If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), you might consider using Kubernetes NetworkPolicies for particular applications in your cluster. NetworkPolicies is an application-centric construct that allows you to specify how a pod is allowed to communicate with multiple network “entities” (we use the word “entity” here to avoid overloading more common terms like “endpoints” and “services,” which have Kubernetes-specific connotations) over the network. Network policies apply to a connection to a pod on one or both ends, and are not relevant to other connections.
The entities with which a Pod can communicate are identified through a combination of the following 3 identifiers
:Other pods allowed (exception: a
- pod cannot block access to itself
- Namespaces that are
- IP blocks (exception: traffic to and from the node where a Pod is running is always allowed, regardless of the IP address of the Pod or node)
When defining a pod- or namespace-based NetworkPolicy, a selector is used to specify what traffic is allowed to and from pods that match the selector.
Meanwhile, when creating IP-based network policies, we define policies based on IP blocks (CIDR ranges).
Network policies are implemented by the network plug-in. To use network policies, you must use a network solution that supports NetworkPolicy. Creating a NetworkPolicy resource without a driver implementing it will have no effect.
two types of insulation for a capsule: insulation for the outlet and insulation for the entrance. They refer to the connections that can be established. “Isolation” here is not absolute, but means “some restrictions apply.” The alternative, “not isolated to $direction”, means that no restrictions apply in the indicated direction. The two types of isolation (or not) are declared independently, and both are relevant to a connection from one pod to another.
By default, a pod is not isolated for output; all outbound connections are allowed. A pod is isolated for output if there is any NetworkPolicy that selects the pod and has “Egress” in its policyTypes; We say that such a policy applies to the pod for departure. When a pod is isolated for output, the only connections allowed from the pod are those allowed by the output list of some NetworkPolicy that is applied to the pod for output. The effects of those output lists are combined additively.
By default, a pod is not isolated for input; all incoming connections are allowed. A pod is isolated for input if there is any NetworkPolicy that selects the pod and has “Ingress” in its policyTypes; We say that such a policy applies to the capsule for entry. When a pod is isolated for input, the only connections allowed on the pod are those from the pod node and those allowed by some NetworkPolicy’s input list that applies to the pod for input. The effects of these entry lists are combined additively.
Network policies do not conflict; they are additive. If any policy or policies apply to a particular pod for a particular address, the connections allowed in that direction from that pod are the union of what the applicable policies allow. Therefore, the order of evaluation does not affect the outcome of the policy.
For a connection from a source pod to a destination pod to be allowed, both the output policy of the source pod and the
input policy of the destination pod must allow the connection. If either party does not allow the connection, it will not happen.
NetworkPolicy See the NetworkPolicy
reference for a complete definition of the resource
An example of NetworkPolicy might look like this
Required fields: As with all other Kubernetes configurations, a NetworkPolicy needs apiVersion, kind, and metadata fields. For general information about working with configuration files, see Configure a pod to use a ConfigMap and Object Management.
spec: The NetworkPolicy specification has all the information needed to define a particular network policy in the specified namespace.
podSelector: Each NetworkPolicy includes a podSelector that selects the pod grouping to which the policy applies. The example policy selects pods labeled “role=db”. An empty pod selects all pods in the namespace.
policyTypes: Each NetworkPolicy includes a policyTypes list that can include Ingress, Egress, or both. The policyTypes field indicates whether or not the given policy applies to traffic inbound to the selected pod, outbound traffic to the selected pods, or both. If policyTypes are not specified in a NetworkPolicy, by default Ingress and Egress will always be set if NetworkPolicy has outbound rules.
Ingress: Each NetworkPolicy may include a list of allowed login rules. Each rule allows traffic that matches the source and port sections. The example policy contains a single rule, which matches traffic on a single port, from one of three sources, the first specified through an ipBlock, the second through a namespaceSelector, and the third through a podSelector.
egress: Each NetworkPolicy can include a list of allowed outbound rules. Each rule allows traffic that matches the to and ports sections. The sample policy contains a single rule, which matches traffic on a single port to any destination at 10.0.0.0/24.
Therefore, the NetworkPolicy
:isolates role=db pods sample in the default namespace for inbound
and outbound traffic (if they were not already isolated) (inbound rules)
TCP port 6379 from:
any pod in the default namespace labeled
- role=frontend any pod in a namespace with
- 16 except 172.17.1.0
tag ip addresses in the ranges 172.17.0.0-172.17.0.255 and 172.17.2.0-172.17.255.255 (that is, all 172.17.0.0/
(Outbound Rules) allow connections from any pod in the default namespace labeled role=db to CIDR 10.0.0.0/24 on TCP port 5978
allows connections to all pods in the default namespace with the role=db tag on
See the Declare Network Policy tutorial for more examples.
