This document helps you get started using the Kubernetes NetworkPolicy API to declare network policies that govern how pods communicate with each other.
You’ll need to have a Kubernetes cluster in place, with network policy support. There are a number of network providers that support NetworkPolicy, including:
Note: The above list is sorted alphabetically by product name, not by recommendation or preference. This example is valid for a Kubernetes cluster using any of these providers.
Create an nginx deployment and expose it via a service

To see how Kubernetes network policy works, start off by creating an nginx deployment and exposing it via a service.
$ kubectl run nginx --image=nginx --replicas=2
deployment "nginx" created
$ kubectl expose deployment nginx --port=80
service "nginx" exposed
This runs two nginx pods in the default namespace, and exposes them through a service called nginx.
$ kubectl get svc,pod
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc/kubernetes 10.100.0.1 <none> 443/TCP 46m
svc/nginx 10.100.0.16 <none> 80/TCP 33s
NAME READY STATUS RESTARTS AGE
po/nginx-701339712-e0qfq 1/1 Running 0 35s
po/nginx-701339712-o00ef 1/1 Running 0 35s
You should be able to access the new nginx service from other pods. To test, access the service from another pod in the default namespace. Make sure you haven’t enabled isolation on the namespace.

Start a busybox container, and use wget on the nginx service:
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ #
Limit access to the nginx service

Let’s say you want to limit access to the nginx service so that only pods with the label access: true can query it. The first step is to enable ingress isolation on the default namespace. This prevents any pods from accessing the nginx service.
$ kubectl annotate ns default "net.beta.kubernetes.io/network-policy={\"ingress\": {\"isolation\": \"DefaultDeny\"}}"
Test to see that with ingress isolation in place, you no longer have access to the nginx service:
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
wget: download timed out
/ #
Next, create a NetworkPolicy that allows connections from pods with the label access: true.
kind: NetworkPolicy
apiVersion: extensions/v1beta1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
    - from:
      - podSelector:
          matchLabels:
            access: "true"
Use kubectl to create a NetworkPolicy from the above nginx-policy.yaml file:
$ kubectl create -f nginx-policy.yaml
networkpolicy "access-nginx" created
If we attempt to access the nginx Service from a pod without the correct labels, the request will still time out:
$ kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
wget: download timed out
/ #
Create a pod with the correct labels, and you’ll see that the request is allowed:
$ kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ #
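As an added illustration of the semantics walked through above (this is not code from the Kubernetes docs): a small offline evaluator of the ingress decision, covering the DefaultDeny namespace annotation and the access-nginx policy. The busybox pod names, and the restriction to matchLabels selectors and podSelector peers, are assumptions made for the example.

```python
import json

# Constructed inputs mirroring the page: the two nginx pods plus a plain and a
# labelled busybox pod, all in the default namespace (pod name -> labels).
PODS = {
    "nginx-701339712-e0qfq": {"run": "nginx"},
    "nginx-701339712-o00ef": {"run": "nginx"},
    "busybox-plain": {"run": "busybox"},
    "busybox-labelled": {"run": "busybox", "access": "true"},
}

# Value of the net.beta.kubernetes.io/network-policy annotation set on the page.
NS_ANNOTATION = '{"ingress": {"isolation": "DefaultDeny"}}'

# nginx-policy.yaml from the page, written out as the equivalent Python structure.
ACCESS_NGINX = {
    "metadata": {"name": "access-nginx"},
    "spec": {
        "podSelector": {"matchLabels": {"run": "nginx"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}],
    },
}

def selector_matches(selector, labels):
    """matchLabels semantics: every selector key/value must be present on the pod.
    An empty selector ({}) matches every pod (assumed; only matchLabels is handled)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def namespace_isolated(annotation):
    """True when the annotation requests ingress isolation (DefaultDeny)."""
    if not annotation:
        return False
    return json.loads(annotation).get("ingress", {}).get("isolation") == "DefaultDeny"

def ingress_allowed(src, dst, policies, annotation):
    """Return True if pod `src` may open a connection to pod `dst`."""
    if not namespace_isolated(annotation):
        return True  # no isolation: everything is reachable, as in the first wget test
    for policy in policies:
        spec = policy["spec"]
        if not selector_matches(spec["podSelector"], PODS[dst]):
            continue  # this policy does not select the destination pod
        for rule in spec.get("ingress", []):
            if not rule.get("from"):
                return True  # an empty "from" list admits all sources
            for peer in rule["from"]:
                if "podSelector" in peer and selector_matches(peer["podSelector"], PODS[src]):
                    return True
    return False  # isolated, and no policy admits the source pod
```

Running ingress_allowed for the plain and labelled busybox pods against an nginx pod reproduces the timed-out and successful wget results shown above.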
Learn more about kubectl proxy.