Declare Network Policy
This document helps you get started using the Kubernetes NetworkPolicy API to declare network policies that govern how pods communicate with each other.
- Before you begin
- Create an
nginxdeployment and expose it via a service - Test the service by accessing it from another Pod
- Limit access to the
nginxservice - Assign the policy to the service
- Test access to the service when access label is not defined
- Define access label and test again
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:
Your Kubernetes server must be at or later than version v1.8.
To check the version, enter kubectl version.
Make sure you’ve configured a network provider with network policy support. There are a number of network providers that support NetworkPolicy, including:
Note: The above list is sorted alphabetically by product name, not by recommendation or preference. This example is valid for a Kubernetes cluster using any of these providers.
Create an nginx deployment and expose it via a service
To see how Kubernetes network policy works, start off by creating an nginx Deployment.
kubectl create deployment nginx --image=nginxdeployment.apps/nginx createdExpose the Deployment through a Service called nginx.
kubectl expose deployment nginx --port=80service/nginx exposedThe above commands create a Deployment with an nginx Pod and expose the Deployment through a Service named nginx. The nginx Pod and Deployment are found in the default namespace.
kubectl get svc,podNAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes 10.100.0.1 <none> 443/TCP 46m
service/nginx 10.100.0.16 <none> 80/TCP 33s
NAME READY STATUS RESTARTS AGE
pod/nginx-701339712-e0qfq 1/1 Running 0 35sTest the service by accessing it from another Pod
You should be able to access the new nginx service from other Pods. To access the nginx Service from another Pod in the default namespace, start a busybox container:
kubectl run --generator=run-pod/v1 busybox --rm -ti --image=busybox -- /bin/shIn your shell, run the following command:
wget --spider --timeout=1 nginxConnecting to nginx (10.100.0.16:80)
remote file existsLimit access to the nginx service
To limit the access to the nginx service so that only Pods with the label access: true can query it, create a NetworkPolicy object as follows:
service/networking/nginx-policy.yaml
|
|---|
|
The name of a NetworkPolicy object must be a valid DNS subdomain name.
Note: NetworkPolicy includes apodSelectorwhich selects the grouping of Pods to which the policy applies. You can see this policy selects Pods with the labelapp=nginx. The label was automatically added to the Pod in thenginxDeployment. An emptypodSelectorselects all pods in the namespace.
Assign the policy to the service
Use kubectl to create a NetworkPolicy from the above nginx-policy.yaml file:
kubectl apply -f https://k8s.io/examples/service/networking/nginx-policy.yamlnetworkpolicy.networking.k8s.io/access-nginx createdTest access to the service when access label is not defined
When you attempt to access the nginx Service from a Pod without the correct labels, the request times out:
kubectl run --generator=run-pod/v1 busybox --rm -ti --image=busybox -- /bin/shIn your shell, run the command:
wget --spider --timeout=1 nginxConnecting to nginx (10.100.0.16:80)
wget: download timed outDefine access label and test again
You can create a Pod with the correct labels to see that the request is allowed:
kubectl run --generator=run-pod/v1 busybox --rm -ti --labels="access=true" --image=busybox -- /bin/shIn your shell, run the command:
wget --spider --timeout=1 nginxConnecting to nginx (10.100.0.16:80)
remote file existsFeedback
Was this page helpful?
Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it on Stack Overflow. Open an issue in the GitHub repo if you want to report a problem or suggest an improvement.
Page last modified on March 05, 2020 at 11:28 AM PST by
Resource name constraints (4) (#19121) (Page History)