Network policies in Kubernetes and use cases :)

NHAILA Achraf
4 min readApr 13

--

network policies in Kubernetes and use cases

We are going to mention the list of Network policies supported by Kubernetes & the use cases for each one.

1 — Network policies in Kubernetes

2 — list of Network policies supported by Kubernetes and implementation

IIngress, Egress, PodSelector, NamespaceSelector, CIDR, ports, ExternalTrafficPolicy…

— — — — — — — — — -

Ready? Here we go!!!

1 — Network policies in Kubernetes

Network policies in Kubernetes are like a special barrier around our house to keep people from entering. With network policies, we can control the traffic coming in and out of our application, ensuring that only the right types of traffic are allowed in.

2 — Here is a list of the major types of network policies supported by Kubernetes:

Ingress: Ingress network policies control incoming traffic to a pod. They allow you to specify which pods are allowed to receive traffic, and from which sources.

A simple example of how to implement Ingress :


apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress
spec:
podSelector: {}
ingress:
- from:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
#This example allows incoming traffic from the IP range 10.0.0.0/24 on ports 80 and 443.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

Egress: Egress network policies control outgoing traffic from a pod. They allow you to specify which pods are allowed to send traffic, and to which destinations.

A simple example of how to implement Egress :

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress
spec:
podSelector:
matchLabels:
app: frontend
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 443
#This example allows outgoing traffic from pods with the label app=frontend to the IP range 10.0.0.0/24 on port 443

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

PodSelector: PodSelector network policies control traffic to and from pods based on their labels. They allow you to specify which pods are affected by the policy based on their labels.

A simple example of how to implement PodSelector :

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-podselector
spec:
podSelector:
matchLabels:
app: FO
ingress:
- from:
- podSelector:
matchLabels:
app: BO
#This example allows incoming traffic from pods with the label app=BO to pods with the label app=FO.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

NamespaceSelector: NamespaceSelector network policies control traffic to and from namespaces based on their labels. They allow you to specify which namespaces are affected by the policy based on their labels.

A simple example of how to implement NamespaceSelector :

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-namespaceselector
spec:
podSelector: {}
ingress:
- from:
- namespaceSelector:
matchLabels:
env: staging
#This example allows incoming traffic from pods in namespaces with the label env=staging.

— — — — — — — — — — — — — — — — — — —

CIDR: CIDR network policies control traffic based on IP ranges. They allow you to specify which IP ranges are allowed or blocked from accessing your pods.

A simple example of how to implement CIDR :

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: block-iprange
spec:
podSelector:
matchLabels:
app: FO
ingress:
- from:
- ipBlock:
cidr: 192.168.0.0/16
#This example blocks incoming traffic from the IP range 192.168.0.0/16 to pods with the label app=FO.

________________________________________________________________

Ports: Ports network policies control traffic based on the ports used by your pods. They allow you to specify which ports are allowed or blocked from accessing your pods.

A simple example of how to implement Ports :

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ports
spec:
podSelector: {}
ingress:
- from:
- podSelector:
matchLabels:
app: BO
ports:
- protocol: TCP
port: 8080
ports:
- protocol: TCP
port: 80
#This example allows incoming traffic on port 80 and from pods with the label app=BO on port 8080.

ExternalTrafficPolicy: ExternalTrafficPolicy network policies control how traffic is routed to your pods. They allow you to specify whether traffic should be routed to nodes outside your cluster or only to nodes within your cluster.

A simple example of how to implement ExternalTrafficPolicy :

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-peer
spec:
podSelector:
matchLabels:
app: FO
ingress:
- from:
- podSelector:
matchLabels:
app: BO
ports:
- protocol: TCP
port: 80
egress:
- to:
- podSelector:
matchLabels:
app: BO
ports:
- protocol: TCP
port: 8080
#This example allows incoming traffic on port 80 from pods with the label app=BO to pods with the label app=FO, and allows outgoing traffic on port 8080 to pods with the label app=BO

These network policies can be combined and customized to create more complex policies as needed. They allow you to control traffic to and from your pods, improving the security and reliability of your application.

Hope this will help!
NHAILA Achraf

--

--

NHAILA Achraf

Devops software engineer