Network Policies

Back

Loading concept...

🛡️ Kubernetes Network Policies: The Security Guards of Your Cluster

The Story: Your Cluster is a Gated Community

Imagine your Kubernetes cluster as a big apartment building. Each apartment (Pod) has different people (containers) living inside. Now, without any rules, anyone could knock on any door and walk into any apartment! 😱

That’s where Network Policies come in. They’re like security guards at each apartment door, checking IDs and deciding who can come in and who can go out.

🏠 What Are Network Policies?

Think of Network Policies as “No Entry” signs with a guest list.

By default, Kubernetes is like a friendly neighborhood where everyone can talk to everyone. But sometimes, you need rules:

  • 🚫 “Only my friends from Building A can visit”
  • 🚫 “I can only go to the grocery store (port 80), not the casino (port 443)”
  • 🚫 “Nobody comes in unless they’re on my list”

Simple Definition:

A Network Policy is a set of rules that controls how Pods communicate with each other and with the outside world.

Real-World Example

Your “payment” Pod should only talk to:

  • ✅ The “database” Pod
  • ✅ The “logging” Pod
  • ❌ NOT the “games” Pod
  • ❌ NOT random internet traffic

📜 Network Policy Rules: The Guest List

Every Network Policy has rules that answer three questions:

Question What it means
WHO? Which Pods does this rule apply to?
IN or OUT? Is traffic coming in (ingress) or going out (egress)?
FROM/TO? Where is the traffic coming from or going to?

The Three Types of Rules

graph TD
    A["Network Policy"] --> B["Ingress Rules"]
    A --> C["Egress Rules"]
    B --> D["Who can come IN?"]
    C --> E["Where can I go OUT?"]

🚪 Ingress = Incoming Traffic

“Who is allowed to knock on MY door?”

ingress:
  - from:
      - podSelector:
          matchLabels:
            role: frontend
    ports:
      - port: 80

Translation: “Only Pods labeled role: frontend can visit me, and only through port 80.”

🚀 Egress = Outgoing Traffic

“Where am I allowed to go?”

egress:
  - to:
      - podSelector:
          matchLabels:
            role: database
    ports:
      - port: 5432

Translation: “I can only visit Pods labeled role: database on port 5432.”

🎯 Network Policy Selectors: Finding the Right Pods

Selectors are like name tags that help the security guard identify who’s who.

Three Types of Selectors

graph TD
    A["Selectors"] --> B["podSelector"]
    A --> C["namespaceSelector"]
    A --> D["ipBlock"]
    B --> E["Match Pods by labels"]
    C --> F["Match entire namespaces"]
    D --> G["Match IP addresses"]

1️⃣ Pod Selector

“Find Pods wearing THIS name tag”

podSelector:
  matchLabels:
    app: web
    tier: frontend

Translation: “Only Pods with BOTH labels app: web AND tier: frontend

2️⃣ Namespace Selector

“Find everyone in THIS building”

namespaceSelector:
  matchLabels:
    environment: production

Translation: “Allow traffic from ANY Pod in namespaces labeled environment: production

3️⃣ IP Block Selector

“Allow visitors from THESE addresses”

ipBlock:
  cidr: 192.168.1.0/24
  except:
    - 192.168.1.100/32

Translation: “Allow traffic from 192.168.1.0 to 192.168.1.255, EXCEPT 192.168.1.100”

🔀 Combining Selectors

You can mix and match! Here’s a powerful combo:

ingress:
  - from:
      - namespaceSelector:
          matchLabels:
            team: payments
        podSelector:
          matchLabels:
            role: api

Translation: “Only allow Pods labeled role: api that are ALSO in namespaces labeled team: payments

🚧 Default Deny Policies: Lock Everything Down First!

This is the golden rule of network security:

“Deny everything by default, then allow only what’s needed.”

Why Default Deny?

Imagine leaving all apartment doors wide open and then trying to remember which ones to lock.

Instead:

  1. 🔐 Lock ALL doors first
  2. 🔑 Give keys only to trusted visitors

Default Deny All Ingress

“Nobody comes in unless I say so!”

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress

What’s happening here?

  • podSelector: {} = Select ALL Pods in this namespace
  • policyTypes: [Ingress] = Apply to incoming traffic
  • No ingress rules = No incoming traffic allowed!

Default Deny All Egress

“Nobody goes out unless I say so!”

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress

Default Deny BOTH (Ultimate Lockdown)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

Warning! 🚨 After applying this, your Pods can’t talk to ANYONE—not even DNS! You’ll need to add specific allow rules.

🎨 Putting It All Together: A Complete Example

Here’s a real-world scenario for a three-tier app:

graph TD
    Internet((Internet)) --> FE["Frontend Pods"]
    FE --> API["API Pods"]
    API --> DB["#40;Database Pods#41;"]

    style FE fill:#4CAF50
    style API fill:#2196F3
    style DB fill:#9C27B0

Step 1: Default Deny in Production

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

Step 2: Allow Frontend to Talk to API

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: production
spec:
  podSelector:
    matchLabels:
      tier: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: frontend
      ports:
        - port: 8080

Step 3: Allow API to Talk to Database

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: production
spec:
  podSelector:
    matchLabels:
      tier: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: api
      ports:
        - port: 5432

🧠 Key Takeaways

Concept Remember This
Network Policy Security guard rules for Pods
Ingress Who can come IN
Egress Where can I go OUT
Pod Selector Match Pods by their labels
Namespace Selector Match Pods in specific namespaces
IP Block Match by IP address ranges
Default Deny Lock everything first, then allow specifically

🎉 You Did It!

You now understand how to:

  • ✅ Create rules for who can talk to your Pods
  • ✅ Use selectors to target specific Pods
  • ✅ Lock down your cluster with default deny policies

Remember: Network Policies are like good security guards—they only let the right people in and keep the troublemakers out! 🛡️

Loading story...

Story - Premium Content

Please sign in to view this story and start learning.

Upgrade to Premium to unlock full access to all stories.

Sign In to Access Get Premium Access Close

Stay Tuned!

Story is coming soon.

Story Preview

Story - Premium Content

Please sign in to view this concept and start learning.

Upgrade to Premium to unlock full access to all content.

Sign In to Access Get Premium Access Close