Network Policies in Kubernetes

Ashutosh MahajanAshutosh Mahajan
3 min read

Table of contents

🗼Introduction

In the world of Kubernetes, managing and securing network traffic between pods is crucial for maintaining a robust and secure application environment. This is where Network Policies come into play. This blog will delve into the concept of Network Policies, their importance, and provide a practical example to help you get started.

🗼What are Network Policies?

Network Policies in Kubernetes are objects within a namespace that define how groups of pods are allowed to communicate with each other and other network endpoints. Essentially, they control the traffic flow at the IP address or port level. You can link network policies to one or more pods to manage ingress (incoming) and egress (outgoing) traffic, enhancing the security and organization of your Kubernetes cluster.

🗼Why Use Network Policies?

  • Security: Limit exposure of sensitive pods by restricting which pods can communicate with them.

  • Micro-segmentation: Create isolated segments within the Kubernetes cluster, ensuring that different applications or environments (e.g., development and production) do not interfere with each other.

  • Compliance: Ensure that communication patterns comply with organizational or regulatory requirements.

🗼Defining Network Policies

Network Policies are defined using YAML files. They specify rules for ingress and egress traffic for selected pods, identified by labels. A typical Network Policy consists of three main sections:

  • Pod Selector: Specifies the pods to which the policy applies.

  • Policy Types: Defines whether the policy applies to ingress, egress, or both.

  • Rules: Contains the actual rules defining allowed traffic.

🎗️Basic Structure of a Network Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy
  namespace: dev
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 3306
  egress:
  - to:
    - podSelector:
        matchLabels:
          role: backend
    ports:
    - protocol: TCP
      port: 8080

🎗️Practical Example

Let’s walk through a practical example of implementing a Network Policy in Kubernetes. We will create a policy that restricts access to a database pod.

🎗️Scenario

We have three types of pods:

  1. frontend: Handles user requests.

  2. backend: Processes business logic.

  3. database: Stores data.

The goal is to allow only the frontend pods to communicate with the database pods on port 3306, and only the backend pods to communicate with external services on port 8080.

🎗️Step to Implementation Network Policy

  1. Label the Pods: Ensure each pod is labeled appropriately.
kubectl label pod frontend-pod-1 role=frontend
kubectl label pod backend-pod-1 role=backend
kubectl label pod database-pod-1 role=db
  1. Create the Network Policy: Define and apply the network policy using a YAML file.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-access
  namespace: dev
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 3306

Apply the policy:

kubectl apply -f db-access.yaml
  1. Test the Policy: Verify that only frontend pods can access the database pods on port 3306.
  • Attempt access from a frontend pod:
kubectl exec -it frontend-pod-1 -- nc -zv database-pod-1 3306
  • Attempt access from a backend pod:
kubectl exec -it backend-pod-1 -- nc -zv database-pod-1 3306

nc:- It stands for Netcat.

-vz Options are used for specific purposes.

By following these steps, we have successfully restricted access to the database pods, enhancing the security of our Kubernetes cluster.

🗼Conclusion

Network Policies in Kubernetes are a powerful tool for managing and securing network traffic between pods. By defining clear rules and linking them to specific pods, you can ensure that your application components communicate only as intended. This not only boosts security but also helps in maintaining a clean and organized network structure within your cluster.

Implementing Network Policies might seem complex at first, but with practical examples and careful planning, you can leverage their full potential to secure your Kubernetes deployments.

0
Subscribe to my newsletter

Read articles from Ashutosh Mahajan directly inside your inbox. Subscribe to the newsletter, and don't miss out.

egresskubernetes network policiesKubernetesingressconnectivity

Written by

Ashutosh Mahajan
Ashutosh Mahajan

Proficient in variety of DevOps technologies, including AWS, Linux, Shell Scripting, Python, Docker, Terraform, Jenkins and Computer Networking. They have strong ability to troubleshoot and resolve issues and are consistently motivated to expand their knowledge and skills through expantion of new technologies.