Network Security Policies
Deny all inbound traffic to a pod
Step1. Create a namespace called development to run this lab.
kubectl create namespace developmentkubectl label namespace/development purpose=developmentStep2. Create an example back-end pod that runs NGINX This back-end pod can be used to simulate a sample back-end web-based application.
Create this pod in the development namespace, and open port 80 to serve web traffic.
Label the pod with app=webapp,role=backend so that we can target it with a network policy.
kubectl run backend --image=mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine --labels app=webapp,role=backend --namespace development --expose --port 80Step3. Create another pod and attach a terminal session to test that you can successfully reach the default NGINX webpage:
kubectl run frontend -it --image=busybox --restart=Never --rm --namespace developmentStep4. At the shell prompt, use wget to confirm that you can access the default NGINX webpage:
wget -qO- http://backendStep5. Exit out of the attached terminal session. The test pod is automatically deleted.
exitCreate and apply a network policy
Step6. Apply the network policy by using the kubectl apply command and specify the name of your YAML manifest:
kubectl apply -f https://raw.githubusercontent.com/nishanthkumarpathi/k8s-calico-istio-training/main/calico/ns-policies/backend-policy-deny.yamlTest the network policy
Let's see if you can use the NGINX webpage on the back-end pod again.
Step7. Create another test pod and attach a terminal session:
kubectl run frontend -it --image=busybox --restart=Never --rm --namespace developmentAt the shell prompt, use wget to see if you can access the default NGINX webpage.
This time, set a timeout value to 2 seconds.
Step8. The network policy now blocks all inbound traffic, so the page can't be loaded, as shown in the following example:
wget -O- --timeout=2 --tries=1 http://backendStep9. Exit out of the attached terminal session. The test pod is automatically deleted.
exitAllow inbound traffic based on a pod label
Step10. Update the network policy to allow traffic from pods with the labels app:webapp,role:frontend and in any namespace
kubectl apply -f https://raw.githubusercontent.com/nishanthkumarpathi/k8s-calico-istio-training/main/calico/ns-policies/backend-policy-inbound-pod-label.yamlStep11. Schedule a pod that is labeled as app=webapp,role=frontend and attach a terminal session:
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace developmentStep12. At the shell prompt, use wget to see if you can access the default NGINX webpage:
wget -qO- http://backendBecause the ingress rule allows traffic with pods that have the labels app: webapp,role: frontend, the traffic from the front-end pod is allowed.
Step13. Exit out of the attached terminal session. The pod is automatically deleted.
exitTest a pod without a matching label
The network policy allows traffic from pods labeled app: webapp,role: frontend, but should deny all other traffic.
Let's test to see whether another pod without those labels can access the back-end NGINX pod.
Step14. Create another test pod and attach a terminal session:
kubectl run --rm -it --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 network-policy --namespace developmentAt the shell prompt, use wget to see if you can access the default NGINX webpage.
Step15. The network policy blocks the inbound traffic, so the page can't be loaded, as shown in the following example:
wget -O- --timeout=2 --tries=1 http://backendStep16. Exit out of the attached terminal session. The test pod is automatically deleted.
Allow traffic only from within a defined namespace
Step17. First, create a new namespace to simulate a production namespace:
kubectl create namespace productionkubectl label namespace/production purpose=productionCreate a POd in Production NameSpace
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace productionStep18. At the shell prompt, use wget to confirm that you can access the default NGINX webpage:
wget -qO- http://backend.developmentBecause the labels for the pod match what is currently permitted in the network policy, the traffic is allowed.
The network policy doesn't look at the namespaces, only the pod labels
Step19. Exit out of the attached terminal session. The test pod is automatically deleted.
exitAllow Traffic in Between NameSpaces
Step20. Let's update the ingress rule namespaceSelector section to only allow traffic from within the development namespace.
kubectl apply -f https://raw.githubusercontent.com/nishanthkumarpathi/k8s-calico-istio-training/main/calico/ns-policies/backend-policy-namespace.yamlTest the updated network policy
Step21. Schedule another pod in the production namespace and attach a terminal session:
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace productionStep22. At the shell prompt, use wget to see that the network policy now denies traffic:
wget -O- --timeout=2 --tries=1 http://backend.developmentStep23. Exit out of the test pod:
exitStep24. With traffic denied from the production namespace, schedule a test pod back in the development namespace and attach a terminal session:
kubectl run --rm -it frontend --image=mcr.microsoft.com/aks/fundamental/base-ubuntu:v0.0.11 --labels app=webapp,role=frontend --namespace developmentStep25. At the shell prompt, use wget to see that the network policy allows the traffic:
wget -qO- http://backendTraffic is allowed because the pod is scheduled in the namespace that matches what's permitted in the network policy.
Step26. Exit out of the attached terminal session. The test pod is automatically deleted.
exitClean up resources
To clean up these resources, use the kubectl delete command and specify the resource names:
kubectl delete namespace productionkubectl delete namespace developmentLast updated
Was this helpful?