network policy to restrict outbound traffic.
Step 7: After applying the above, outbound traffic is restricted: if you try to access the prod nginx pod from the dev pod, you should not be able to reach it.
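The two manifests the steps above refer to are not reproduced on the page. What follows is an added example of an ingress policy and an egress policy for the dev namespace, written for this lab and not the page's own networkpolicy.yaml. It assumes the namespace label env=dev and the pod label app=nginx-app from steps 1 and 2; the policy names are assumed.

```yaml
# Added example, not the page's own networkpolicy.yaml. Assumes the namespace
# label env=dev and the pod label app=nginx-app set in steps 1 and 2; the policy
# names are assumed. Both policies live in the dev namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dev-allow-ingress-from-dev    # assumed name
  namespace: dev
spec:
  # Once any policy selects devpod, the pod is isolated for the listed policy
  # types and only the peers named in the rules may reach it.
  podSelector:
    matchLabels:
      app: nginx-app
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Peers in any namespace carrying the label env=dev; prodpod (env=prod)
    # no longer matches.
    - namespaceSelector:
        matchLabels:
          env: dev
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dev-restrict-egress    # assumed name
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: nginx-app
  policyTypes:
  - Egress
  egress:
  # Outbound connections are allowed only to pods in namespaces labelled env=dev,
  # so curl from devpod to the prod pod IP is dropped.
  - to:
    - namespaceSelector:
        matchLabels:
          env: dev
```

Apply it with kubectl apply -f and repeat the curl commands from steps 4 and 5 with a timeout (for example curl --max-time 5) so a dropped connection fails quickly instead of hanging. Two caveats: NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them (the API server accepts the manifest either way, so an unenforced policy is easy to mistake for a working one), and the egress rule also blocks DNS lookups to CoreDNS in kube-system; the lab uses raw pod IPs so that is harmless here, but a real workload would need an additional egress rule for port 53 to the kube-system namespace.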
One more Example
First, create a web application that points to a database (web.yaml)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deploy
  labels:
    app: nginx-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx-app
    spec:
      containers:
      - name: nginx-container
        image: ramansharma95/webapp
        ports:
        - containerPort: 80
  selector:
    matchLabels:
      app: nginx-app
kubectl create -f web.yaml
Create a database deployment (db.yaml)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: db-deploy
  labels:
    app: db-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: db-app
    spec:
      containers:
      - name: db-container
        image: ramansharma95/mysql
        ports:
        - containerPort: 3306
  selector:
    matchLabels:
      app: db-app
kubectl create -f db.yaml
Create a web service (websvc.yaml)
apiVersion: v1
kind: Service
metadata:
  name: my-service
  labels:
    app: nginx-app
spec:
  selector:
    app: nginx-app
  type: NodePort
  ports:
  - nodePort: 31111
    port: 80
    targetPort: 80
kubectl create -f websvc.yaml
Create a database service (dbsvc.yaml)
apiVersion: v1
kind: Service
metadata:
  name: db
  labels:
    app: db-app
spec:
  selector:
    app: db-app
  type: ClusterIP
  ports:
  - port: 3306
    targetPort: 3306
kubectl apply -f dbsvc.yaml
Create a network policy that does not allow any pod to communicate with the DB app (deny.yaml)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db-app
  ingress: []
kubectl create -f deny.yaml
Create a network policy that allows a set of pods to communicate with the db (allow.yaml)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db-app
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: nginx-app
kubectl create -f allow.yaml
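Two details of allow.yaml are worth checking before trusting it. First, policies are additive: once deny.yaml has isolated the db-app pods, allow.yaml adds an allowed peer set, and the result is the union of all policies selecting the pod. Second, in allow.yaml the namespaceSelector and podSelector sit in a single from entry, which means a peer must satisfy both (a pod labelled app=nginx-app in any namespace); written as two entries they would be OR-ed. The manifest below is an added example, not one of the page's files, that tightens the rule to the web pods in the default namespace (using the kubernetes.io/metadata.name label that Kubernetes sets on every namespace) and to the MySQL port only; the policy name is assumed. A commented-out fragment at the end shows the over-broad two-entry form for contrast.

```yaml
# Added example, not one of the page's manifests. Assumes the db-app and
# nginx-app labels and the default namespace from the lab; the name is assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db-3306    # assumed name
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db-app
  policyTypes:
  - Ingress
  ingress:
  - from:
    # One list item holding both selectors: the peer must be a pod labelled
    # app=nginx-app AND live in the namespace named "default".
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: default
      podSelector:
        matchLabels:
          app: nginx-app
    # Restrict the allowed traffic to the database port rather than all ports.
    ports:
    - protocol: TCP
      port: 3306
# For contrast (not applied): with an extra "-" the two selectors become
# separate peers, and peers are OR-ed. "namespaceSelector: {}" on its own
# matches every pod in every namespace, so this variant allows all ingress,
# not just the web pods:
#
#  ingress:
#  - from:
#    - namespaceSelector: {}
#    - podSelector:
#        matchLabels:
#          app: nginx-app
```

After applying, kubectl describe networkpolicy allow-web-to-db-3306 prints the resolved rule, which is the quickest way to confirm whether a from block was parsed as one AND-ed peer or several OR-ed ones. The indentation difference is easy to miss in review, and the over-broad form silently undoes the intent of deny.yaml.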