2 min read | by Jordi Prats
Network policies are Kubernetes objects that let you control the flow of connections to and from Pods. By default every Pod accepts and can initiate any connection, but as soon as a Pod is selected by a NetworkPolicy it stops being open in the direction (ingress, egress or both) that policy covers: only the connections some policy explicitly allows get through, everything else is dropped. Enforcement is done by the CNI plugin, so on a cluster whose network plugin does not implement NetworkPolicy the objects are accepted by the API server but have no effect at all.
We can configure both directions:
The ingress and egress sections hold the rules for each direction. Inside them, the from (ingress) and to (egress) selectors describe which peers the traffic is allowed to come from or go to, and an optional ports list restricts the protocol and port.
Just as in Deployments, we can use labels to pick the Pods the NetworkPolicy applies to (the top-level podSelector) and, inside the rules, the Pods (podSelector) or namespaces (namespaceSelector) a peer has to match. A podSelector on its own only matches Pods in the policy's own namespace.
But we can also use IP ranges with ipBlock, optionally carving holes in the range with except.
As a simple example, the following NetworkPolicy applies to all the Pods that have the label role=test. It allows ingress traffic from anywhere to TCP/8080 (the ingress rule has a ports list but no from list, so any source matches). Meanwhile, traffic originating from the Pod is only allowed to UDP/53, TCP/53, TCP/80 and TCP/443, to any destination address (ipBlock 0.0.0.0/0). policyTypes is not set, so it defaults to Ingress plus Egress because the spec has an egress section: everything else in both directions is dropped, which is why DNS (port 53 to the cluster resolver) has to be listed explicitly.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demo-network-policy
spec:
  podSelector:
    matchLabels:
      role: test
  ingress:
  - ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
```
But we can combine different types of origins in the same NetworkPolicy. For example, the following one accepts connections on TCP/8888 to the Pods labelled role=db in the default namespace from a specific network range (with an exception), from any Pod in a namespace labelled project=myproject, and from the Pods in the default namespace that match the label role=frontend. The three entries under from are separate list items, so they are ORed: a source only has to match one of them. Putting namespaceSelector and podSelector together in a single entry would AND them instead (only role=frontend Pods living in a project=myproject namespace). Also note that policyTypes lists Egress but the spec has no egress rules, so these Pods are denied all outbound traffic, DNS included.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 8888
```
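To check the semantics of the two manifests above without a cluster, here is a small model of NetworkPolicy matching. It is an added example, not code from the original post and not how any CNI plugin implements enforcement: it only handles matchLabels (no matchExpressions, named ports or endPort), and the namespaces, Pod names, IPs and the external addresses it uses are constructed for the demo. It encodes both policies as dicts, plus a variant of the second one with the namespace and Pod selectors in a single from entry, to show the OR versus AND difference and the effect of listing Egress in policyTypes without egress rules.

```python
# Added example (not from the original post, not a CNI implementation): a toy model of
# NetworkPolicy matching. Cluster state below (namespaces, pods, IPs) is constructed.
import copy
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Endpoint:
    """A pod (namespace set) or an address outside the cluster (namespace None)."""
    name: str
    namespace: Optional[str]
    ip: str
    labels: dict

def selector_matches(selector, labels):
    # matchLabels only (no matchExpressions); an empty selector {} matches everything.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, other, namespaces, policy_ns):
    """One entry of a from/to list. Keys inside one entry are ANDed; the caller ORs entries."""
    if "ipBlock" in peer:
        blk = peer["ipBlock"]
        addr = ipaddress.ip_address(other.ip)
        if addr not in ipaddress.ip_network(blk["cidr"]):
            return False
        return not any(addr in ipaddress.ip_network(e) for e in blk.get("except", []))
    if other.namespace is None:  # not a cluster pod: only ipBlock can match it
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        if other.namespace != policy_ns:  # a lone podSelector is scoped to the policy's namespace
            return False
    elif not selector_matches(ns_sel, namespaces[other.namespace]):
        return False
    return pod_sel is None or selector_matches(pod_sel, other.labels)

def port_matches(ports, protocol, port):
    if not ports:  # no ports list means every port and protocol
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") in (None, port) for p in ports)

def policy_applies(pol, subject, direction):
    spec, ns = pol["spec"], pol["metadata"].get("namespace", "default")
    if ns != subject.namespace or not selector_matches(spec["podSelector"], subject.labels):
        return False
    # policyTypes defaults to Ingress, plus Egress only when the spec has an egress section.
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return direction in types

def direction_allowed(policies, subject, other, namespaces, protocol, port, direction):
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        if not policy_applies(pol, subject, direction):
            continue
        isolated = True  # selected in this direction: only an explicit rule can allow traffic
        policy_ns = pol["metadata"].get("namespace", "default")
        for rule in pol["spec"].get(rules_key, []):
            peers = rule.get(peers_key)
            peer_ok = not peers or any(peer_matches(p, other, namespaces, policy_ns) for p in peers)
            if peer_ok and port_matches(rule.get("ports"), protocol, port):
                return True
    return not isolated  # not selected in this direction: the pod is still open

def connection_allowed(policies, src, dst, namespaces, port, protocol="TCP"):
    """Egress policy on the source and ingress policy on the destination must both allow it."""
    return (direction_allowed(policies, src, dst, namespaces, protocol, port, "Egress")
            and direction_allowed(policies, dst, src, namespaces, protocol, port, "Ingress"))

# The two manifests from the post, as dicts.
DEMO_POLICY = {"metadata": {"name": "demo-network-policy"}, "spec": {
    "podSelector": {"matchLabels": {"role": "test"}},
    "ingress": [{"ports": [{"protocol": "TCP", "port": 8080}]}],
    "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}], "ports": [
        {"protocol": "TCP", "port": 53}, {"protocol": "UDP", "port": 53},
        {"protocol": "TCP", "port": 80}, {"protocol": "TCP", "port": 443}]}]}}
TEST_POLICY = {"metadata": {"name": "test-network-policy", "namespace": "default"}, "spec": {
    "podSelector": {"matchLabels": {"role": "db"}}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [
        {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
        {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
        {"podSelector": {"matchLabels": {"role": "frontend"}}}],
        "ports": [{"protocol": "TCP", "port": 8888}]}]}}
# Same policy with the namespace and pod selectors in ONE from entry, so they are ANDed.
AND_POLICY = copy.deepcopy(TEST_POLICY)
AND_POLICY["spec"]["ingress"][0]["from"] = [{"namespaceSelector": {"matchLabels": {"project": "myproject"}},
                                            "podSelector": {"matchLabels": {"role": "frontend"}}}]
# Constructed cluster state: namespace labels, pods and two addresses outside the cluster.
NAMESPACES = {"default": {}, "payments": {"project": "myproject"}}
DB = Endpoint("db-0", "default", "10.244.1.10", {"role": "db"})
FRONTEND = Endpoint("frontend-0", "default", "10.244.1.20", {"role": "frontend"})
PAY_FRONTEND = Endpoint("frontend-0", "payments", "10.244.2.6", {"role": "frontend"})
PAY_WORKER = Endpoint("worker-0", "payments", "10.244.2.5", {"app": "worker"})
OTHER = Endpoint("other-0", "default", "10.244.1.30", {"role": "other"})
TEST_POD = Endpoint("test-0", "default", "10.244.1.40", {"role": "test"})
EXTERNAL_OK = Endpoint("lb", None, "172.17.2.5", {})
EXTERNAL_EXCEPT = Endpoint("lb", None, "172.17.1.9", {})
```

Calling connection_allowed([TEST_POLICY], FRONTEND, DB, NAMESPACES, 8888) returns True, while the same call with [AND_POLICY] returns False because the default namespace carries no project=myproject label; connection_allowed([TEST_POLICY], DB, FRONTEND, NAMESPACES, 80) is False because the db Pods are isolated for egress with no egress rules at all.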
Posted on 20/12/2021