Network Security Policies
Deny all inbound traffic to a pod
Step1. Create a namespace called development to run this lab.
kubectl create namespace development
kubectl label namespace/development purpose=development
Step2. Create an example back-end pod that runs NGINX This back-end pod can be used to simulate a sample back-end web-based application.
Create this pod in the development namespace, and open port 80 to serve web traffic.
Label the pod with app=webapp,role=backend so that we can target it with a network policy.
kubectl run backend --image=mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine --labels app=webapp,role=backend --namespace development --expose --port 80
Step3. Create another pod and attach a terminal session to test that you can successfully reach the default NGINX webpage:
kubectl run frontend -it --image=busybox --restart=Never --rm --namespace development
Step4. At the shell prompt, use wget to confirm that you can access the default NGINX webpage:
wget -qO- http://backend
Step5. Exit out of the attached terminal session. The test pod is automatically deleted.
exit
Create and apply a network policy
Step6. Apply the network policy by using the kubectl apply command and specify the name of your YAML manifest:
kubectl apply -f https://raw.githubusercontent.com/nishanthkumarpathi/k8s-calico-istio-training/main/calico/ns-policies/backend-policy-deny.yaml
Test the network policy
Let's see if you can use the NGINX webpage on the back-end pod again.
Step7. Create another test pod and attach a terminal session:
kubectl run frontend -it --image=busybox --restart=Never --rm --namespace development
At the shell prompt, use wget to see if you can access the default NGINX webpage.
This time, set a timeout value to 2 seconds.
Step8. The network policy now blocks all inbound traffic, so the page can't be loaded, as shown in the following example:
wget -O- --timeout=2 --tries=1 http://backend
Step9. Exit out of the attached terminal session. The test pod is automatically deleted.
exit
Allow inbound traffic based on a pod label
Step10. Update the network policy to allow traffic from pods with the labels app:webapp,role:frontend and in any namespace
kubectl apply -f https://raw.githubusercontent.com/nishanthkumarpathi/k8s-calico-istio-training/main/calico/ns-policies/backend-policy-inbound-pod-label.yaml
Step11. Schedule a pod that is labeled as app=webapp,role=frontend and attach a terminal session:
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace development
Step12. At the shell prompt, use wget to see if you can access the default NGINX webpage:
wget -qO- http://backend
Because the ingress rule allows traffic with pods that have the labels app: webapp,role: frontend, the traffic from the front-end pod is allowed.
Step13. Exit out of the attached terminal session. The pod is automatically deleted.
exit
Test a pod without a matching label
The network policy allows traffic from pods labeled app: webapp,role: frontend, but should deny all other traffic.
Let's test to see whether another pod without those labels can access the back-end NGINX pod.
Step14. Create another test pod and attach a terminal session:
kubectl run --rm -it --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 network-policy --namespace development
At the shell prompt, use wget to see if you can access the default NGINX webpage.
Step15. The network policy blocks the inbound traffic, so the page can't be loaded, as shown in the following example:
wget -O- --timeout=2 --tries=1 http://backend
Step16. Exit out of the attached terminal session. The test pod is automatically deleted.
Allow traffic only from within a defined namespace
Step17. First, create a new namespace to simulate a production namespace:
kubectl create namespace production
kubectl label namespace/production purpose=production
Create a POd in Production NameSpace
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace production
Step18. At the shell prompt, use wget to confirm that you can access the default NGINX webpage:
wget -qO- http://backend.development
Because the labels for the pod match what is currently permitted in the network policy, the traffic is allowed.
The network policy doesn't look at the namespaces, only the pod labels
Step19. Exit out of the attached terminal session. The test pod is automatically deleted.
exit
Allow Traffic in Between NameSpaces
Step20. Let's update the ingress rule namespaceSelector section to only allow traffic from within the development namespace.
kubectl apply -f https://raw.githubusercontent.com/nishanthkumarpathi/k8s-calico-istio-training/main/calico/ns-policies/backend-policy-namespace.yaml
Test the updated network policy
Step21. Schedule another pod in the production namespace and attach a terminal session:
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace production
Step22. At the shell prompt, use wget to see that the network policy now denies traffic:
wget -O- --timeout=2 --tries=1 http://backend.development
Step23. Exit out of the test pod:
exit
Step24. With traffic denied from the production namespace, schedule a test pod back in the development namespace and attach a terminal session:
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace development
Step25. At the shell prompt, use wget to see that the network policy allows the traffic:
wget -qO- http://backend
Traffic is allowed because the pod is scheduled in the namespace that matches what's permitted in the network policy.
Step26. Exit out of the attached terminal session. The test pod is automatically deleted.
exit
Clean up resources
To clean up these resources, use the kubectl delete command and specify the resource names:
kubectl delete namespace production
kubectl delete namespace development
Last updated
Was this helpful?