This document helps you get started using the Kubernetes NetworkPolicy API to declare network policies that govern how pods communicate with each other.
nginx
deployment and expose it via a servicenginx
serviceYou need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:
To check the version, enter kubectl version
.
Make sure you’ve configured a network provider with network policy support. There are a number of network providers that support NetworkPolicy, including:
Note: The above list is sorted alphabetically by product name, not by recommendation or preference. This example is valid for a Kubernetes cluster using any of these providers.
nginx
deployment and expose it via a serviceTo see how Kubernetes network policy works, start off by creating an nginx
deployment.
kubectl run nginx --image=nginx --replicas=2
deployment.apps/nginx created
And expose it via a service.
kubectl expose deployment nginx --port=80
service/nginx exposed
This runs two nginx
pods in the default namespace, and exposes them through a service called nginx
.
kubectl get svc,pod
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes 10.100.0.1 <none> 443/TCP 46m
service/nginx 10.100.0.16 <none> 80/TCP 33s
NAME READY STATUS RESTARTS AGE
pod/nginx-701339712-e0qfq 1/1 Running 0 35s
pod/nginx-701339712-o00ef 1/1 Running 0 35s
You should be able to access the new nginx
service from other pods. To test, access the service from another pod in the default namespace. Make sure you haven’t enabled isolation on the namespace.
Start a busybox container, and use wget
on the nginx
service:
kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ #
nginx
serviceLet’s say you want to limit access to the nginx
service so that only pods with the label access: true
can query it. To do that, create a NetworkPolicy
that allows connections only from those pods:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: access-nginx
spec:
podSelector:
matchLabels:
run: nginx
ingress:
- from:
- podSelector:
matchLabels:
access: "true"
Use kubectl to create a NetworkPolicy from the above nginx-policy.yaml file:
kubectl apply -f nginx-policy.yaml
networkpolicy.networking.k8s.io/access-nginx created
If we attempt to access the nginx Service from a pod without the correct labels, the request will now time out:
kubectl run busybox --rm -ti --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
wget: download timed out
/ #
Create a pod with the correct labels, and you’ll see that the request is allowed:
kubectl run busybox --rm -ti --labels="access=true" --image=busybox /bin/sh
Waiting for pod default/busybox-472357175-y0m47 to be running, status is Pending, pod ready: false
Hit enter for command prompt
/ # wget --spider --timeout=1 nginx
Connecting to nginx (10.100.0.16:80)
/ #
Was this page helpful?
Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it on Stack Overflow. Open an issue in the GitHub repo if you want to report a problem or suggest an improvement.