Home / How To / Network policy in Kubernetes

Network policy in Kubernetes



By default, skis accept traffic from all sources. A network policy helps you specify how a group of podcasts can communicate with each other and other network endpoints. NetworkPolicy uses labels to select skis and define rules to specify which traffic is allowed for the selected skis When there is a NetworkPolicy applied to a particular pod, this pod rejects connections that are not allowed NetworkPolicy. The pods that have not been selected by any NetworkPolicy continue to accept all traffic.

If you want to know more about NetworkPolicy in detail, visit Kubernete’s official page here.

In this article we see the use of Ingress and Egress NetworkPolicy where ingress is incoming traffic to the pod and egress outgoing traffic from the pod.

Conditions

  1. Kubernetes Cluster with at least 1 working node.
    Click here to learn how to create a Kubernetes cluster. This guide will help you create a Kubernetes cluster with 1 Master and 2 Nodes on AWS Ubuntu 18.04 EC2 instances.

What should we do?

  1. Create network policies

Create network policies

Ingress Network Policy

Create a hello web pod with a label “app-destination-pod” and a service where we allow incoming traffic in port 8080.

kubectl run hello-web --labels app=destination-pod --image=gcr.io/google-samples/hello-app:1.0 --port 8080 --
kubectl get pod | grep hello-web

kubectl get service | grep hello-web

creat-a-pod-and-a-service

Create an introductory definition file with the following content that allows traffic to the “hello-web” pod labeled “app = destinations-pod” on port 8080 from the pod that matches the label “app = source-pod”.

vim ingress.yml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: destination-pod-allow-from-source-pod
spec:
  policyTypes:
  - Ingress
  podSelector:
    matchLabels:
      app: destination-pod
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: source-pod

penetration network policy-defination

Before we create an introductory policy, create a pod labeled “app = unknown” that does not match the policy rule.

kubectl run -l app=unknown --image=alpine --restart=Never --rm -i -t test-1

When we try to reach our “hello-web” pod on port 8080 from this pod, the pod will be available.

wget -qO- --timeout=2 http://hello-web:8080

create-an-unknown-pod

Now create a policy that allows connection to pod with the label “app = destination-pod” from pod with the label “app = source-pod” and get details about it.

kubectl apply -f ingress.yml
kubectl get networkpolicy destination-pod-allow-from-source-pod

create-ingress-network policy

Now create a pod with a label that does not match the rule defined in the policy.

kubectl run -l app=unknown --image=alpine --restart=Never --rm -i -t test-1

If we try to access the “hello-web” podcast from this pod again, the “hello-web” podcast will not be reached.

wget -qO- --timeout=2 http://hello-web:8080

Try access-from-unknown-pod

This time, let’s create a pod that matches the network policy rule, ie. pod labeled “app = source-app”

kubectl run -l app=source-pod --image=alpine --restart=Never --rm -i -t test-1

If we try to reach the “hello-web” pod from the pod with the label “app = source-pod”, the “hello-web” can be reached.

wget -qO- --timeout=2 http://hello-web:8080

Try access-from-known-pod

In the screenshot above, you can see that the “hello-web” pod was available from the pod labeled “app = source-pod”. This means that we have limited connections on our “hejwebb” and that only skis with the label “app = source-pod” can connect to it.

Egress Network Policy

Create a new Egress Network Policy file with the following content.

vim egress.yml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: source-pod-allow-to-destination-pod
spec:
  policyTypes:
  - Egress
  podSelector:
    matchLabels:
      app: source-pod
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: destination-pod
  - ports:
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP

Egress network policy-defination

The above policy allows outbound connections from pod with the label “app = source-pod” to pod with the label “app = destination-pod” and also on port 53 for DNS resolution.

Before we apply Egress Policy in the cluster, create a pod “hello-web-2” and service that does not comply with our policy.

kubectl run hello-web-2 --labels app=hello-2 --image=gcr.io/google-samples/hello-app:1.0 --port 8080 --expose
kubectl get pod | grep hello-web-2
kubectl get service | grep hello-web-2

create-unknown-application

Now create a pod labeled “app = source-pod”.advertisement

kubectl run -l app=source-pod --image=alpine --restart=Never --rm -i -t test-2

Before using the Egress policy, both the “hello-web” and “hello-web-2” apps can be accessed from the pod labeled “app = source-pod”

wget -qO- --timeout=2 http://hello-web:8080
wget -qO- --timeout=2 http://hello-web-2:8080

access to unknow programs available

Now create a network policy with the egress rule.

kubectl create -f egress.yml
kubectl get networkpolicy | grep source-pod-allow-to-destination-pod

create-egress network policy

Let’s create a pod labeled “app = source-pod” and try to access both pod “app = source-pod”

kubectl run -l app=source-pod --image=alpine --restart=Never --rm -i -t test-3

wget -qO- – timeout = 2 http: // hallo-web: 8080

wget -qO- --timeout=2 http://hello-web-2:8080

access to unknown application not available

In the screenshot above, you may notice that this time pod “hello-web-2” could not be accessed because it does not match the egress policy that allows connection from a pod labeled “app = source-pod” to pod labeled “app = destination- pod “.

Conclusion

In this article, we looked at the steps to create an introductory and egress network policy. We also saw how the incoming and outgoing connection can be limited with each preamble and egress and to better understand this we saw its implementation with a simple web app.


Source link