Followers

Network policy in Kubernetes

  Network policy If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kuber...

 

Network policy

If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster. NetworkPolicies are an application-centric construct that allows you to specify how a pod is allowed to communicate with various network "entities"

Lab

Let's create a dev environment and production environment in the same multitenant cluster. Dev environment's web application can only communicate to db of dev env and Production web application can only communicate to prod db.

Let's first check the default behavior of pod communication

Step 1: Create two namespaces dev and prod.

        kubectl create ns dev

        kubectl create ns prod

Step 2: For testing purpose let's create nginx pod in both the environment.

         kubectl run devpod --image nginx -n dev

         kubectl run prodpod --image nginx -n prod

Step 3: Find the IP address of both the Pods 

         kubectl get pods -n dev -o wide

         kubectl get pods -n prod -o wide

Step 4: Connect prod pod from dev pod Consider prod nginx pod IP is 192.168.41.175 and dev pod IP is 192.168.41.174

        kubectl exec -it devpod -n dev -- curl 192.168.41.175

        kubectl exec -it prodpod -n prod -- curl 192.168.41.174

You will find that dev pod can browse the nginx website which is running in prod environment and vice versa.

Now let's apply the network policies.

Step 1: Let's provide label to both environment

      kubectl label namespaces dev env=dev

      kubectl label namespaces prod env=prod

Step 2: Add same label app=nginx-app to both the pods

      kubectl label pod devpod app=nginx-app -n dev

      kubectl label pod prodpod app=nginx-app -n prod

Step 3: Create a network policy in dev environment to allow only traffic from dev namespace. Let's name this manifest file as networkpolicy.yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: dev
spec:
  podSelector:
    matchLabels:
         app: nginx-app
  policyTypes:
    - Ingress
  ingress:
  - from:
        - namespaceSelector:
            matchLabels:
                    env: dev


Step 4: Apply the network policy

         kubectl create -f networkpolicy.yaml

Step 5: Now try to access the dev pod from prod namespace and you will not be able to communicate it

         kubectl exec -it prodpod -n prod -- curl 192.168.41.174

Step 6: Define Egress Network policy to restrict outbound traffic.

   


apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: dev
spec:
  podSelector:
    matchLabels:
         app: nginx-app
  policyTypes:
    - Ingress
  ingress:
  - from:
        - namespaceSelector:
            matchLabels:
                    env: dev
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978


Step 7: After apply the above you are restricting outbound traffic and if you try to access prod nginx pod and you should not be able to access the pod.

One more Example

First, create one web application which is pointing to a database (web.yaml)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deploy
  labels:
    app: nginx-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx-app
    spec:
      containers:
      - name: nginx-container
        image: ramansharma95/webapp
        ports:
        - containerPort: 80
  selector:
    matchLabels:
      app: nginx-app

kubectl create -f web.yaml

Create a database deployment (db.yaml)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: db-deploy
  labels:
    app: db-app
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: db-app
    spec:
      containers:
      - name: db-container
        image: ramansharma95/mysql
        ports:
        - containerPort: 3306
  selector:
    matchLabels:
      app: db-app

kubectl create -f db.yaml

Create a webservice(websvc.yaml)

apiVersion: v1
kind: Service
metadata:
  name: my-service
  labels:
    app: nginx-app
spec:
  selector:
    app: nginx-app
  type: NodePort
  ports:
  - nodePort: 31111
    port: 80
    targetPort: 80

kubectl create -f websvc.yaml
kubectl create -f websvc.yaml

Create a database service(dbsvc.yaml)

apiVersion: v1
kind: Service
metadata:
  name: db
  labels:
    app: db-app
spec:
  selector:
    app: db-app
  type: ClusterIP
  ports:
  - port: 3306
    targetPort: 3306

kubectl apply -f dbsvc.yaml

Create a network policy not to allow any pod to communicate to DB app(deny.yaml)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
          app: db-app
  ingress: []

kubectl create -f deny.yaml

Create a network policy to allow a set of pods to communicate with db (allow.yaml)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
          app: db-app
  ingress:
  - from:
        - namespaceSelector: {}
          podSelector:
           matchLabels:
            app: nginx-app

kubectl create -f allow.yaml

COMMENTS

Name

Ansible,6,AWS,1,Azure DevOps,1,Containerization with docker,2,DevOps,2,Docker Quiz,1,Docker Swarm,1,DockerCompose,1,ELK,2,git,2,Jira,1,Kubernetes,1,Kubernetes Quiz,5,SAST DAST Security Testing,1,SDLC Quiz,3,SonarQube,3,Splunk,2,vagrant kubernetes,1,YAML Basics,1,
ltr
item
DevOpsWorld: Network policy in Kubernetes
Network policy in Kubernetes
DevOpsWorld
https://www.devopsworld.co.in/2021/06/network-policy-in-kubernetes.html
https://www.devopsworld.co.in/
https://www.devopsworld.co.in/
https://www.devopsworld.co.in/2021/06/network-policy-in-kubernetes.html
true
5997357714110665304
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share to a social network STEP 2: Click the link on your social network Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy Table of Content