Behavior of selectors to and from
There are four types of selectors that can be specified in an entry from
section or output
podSelector: This selects particular pods in the same namespace as NetworkPolicy that should be allowed as input sources or output destinations. namespaceSelector
: Selects particular namespaces for which all Pods should be allowed as input sources or output destinations.
namespaceSelector and podSelector: A single entry for/from specifying namespaceSelector and podSelector selects particular Pods within particular namespaces. Be careful to use the correct YAML syntax. For example:
This policy contains a single from element that allows connections from Pods labeled role=client in namespaces labeled user=alice. But the following policy is different:
It contains two elements in the from array and allows connections from Pods in the local namespace with the role=client tag, or from any Pod in any namespace tagged user=alice
When in doubt, use kubectl describes to see how Kubernetes has interpreted the policy.
ipBlock : Selects particular IP CIDR ranges to allow as input sources or output destinations. These must be IPs external to the cluster, as Pod IPs are ephemeral and unpredictable.
Cluster input and output mechanisms often require rewriting the source or destination IP of packets. In cases where this happens, it is not defined whether this happens before or after NetworkPolicy processing, and the behavior may be different for different combinations of network plugin, cloud provider, service deployment, etc.
In the case of input, this means that in some cases you can filter incoming packets based on the actual original source IP, while in other cases, the “source IP” that NetworkPolicy acts on may be the IP of a LoadBalancer or Pod node, etc.
For output, this means that pod-to-service IP connections that are rewritten to external cluster IPs may or may not be subject to ipBlock-based policies.
By default, if no policies exist in a namespace, all inbound and outbound traffic is allowed to and from pods in that namespace. The following examples allow you to change the default behavior in that namespace.
all inbound traffic by default You can create a “default” inbound isolation policy for a
namespace by creating a NetworkPolicy that selects all pods but does not allow any inbound traffic to those
This ensures that even pods that are not selected by any other NetworkPolicy remain isolated for entry. This policy does not affect isolation for the output of any pod.
Allow all inbound traffic
If you want to allow all incoming connections to all pods in a
namespace, you can create a policy that explicitly allows
With this policy in place, no additional policy or policies can cause any incoming connection to those pods to be denied. This policy has no effect on the isolation for the output of any pod.
all outbound traffic by default
You can create a “default” outbound isolation policy for a namespace by creating a NetworkPolicy that selects all pods but does not allow any outbound traffic from those
This ensures that even pods that are not selected by any other NetworkPolicy cannot exit traffic. This policy does not change the input isolation behavior of any pod.
Allow all outbound traffic
If you want to allow all connections from all pods in a namespace, you can create a policy that explicitly allows all outbound connections from
pods in that namespace
With this policy in place, no additional policy or policies can cause any outbound connections from those pods to be denied. This policy has no effect on isolation for entry to any pod.
all inbound and outbound traffic by default
You can create a “default” policy for a namespace that prevents all inbound and outbound traffic by creating the following NetworkPolicy in that namespace
This ensures that even pods that are not selected by any other NetworkPolicy will not be able to enter or exit traffic.
Support As a stable feature, it is enabled by default. To disable SCTP at a cluster level, you (or the cluster administrator) must disable the SCTPSupport feature gate for the API server with -feature-gates=SCTPSupport=false,…. When the feature gateway is enabled, you can set the protocol field of a NetworkPolicy to SCTP.
to a range of ports
When you write a network policy, you can target a range of ports instead of a single port
This can be achieved by using the endPort field, such as the following example:
The above rule allows any Pod with label role=db in the default namespace to communicate with any IP within the 10.0.0.0/24 range over TCP, as long as the destination port is between the range 32000 and 32768.
The following restrictions apply when using this field:
The endPort field must be
- equal to or greater than
- endPort can only be defined if the port is also defined
- Both ports must be numeric
the port field.
Target a namespace by name
The Kubernetes control plane sets an immutable label kubernetes.io/metadata.name across all namespaces. as long as the NamespaceDefaultLabelName feature gate is enabled. The tag value is the name of the namespace.
Although NetworkPolicy cannot target a namespace by name with any object field, it can use the standardized tag to target a specific namespace.
Starting with Kubernetes 1.27, the following functionality does not exist in the NetworkPolicy API, but you may be able to implement workarounds using operating system components (such as SELinux, OpenVSwitch, IPTables, etc.) or layer 7 technologies (ingress controllers, Service Mesh implementations) or intake controllers. In case you’re new to network security in Kubernetes, it’s worth noting that the following user stories can’t be deployed (yet) using the NetworkPolicy API.
- Force internal cluster traffic to pass through a common gateway (this might be best served with
- Anything related to TLS (use a service mesh or input handler for this).
- Node-specific policies (you can use CIDR notation for these, but you can’t target nodes by their Kubernetes identities specifically.)
- Segmentation of services by name (however, you can target pods or namespaces by their labels, which is usually a viable solution).
- Creation or management of “Policy Requests” that are fulfilled by a third party.
- Default policies that apply to all namespaces or pods (there are some third-party Kubernetes distributions and projects that can do this).
- Advanced consultation of accessibility policies and tools.
- The ability to log network security events (for example, blocked or accepted connections).
- to explicitly deny policies (currently the model for NetworkPolicies is deny by default, with only the ability to add permission rules).
- prevent loopback or incoming host traffic (pods cannot currently block access to the local host, nor do they have the ability to block access from their resident node).
a service mesh or other proxy).
The ability to
- Declare Network Policy tutorial for more examples. See more recipes for
- common scenarios enabled by the NetworkPolicy resource.