Day 26 of 40daysofkubernetes : Kubernetes Network Policies

Kubernetes, being a powerful orchestration tool, provides a way to manage and enforce rules for network traffic within a cluster through Network Policies. In this blog, we'll explore what a Network Policy is, why it's essential, and how to create a KIND (Kubernetes IN Docker) cluster that supports Network Policies.

What is a Network Policy?

A Network Policy in Kubernetes is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. Network Policies use labels to select pods and define rules that specify the traffic that is allowed to and from those pods. These rules can be based on factors like the pod's namespace, the IP address, or the port number.

Network Policies are defined using YAML manifests and are applied at the namespace level. They help in controlling the flow of traffic at the IP address level, which is crucial for maintaining the security and efficiency of your cluster.

Why Do We Use a Network Policy in Kubernetes?

1. Security: By default, all pods in a Kubernetes cluster can communicate with each other. While this is convenient, it poses a security risk, especially in production environments. Network Policies allow you to restrict traffic to only what is necessary, minimizing the attack surface.

2. Compliance: Many organizations must comply with specific regulatory requirements regarding data protection and network security. Network Policies help enforce these requirements by controlling how data flows within the cluster.

3. Microservices Isolation: In a microservices architecture, different services often need to be isolated from each other for security and reliability reasons. Network Policies allow you to create boundaries between different microservices, ensuring that only the necessary services can communicate with each other.

4. Traffic Control: Network Policies allow you to control the ingress (incoming) and egress (outgoing) traffic for your applications. This can be used to ensure that only specific traffic can reach sensitive parts of your application, improving both security and performance.

Creating a KIND Cluster that Supports Network Policies

To experiment with Network Policies, you'll need a Kubernetes cluster that supports them. KIND (Kubernetes IN Docker) is a tool that lets you run Kubernetes clusters in Docker containers, making it an excellent choice for local development and testing.

Here's how to create a KIND cluster that supports Network Policies:

1. Install KIND: If you haven't already installed KIND, you can do so by running:

    codecurl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.18.0/kind-linux-amd64
    chmod +x ./kind
    sudo mv ./kind /usr/local/bin/kind
   

2. Create a KIND Configuration File: Create a file named kind-config.yaml with the following content:

    kind: Cluster
    apiVersion: kind.x-k8s.io/v1alpha4
    nodes:
    - role: control-plane
      extraPortMappings:
      - containerPort: 30001
        hostPort: 30001
    - role: worker
    - role: worker
    networking:
      disableDefaultCNI: true
      podSubnet: 192.168.0.0/16
   

   This configuration disables the default CNI (Container Network Interface) so that we can install a CNI that supports Network Policies.

3. Create the KIND Cluster: Use the following command to create the cluster:

    kind create cluster --config kind-cluster.yaml --name cka --image kindest/node:v1.30.0
   

4. Install a CNI Plugin: To enable Network Policies, you'll need a CNI plugin that supports them. Calico is a popular choice:

    kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.28.1/manifests/calico.yaml
   

    kubectl get pods -n kube-system
   

   You should see the Calico pods in a running state.

5. Deploy a Sample Application: Deploy a sample application to test the Network Policies:

    kubectl create deployment nginx --image=nginx
    kubectl expose deployment nginx --port=80
   

6. Create a Network Policy: Now, create a Network Policy to allow traffic only from a specific namespace:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-nginx
      namespace: default
    spec:
      podSelector:
        matchLabels:
          app: nginx
      ingress:
      - from:
        - podSelector:
            matchLabels:
              role: frontend
        ports:
        - protocol: TCP
          port: 80
   

   Apply the policy with:

    kubectl apply -f network-policy.yaml
   

This Network Policy allows ingress traffic to the Nginx pods only from pods labeled with role: frontend and only on port 80.

Conclusion

Network Policies are a powerful tool in Kubernetes for managing and securing network traffic within a cluster. By defining which pods can communicate with each other, you can reduce the attack surface, ensure compliance, and improve the security of your applications. With KIND, you can easily set up a local Kubernetes environment to experiment with Network Policies before applying them in a production environment.

Reference:

https://www.youtube.com/watch?v=eVtnevr3Rao&list=PLl4APkPHzsUUOkOv3i62UidrLmSB8DcGC&index=27