Network Security Policies
Deny all inbound traffic to a pod
Step1. Create a namespace called development to run this lab.
Step2. Create an example back-end pod that runs NGINX This back-end pod can be used to simulate a sample back-end web-based application.
Create this pod in the development namespace, and open port 80 to serve web traffic.
Label the pod with app=webapp,role=backend so that we can target it with a network policy.
Step3. Create another pod and attach a terminal session to test that you can successfully reach the default NGINX webpage:
Step4. At the shell prompt, use wget to confirm that you can access the default NGINX webpage:
Step5. Exit out of the attached terminal session. The test pod is automatically deleted.
Create and apply a network policy
Step6. Apply the network policy by using the kubectl apply command and specify the name of your YAML manifest:
Test the network policy
Let's see if you can use the NGINX webpage on the back-end pod again.
Step7. Create another test pod and attach a terminal session:
At the shell prompt, use wget to see if you can access the default NGINX webpage.
This time, set a timeout value to 2 seconds.
Step8. The network policy now blocks all inbound traffic, so the page can't be loaded, as shown in the following example:
Step9. Exit out of the attached terminal session. The test pod is automatically deleted.
Allow inbound traffic based on a pod label
Step10. Update the network policy to allow traffic from pods with the labels app:webapp,role:frontend and in any namespace
Step11. Schedule a pod that is labeled as app=webapp,role=frontend and attach a terminal session:
Step12. At the shell prompt, use wget to see if you can access the default NGINX webpage:
Because the ingress rule allows traffic with pods that have the labels app: webapp,role: frontend, the traffic from the front-end pod is allowed.
Step13. Exit out of the attached terminal session. The pod is automatically deleted.
Test a pod without a matching label
The network policy allows traffic from pods labeled app: webapp,role: frontend, but should deny all other traffic.
Let's test to see whether another pod without those labels can access the back-end NGINX pod.
Step14. Create another test pod and attach a terminal session:
At the shell prompt, use wget to see if you can access the default NGINX webpage.
Step15. The network policy blocks the inbound traffic, so the page can't be loaded, as shown in the following example:
Step16. Exit out of the attached terminal session. The test pod is automatically deleted.
Allow traffic only from within a defined namespace
Step17. First, create a new namespace to simulate a production namespace:
Create a POd in Production NameSpace
Step18. At the shell prompt, use wget to confirm that you can access the default NGINX webpage:
Because the labels for the pod match what is currently permitted in the network policy, the traffic is allowed.
The network policy doesn't look at the namespaces, only the pod labels
Step19. Exit out of the attached terminal session. The test pod is automatically deleted.
Allow Traffic in Between NameSpaces
Step20. Let's update the ingress rule namespaceSelector section to only allow traffic from within the development namespace.
Test the updated network policy
Step21. Schedule another pod in the production namespace and attach a terminal session:
Step22. At the shell prompt, use wget to see that the network policy now denies traffic:
Step23. Exit out of the test pod:
Step24. With traffic denied from the production namespace, schedule a test pod back in the development namespace and attach a terminal session:
Step25. At the shell prompt, use wget to see that the network policy allows the traffic:
Traffic is allowed because the pod is scheduled in the namespace that matches what's permitted in the network policy.
Step26. Exit out of the attached terminal session. The test pod is automatically deleted.
Clean up resources
To clean up these resources, use the kubectl delete command and specify the resource names:
Last updated