# Network Security Policies

### Deny all inbound traffic to a pod

Step 1. Create a namespace called development to run this lab.

```bash
kubectl create namespace development
```

```bash
kubectl label namespace/development purpose=development
```

Step 2. Create an example back-end pod that runs NGINX. This back-end pod simulates a sample back-end web application.

Create this pod in the development namespace, and open port 80 to serve web traffic.

Label the pod with app=webapp,role=backend so that we can target it with a network policy.

```bash
kubectl run backend --image=mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine --labels app=webapp,role=backend --namespace development --expose --port 80
```

Step 3. Create another pod and attach a terminal session to test that you can successfully reach the default NGINX webpage:

```bash
kubectl run frontend -it --image=busybox --restart=Never --rm --namespace development
```

Step 4. At the shell prompt, use wget to confirm that you can access the default NGINX webpage:

```bash
wget -qO- http://backend
```

Step 5. Exit out of the attached terminal session. The test pod is automatically deleted.

```bash
exit
```

### Create and apply a network policy

Step 6. Apply the network policy by using the kubectl apply command and specifying the URL of the YAML manifest:

```bash
kubectl apply -f https://raw.githubusercontent.com/nishanthkumarpathi/k8s-calico-istio-training/main/calico/ns-policies/backend-policy-deny.yaml
```
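The page applies the manifest from the repository URL without showing its contents. The following manifest is an added example written for this page, not the file at that URL; it is reconstructed from the behaviour the text describes: it selects the back-end pod by its labels and, because the ingress list is empty, denies every inbound connection to it. The policy name backend-policy is an assumption, as the page does not state it.

```yaml
# Added example: a reconstruction of what the deny-all step expresses,
# not the repository's own backend-policy-deny.yaml.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: backend-policy        # assumed name; the page does not state it
  namespace: development      # a NetworkPolicy only selects pods in its own namespace
spec:
  # Which pods the policy applies to: the NGINX back-end created in Step 2.
  podSelector:
    matchLabels:
      app: webapp
      role: backend
  # Listing Ingress as a policy type while leaving the ingress rules empty
  # means "no inbound traffic is allowed", which is what Steps 7-8 observe.
  policyTypes:
  - Ingress
  ingress: []
```

After applying it, kubectl describe networkpolicy backend-policy -n development should report that the selected pods are isolated for ingress connectivity and that egress is not affected, since only Ingress is listed under policyTypes. Two things worth checking in practice: a NetworkPolicy object is accepted by the API server on any cluster, but it is only enforced when the CNI plugin implements it (Calico in this lab), so the failed wget in Step 8 is the real evidence that enforcement is working; and changing podSelector to {} would turn this into a default-deny for every pod in the namespace rather than just the back-end.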

### Test the network policy

Let's see if you can use the NGINX webpage on the back-end pod again.

Step 7. Create another test pod and attach a terminal session:

```bash
kubectl run frontend -it --image=busybox --restart=Never --rm --namespace development
```

At the shell prompt, use wget to see if you can access the default NGINX webpage. This time, set a timeout value of 2 seconds.

Step 8. The network policy now blocks all inbound traffic, so the page can't be loaded, as shown in the following example:

```bash
wget -O- --timeout=2 --tries=1 http://backend
```

Step 9. Exit out of the attached terminal session. The test pod is automatically deleted.

```bash
exit
```

### Allow inbound traffic based on a pod label

Step 10. Update the network policy to allow traffic from pods with the labels app=webapp,role=frontend in any namespace:

```bash
kubectl apply -f https://raw.githubusercontent.com/nishanthkumarpathi/k8s-calico-istio-training/main/calico/ns-policies/backend-policy-inbound-pod-label.yaml
```
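As with the deny policy, the manifest at the URL is not reproduced on the page. The manifest below is an added example, not the repository's file; it is reconstructed from Step 10 and from the result observed later in Step 18, where a front-end pod in a different namespace is still admitted. The policy name is again an assumption.

```yaml
# Added example: reconstruction of the pod-label rule described in Step 10,
# not the repository's backend-policy-inbound-pod-label.yaml.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: backend-policy        # assumed name
  namespace: development
spec:
  podSelector:
    matchLabels:
      app: webapp
      role: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector inside ONE list item are ANDed:
    # "pods with these labels, in a namespace matching this selector".
    # An empty namespaceSelector matches every namespace, which is why the
    # front-end pod created in the production namespace (Step 18) is admitted.
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: webapp
          role: frontend
```

The empty namespaceSelector is what makes the rule cross namespaces: a podSelector on its own in a from entry only matches pods in the policy's own namespace (development here), and a pod in production would be rejected. Also keep in mind what a label-based allow actually trusts: any principal with RBAC permission to create or relabel pods can present app=webapp,role=frontend, so the rule is only as strong as the controls on pod creation and labeling in the cluster.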

Step 11. Schedule a pod that is labeled as app=webapp,role=frontend and attach a terminal session:

```bash
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace development
```

Step 12. At the shell prompt, use wget to see if you can access the default NGINX webpage:

```bash
wget -qO- http://backend
```

Because the ingress rule allows traffic from pods that have the labels app=webapp,role=frontend, the traffic from the front-end pod is allowed.

Step 13. Exit out of the attached terminal session. The pod is automatically deleted.

```bash
exit
```

### Test a pod without a matching label

The network policy allows traffic from pods labeled app=webapp,role=frontend, but should deny all other traffic.

Let's test to see whether another pod without those labels can access the back-end NGINX pod.

Step 14. Create another test pod and attach a terminal session:

```bash
kubectl run --rm -it --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 network-policy --namespace development
```

At the shell prompt, use wget to see if you can access the default NGINX webpage.

Step 15. The network policy blocks the inbound traffic, so the page can't be loaded, as shown in the following example:

```bash
wget -O- --timeout=2 --tries=1 http://backend
```

Step 16. Exit out of the attached terminal session. The test pod is automatically deleted.

### Allow traffic only from within a defined namespace

Step 17. First, create a new namespace to simulate a production namespace:

```bash
kubectl create namespace production
```

```bash
kubectl label namespace/production purpose=production
```

Create a front-end pod in the production namespace, labeled app=webapp,role=frontend, and attach a terminal session:

```bash
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace production
```

Step 18. At the shell prompt, use wget to confirm that you can access the default NGINX webpage:

```bash
wget -qO- http://backend.development
```

Because the pod's labels match what the network policy currently permits, the traffic is allowed.

This version of the policy doesn't restrict the source namespace; only the pod labels are checked.

Step 19. Exit out of the attached terminal session. The test pod is automatically deleted.

```bash
exit
```

### Restrict traffic between namespaces

Step 20. Let's update the ingress rule's namespaceSelector section so that it only allows traffic from within the development namespace.

```bash
kubectl apply -f https://raw.githubusercontent.com/nishanthkumarpathi/k8s-calico-istio-training/main/calico/ns-policies/backend-policy-namespace.yaml
```
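The updated manifest is also not shown on the page. The one below is an added example rather than the repository's file; it keeps the structure of the pod-label rule and narrows the namespaceSelector. It assumes the rule keys on the purpose=development label that Step 1 put on the namespace, which the page does not state explicitly, and the policy name is again assumed.

```yaml
# Added example: reconstruction of the namespace-restricted rule in Step 20,
# not the repository's backend-policy-namespace.yaml. Assumes the rule
# matches the purpose=development namespace label applied in Step 1.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: backend-policy        # assumed name
  namespace: development
spec:
  podSelector:
    matchLabels:
      app: webapp
      role: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Same list item, so both selectors must match the source pod:
    # only front-end pods whose namespace carries purpose=development are
    # admitted; the identically labeled pod in production (Step 22) is not.
    - namespaceSelector:
        matchLabels:
          purpose: development
      podSelector:
        matchLabels:
          app: webapp
          role: frontend
```

The indentation here is the part to review carefully. If podSelector is written as its own list item (a second "-" under from), the two selectors become an OR: every pod in any namespace labeled purpose=development is then allowed regardless of its labels, which is far broader than intended, and nothing in kubectl apply will flag it. A quick check is kubectl describe networkpolicy backend-policy -n development, which prints the from entries as the API server parsed them. Note too that namespace labels are mutable: anyone with RBAC permission to label namespaces can attach purpose=development to another namespace, so that permission should be treated as part of the policy's trust boundary.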

### Test the updated network policy

Step 21. Schedule another pod in the production namespace and attach a terminal session:

```bash
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace production
```

Step 22. At the shell prompt, use wget to see that the network policy now denies traffic:

```bash
wget -O- --timeout=2 --tries=1 http://backend.development
```

Step 23. Exit out of the test pod:

```bash
exit
```

Step 24. With traffic denied from the production namespace, schedule a test pod back in the development namespace and attach a terminal session:

```bash
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace development
```

Step 25. At the shell prompt, use wget to see that the network policy allows the traffic:

```bash
wget -qO- http://backend
```

Traffic is allowed because the pod is scheduled in the namespace that matches what's permitted in the network policy.

Step 26. Exit out of the attached terminal session. The test pod is automatically deleted.

```bash
exit
```

### Clean up resources

To clean up these resources, use the kubectl delete command and specify the resource names:

```bash
kubectl delete namespace production
```

```bash
kubectl delete namespace development
```

