@pbabbott
Created October 28, 2025 02:23
Kubernetes Network Policies

Examples

Basic Netpol Setup

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: netpol-name-goes-here
  namespace: media
spec:
  ...

Block all inbound traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-all-inbound
  namespace: media
spec:
  podSelector: {}         # 1 - selects all pods in the namespace
  policyTypes: [Ingress]  # 2 - are we talking about inbound (or outbound) traffic to (or from) a pod?
  ingress: []             # 3 - no rules => deny everything!

Allow all inbound traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-inbound
  namespace: media
spec:
  podSelector: {}         # 1 - selects all pods in the namespace
  policyTypes: [Ingress]  # 2 - are we talking about inbound (or outbound) traffic to (or from) a pod?
  ingress:                # 3 - defines the ways in which communication can happen to a pod
    - {}                  # an empty object is a rule that matches everything => allow EVERYTHING!

ONLY allow traffic to a pod on a specific port

  • imagine there is a pod called nginx listening on port 80 in the namespace blog
    • it has the label app=blog
  • imagine there are other pods in this blog namespace too
    • one has the label app=email-notifications
    • that pod has been set up to send emails to the readers each week!

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-only-port-80-for-the-blog
  namespace: blog
spec:
  # step 1 - select a pod
  podSelector:
    matchLabels:
      app: blog           # find a pod in the namespace blog, where the label is app=blog

  # step 2 - define traffic to or from the pod
  policyTypes: [Ingress]

  # step 3 - define how this traffic should behave
  ingress:
    - ports:
      - protocol: TCP
        port: 80

Brandon's homelab fui-component example

Only allow traffic from the ingress-nginx namespace on port 80.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fui-components-restrictive
  namespace: fui-components
spec:
  podSelector: {}         # step 1 - select all pods in the namespace fui-components
  policyTypes:            # step 2 - define whether we are talking about inbound, outbound, or both
    - Ingress
    - Egress
  ingress:               #  step 3 - define how traffic comes in
    - from:              # one rule: from a namespace called ingress-nginx AND port 80
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 80
  egress: []             # no rules.... deny all!

Brandon's homelab fui-component example (MODIFIED)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fui-components-restrictive
  namespace: fui-components
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
    - ports:                                                # I added an extra tick here!!! what does this do??
        - protocol: TCP
          port: 80
  egress: []

  • Adding the extra tick (the leading dash) in front of ports makes it a separate list item...
  • ingress now has 2 rules instead of 1
  • the first rule says: allow traffic from the ingress-nginx namespace (on any port)
  • the 2nd rule says: allow traffic on port 80 (from any source)
  • adding the extra tick changed the AND into an OR
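To make the block-all / allow-all rules, the port-only blog rule, and the AND-versus-OR difference above concrete, here is a small added example (not code from the gist or from Kubernetes) that models the ingress side of NetworkPolicy evaluation in Python and runs the two fui-components policies against constructed pods. Pod names, the "scratch" namespace and the 443 probe are assumptions for the demo; the policies are the ones written above, with egress left out because only ingress is evaluated.

```python
"""Toy evaluator for the ingress side of a Kubernetes NetworkPolicy.

Constructed illustration, not code from the gist or from Kubernetes. It models
only what the policies above use: podSelector.matchLabels, policyTypes,
ingress rules with from[].namespaceSelector / from[].podSelector and ports[].
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)      # labels on the Pod
    ns_labels: dict = field(default_factory=dict)   # labels on its Namespace object


def labels_match(selector: dict, labels: dict) -> bool:
    """matchLabels: every key in the selector must be present with the same value.
    An empty selector ({}) selects everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer: dict, src: Pod) -> bool:
    """One entry under `from:`; namespaceSelector and podSelector in the same entry are ANDed."""
    if "namespaceSelector" in peer and not labels_match(peer["namespaceSelector"], src.ns_labels):
        return False
    if "podSelector" in peer and not labels_match(peer["podSelector"], src.labels):
        return False
    return True


def rule_allows(rule: dict, src: Pod, proto: str, port: int) -> bool:
    """Within ONE rule, `from` and `ports` are ANDed. A missing `from` means any
    source and a missing `ports` means any port, so the rule `{}` allows everything."""
    if "from" in rule and not any(peer_matches(p, src) for p in rule["from"]):
        return False
    if "ports" in rule and not any(
        p.get("protocol", "TCP") == proto and p.get("port") == port for p in rule["ports"]
    ):
        return False
    return True


def ingress_allowed(policies: list, dst: Pod, src: Pod, proto: str, port: int) -> bool:
    """Is src -> dst on proto/port allowed? A pod selected by no Ingress policy accepts
    everything; once selected, the connection must match at least one rule of at least
    one selecting policy (rules are ORed, across and within policies)."""
    selected = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != dst.namespace:
            continue
        # policyTypes defaults to Ingress when omitted; Egress is not evaluated here
        if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
            continue
        if not labels_match(spec.get("podSelector", {}), dst.labels):
            continue
        selected = True
        if any(rule_allows(r, src, proto, port) for r in spec.get("ingress", [])):
            return True
    return not selected


FROM_INGRESS_NGINX = {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "ingress-nginx"}}}
PORT_80 = {"protocol": "TCP", "port": 80}

# The policies from the gist as dicts (egress omitted: not evaluated here).
ORIGINAL = {"metadata": {"name": "fui-components-restrictive", "namespace": "fui-components"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                     "ingress": [{"from": [FROM_INGRESS_NGINX], "ports": [PORT_80]}]}}  # one rule: AND
MODIFIED = {"metadata": {"name": "fui-components-restrictive", "namespace": "fui-components"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                     "ingress": [{"from": [FROM_INGRESS_NGINX]}, {"ports": [PORT_80]}]}}  # two rules: OR
DENY_ALL = {"metadata": {"name": "block-all-inbound", "namespace": "media"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []}}
ALLOW_ALL = {"metadata": {"name": "allow-all-inbound", "namespace": "media"},
             "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}}

# Constructed pods: a target in fui-components, the ingress controller, and a stray pod elsewhere.
TARGET = Pod("fui-web", "fui-components")
NGINX = Pod("ingress-nginx-controller", "ingress-nginx",
            ns_labels={"kubernetes.io/metadata.name": "ingress-nginx"})
STRAY = Pod("curl", "scratch", ns_labels={"kubernetes.io/metadata.name": "scratch"})


def compare() -> dict:
    """For each connection: (allowed by ORIGINAL, allowed by MODIFIED)."""
    cases = {"nginx:80": (NGINX, 80), "nginx:443": (NGINX, 443),
             "stray:80": (STRAY, 80), "stray:443": (STRAY, 443)}
    return {k: (ingress_allowed([ORIGINAL], TARGET, s, "TCP", p),
                ingress_allowed([MODIFIED], TARGET, s, "TCP", p)) for k, (s, p) in cases.items()}


if __name__ == "__main__":
    for k, (orig, mod) in compare().items():
        print(f"{k:10} original={orig!s:5} modified={mod!s:5}")
```

Running it shows the security impact of the stray dash: the original policy admits only ingress-nginx on TCP/80, while the modified one also admits ingress-nginx on every port and any pod in the cluster on port 80. The same evaluator returns False for the block-all-inbound policy (selected, no rules), True for allow-all-inbound (the `{}` rule), and True when no policy selects the pod at all, which is why a pod with no NetworkPolicy is wide open by default.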

As written commands

  • Step 1 - figure out how k create netpol works...

... is this even possible?

For CKAD

Steps

  • Step 1 - choose which pods are affected
  • Step 2 - are we talking about ingress, egress, or both?
  • Step 3 - define rules for how traffic should behave: in, out, or both.