An effective network security rule starts with denying all traffic by default unless explicitly allowed. This is how firewalls work. By default, Kubernetes regards any pod that is not selected by a NetworkPolicy as “non-isolated”. This means all ingress and egress traffic is allowed. So, a good foundation is to deny all traffic by default unless a NetworkPolicy rule defines which connections should pass. A NetworkPolicy definition for denying all ingress traffic may look like this:
git clone https://github.com/collabnix/kubelabs.git
cd kubelabs/Network_Policies101/
- We’ll use a new namespace for this guide. Run the following commands to create it and a plain nginx service listening on port 80.
kubectl create ns network-policy-demo
kubectl run --namespace=network-policy-demo nginx --replicas=2 --image=nginx
kubectl expose --namespace=network-policy-demo deployment nginx --port=80
- Create the busy box pod to test policy access.
[node1 ~]$ kubectl run --generator=run-pod/v1 --namespace=network-policy-demo access --rm -ti --image busybox /bin/sh
If you don't see a command prompt, try pressing enter.
/ #
- Now from within the busybox “access” pod execute the following command to test access to the nginx service.
wget -q --timeout=5 nginx -O -
It should return the HTML of the nginx welcome page.
- Still within the busybox “access” pod, issue the following command to test access to google.com.
wget -q --timeout=5 google.com -O -
It should return the HTML of the google.com home page.
kubectl apply -f default-deny-ingress.yaml
Because all pods in the namespace are now selected, any ingress traffic which is not explicitly allowed by a policy will be denied.
We can see that this is the case by switching over to our “access” pod in the namespace and attempting to access the nginx service.
kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh
/ # wget -q --timeout=5 nginx -O -
wget: download timed out
/ #
Next, try to access google.com.
wget -q --timeout=5 google.com -O -
<!doctype html><html itemscope="" itemt
We can see that the ingress access to the nginx service is denied while egress access to outbound internet is still allowed.
- Cleanup step
You can clean up after this tutorial by deleting the network-policy-demo namespace.
kubectl delete ns network-policy-demo