Case of Kubernetes Network Policy


Overview:

In Kubernetes, a NetworkPolicy lets you control traffic flow at the IP address or port level (OSI layer 3 or 4). It has no visibility into layer 7 (HTTP paths, methods or hostnames).

NetworkPolicies let you specify rules for traffic flow within your cluster, and between Pods and the outside world. Your cluster must use a network plugin that enforces NetworkPolicy; without one, the policy objects are accepted by the API server but nothing applies them.

Prerequisite:

Network policies are implemented by the network plugin (CNI). To use them, you must be running a networking solution that supports NetworkPolicy enforcement, such as Calico or Cilium.

Creating a NetworkPolicy resource without a controller that implements it has no effect: the object is stored, kubectl lists it, and traffic keeps flowing. Because this failure mode is silent, always verify a new policy by actually testing connectivity, as CASE1 below does.

Example Implementation:

NOTE: For layer 7 network policy (for example, restricting HTTP methods or paths), more advanced third-party solutions such as Cilium can be considered; they are not covered in this article.

The example below implements a NetworkPolicy with Calico as the network plugin, on the Killercoda Kubernetes playground: https://killercoda.com/playgrounds/scenario/kubernetes

1) CREATE TWO NAMESPACES:

controlplane $ kubectl create ns dev1
namespace/dev1 created

controlplane $ kubectl create ns dev2
namespace/dev2 created

2) Run nginx under both namespaces.

controlplane $ kubectl run nginx1 --image=nginx -n dev1
pod/nginx1 created

controlplane $ kubectl run nginx2 --image=nginx -n dev2
pod/nginx2 created

3) Display the Nginx pods under Both namespaces:

controlplane $ kubectl get all -n dev1 -o wide 
NAME         READY   STATUS    RESTARTS   AGE   IP            NODE     NOMINATED NODE   READINESS GATES
pod/nginx1   1/1     Running   0          38s   192.168.1.4   node01   <none>           <none>

controlplane $ kubectl get all -n dev2 -o wide 
NAME         READY   STATUS    RESTARTS   AGE   IP            NODE     NOMINATED NODE   READINESS GATES
pod/nginx2   1/1     Running   0          21s   192.168.1.5   node01   <none>           <none>

4) Without a NetworkPolicy: communication between pods in the two namespaces is allowed. By default every pod can reach every other pod in the cluster, regardless of namespace.

controlplane $ kubectl exec -n dev1 nginx1 -- curl 192.168.1.5

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   615  100   615    0     0   208k      0 --:--:-- --:--:-- --:--:--  300k

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

5) Implementation of Network Policy:

CASE1: A default-deny ingress NetworkPolicy on the dev2 namespace. The empty podSelector ({}) selects every pod in dev2, and policyTypes: [Ingress] with no ingress rules means no inbound connection is accepted, not even from other pods in dev2. Egress is not listed in policyTypes, so outbound traffic from dev2 pods is unaffected.

controlplane $ cat << EOF | kubectl apply -f -
> apiVersion: networking.k8s.io/v1
> kind: NetworkPolicy
> metadata:
>   name: deny-all
>   namespace: dev2
> spec:
>   podSelector: {}
>   policyTypes:
>   - Ingress
> EOF

controlplane $ kubectl get networkpolicy -n dev2
NAME       POD-SELECTOR   AGE
deny-all   <none>         9s

CASE1 Result: the policy drops the packets rather than rejecting them, so curl hangs until its connect timeout. When testing policies, give curl a short timeout (for example curl -m 5) so a deny shows up quickly:

controlplane $ kubectl exec -n dev1 nginx1 -- curl 192.168.1.5
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:02:10 --:--:--     0

curl: (28) Failed to connect to 192.168.1.5 port 80 after 130314 ms: Couldn't connect to server.


CASE2: Add a second NetworkPolicy on the dev2 namespace that allows ingress only from the dev1 namespace on TCP port 80. The deny-all policy from CASE1 stays in place; NetworkPolicies are additive (a pod is isolated as soon as any policy selects it, and a connection is accepted if any policy allows it), so this policy opens only the listed path. policyTypes is omitted here, which defaults to Ingress because the policy has an ingress stanza. The kubernetes.io/metadata.name label is set automatically on every namespace on Kubernetes 1.21 and later; on older clusters label the namespace yourself. Because the rule uses a namespaceSelector alone, every pod in dev1 is allowed; to restrict it to particular pods, add a podSelector inside the same `from` entry (a separate entry would be OR-ed with the first, not AND-ed).

cat << EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kube-demo
  namespace: dev2
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: dev1
    ports:
    - protocol: TCP
      port: 80
EOF

CASE2 Result: the request from dev1 now succeeds, while the deny-all policy continues to block everything else. To confirm the allow is scoped, repeat the curl from a pod in a namespace other than dev1, or against a port other than 80; it should time out as in CASE1.

controlplane $ kubectl exec -n dev1 nginx1 -- curl 192.168.1.5
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   615  100   615    0     0   303k      0 --:--:-- --:--:-- --:--:--  600k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
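The two cases above are easiest to reason about once the decision rule is written down. The following is an added example, not code from the original post nor from Kubernetes or Calico: a small offline model of the NetworkPolicy ingress decision, run against the deny-all and kube-demo policies exactly as written above. The pod IPs and labels mirror the article; the extra `client` pod in the `default` namespace, and the `NAMESPACES`, `PODS`, `ingress_allowed` and `demo` names, are assumptions added for the example. Egress, named ports and matchExpressions are deliberately left out.

```python
"""Offline model of the Kubernetes NetworkPolicy ingress decision.
Added example; not code from the original post, Kubernetes or Calico. Ingress
only: egress, named ports and matchExpressions are deliberately not modelled."""
import ipaddress

# Constructed cluster state. The namespace label is the one Kubernetes 1.21+
# sets automatically; the `client` pod in `default` is an assumption added
# to show that the CASE2 allow is scoped to dev1.
NAMESPACES = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("dev1", "dev2", "default")}
PODS = {
    "nginx1": {"namespace": "dev1", "labels": {"run": "nginx1"}, "ip": "192.168.1.4"},
    "nginx2": {"namespace": "dev2", "labels": {"run": "nginx2"}, "ip": "192.168.1.5"},
    "client": {"namespace": "default", "labels": {"run": "client"}, "ip": "192.168.1.6"},
}

# The two policies from the article, as the API server stores them.
DENY_ALL = {"metadata": {"name": "deny-all", "namespace": "dev2"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
KUBE_DEMO = {"metadata": {"name": "kube-demo", "namespace": "dev2"},
             "spec": {"podSelector": {}, "ingress": [{
                 "from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "dev1"}}}],
                 "ports": [{"protocol": "TCP", "port": 80}]}]}}


def selector_matches(selector, labels):
    """matchLabels is an AND over keys; the empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns):
    """One entry of a rule's `from` list: namespaceSelector and podSelector in
    the same entry are ANDed, and ipBlock is an alternative to both."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(src["ip"])
        if ip not in ipaddress.ip_network(peer["ipBlock"]["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(c) for c in peer["ipBlock"].get("except", []))
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, NAMESPACES[src["namespace"]]):
            return False
    elif src["namespace"] != policy_ns:
        return False  # a podSelector on its own only reaches the policy's own namespace
    return pod_sel is None or selector_matches(pod_sel, src["labels"])


def port_matches(ports, protocol, port):
    """Absent or empty `ports` means every port; otherwise any listed entry."""
    if not ports:
        return True
    for p in ports:
        if p.get("protocol", "TCP") != protocol:
            continue
        if p.get("port") is None or p["port"] <= port <= p.get("endPort", p["port"]):
            return True  # protocol without a port means all ports of that protocol
    return False


def ingress_allowed(policies, src_name, dst_name, port, protocol="TCP"):
    """True if src -> dst:port is admitted. A pod is isolated for ingress once any
    policy in its namespace selects it with Ingress in policyTypes (explicit, or
    implied when policyTypes is omitted); it then accepts a connection only if some
    rule of some selecting policy matches both peer and port. Policies only add allows."""
    src, dst = PODS[src_name], PODS[dst_name]
    isolated = False
    for pol in policies:
        spec, ns = pol["spec"], pol["metadata"]["namespace"]
        if ns != dst["namespace"] or not selector_matches(spec["podSelector"], dst["labels"]):
            continue
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if "Ingress" not in types:
            continue
        isolated = True
        for rule in spec.get("ingress", []):  # no rules at all: nothing is allowed
            peers = rule.get("from")
            if (not peers or any(peer_matches(p, src, ns) for p in peers)) \
                    and port_matches(rule.get("ports"), protocol, port):
                return True
    return not isolated


def demo():
    """The article's states, plus the negative checks the page does not show."""
    both = [DENY_ALL, KUBE_DEMO]
    return {
        "no policy, dev1 -> dev2:80": ingress_allowed([], "nginx1", "nginx2", 80),
        "CASE1, dev1 -> dev2:80": ingress_allowed([DENY_ALL], "nginx1", "nginx2", 80),
        "CASE2, dev1 -> dev2:80": ingress_allowed(both, "nginx1", "nginx2", 80),
        "CASE2, dev1 -> dev2:443": ingress_allowed(both, "nginx1", "nginx2", 443),
        "CASE2, default -> dev2:80": ingress_allowed(both, "client", "nginx2", 80),
        "CASE2, dev2 -> dev2:80": ingress_allowed(both, "nginx2", "nginx2", 80),
        "CASE2, dev2 -> dev1:80": ingress_allowed(both, "nginx2", "nginx1", 80),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:28} {'ALLOW' if ok else 'DENY'}")
```

Running it reproduces the three outcomes shown on the page and also prints the checks the page leaves out: with both policies applied, dev1 cannot reach dev2 on 443, a pod in default cannot reach dev2 at all, dev2 pods cannot even reach each other, while dev2 to dev1 stays open because dev1 has no policy. The model is for reasoning only; the real test is still `kubectl exec ... curl` against the live cluster, since the CNI is what actually enforces the rules.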