Creating a network policy

As a user with the admin role, you can create a network policy for a namespace.

Example NetworkPolicy object

The following annotates an example NetworkPolicy object:

  kind: NetworkPolicy
  apiVersion: networking.k8s.io/v1
  metadata:
    name: allow-27107 (1)
  spec:
    podSelector: (2)
      matchLabels:
        app: mongodb
    ingress:
    - from:
      - podSelector: (3)
          matchLabels:
            app: app
      ports: (4)
      - protocol: TCP
        port: 27017

(1) The name of the NetworkPolicy object.
(2) A selector that describes the pods to which the policy applies. A policy can only select pods in the project (namespace) that defines the NetworkPolicy object.
(3) A selector that matches the pods from which the policy allows ingress traffic. On its own, a podSelector matches only pods in the same namespace as the NetworkPolicy; pods in other namespaces are matched only if the same from entry also carries a namespaceSelector.
(4) A list of one or more destination ports on which to accept traffic. If ports is omitted, the rule accepts traffic on every port.

Creating a network policy using the CLI

To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a network policy.

If you log in with a user with the cluster-admin role, then you can create a network policy in any namespace in the cluster.

Prerequisites

  • Your cluster uses a network plugin that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with admin privileges.

  • You are working in the namespace that the network policy applies to.

Procedure

  1. Create a policy rule:

    1. Create a <policy_name>.yaml file:

      $ touch <policy_name>.yaml

      where:

      <policy_name>

      Specifies the network policy file name.

    2. Define a network policy in the file that you just created, such as in the following examples:

      Deny ingress from all pods in all namespaces

      This is a fundamental policy: it selects every pod in the namespace and, because its ingress list is empty, drops all ingress traffic to those pods from any source, except traffic that another NetworkPolicy in the same namespace explicitly allows.

      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: deny-by-default
      spec:
        podSelector: {}
        ingress: []

      Allow ingress from all pods in the same namespace

      The podSelector in the from entry has no namespaceSelector beside it, so it matches only pods in the namespace where the policy is created.

      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: allow-same-namespace
      spec:
        podSelector: {}
        ingress:
        - from:
          - podSelector: {}

      Allow ingress traffic to one pod from a particular namespace

      This policy allows traffic to pods labelled pod=pod-a from any pod running in namespace-y. The namespace is matched by its kubernetes.io/metadata.name label, which the API server sets automatically on every namespace.

      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: allow-traffic-pod
      spec:
        podSelector:
          matchLabels:
            pod: pod-a
        policyTypes:
        - Ingress
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: namespace-y
  2. To create the network policy object, enter the following command:

    $ oc apply -f <policy_name>.yaml -n <namespace>

    where:

    <policy_name>

    Specifies the network policy file name.

    <namespace>

    Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

    Example output

    networkpolicy.networking.k8s.io/deny-by-default created

If you log in to the web console with cluster-admin privileges, you have a choice of creating a network policy in any namespace in the cluster directly in YAML or from a form in the web console.

Creating a default deny all network policy

This is a fundamental policy: it isolates every pod in the namespace and drops all ingress traffic that no other deployed network policy explicitly allows. This procedure creates such a deny-by-default policy.

If you log in with a user with the cluster-admin role, then you can create a network policy in any namespace in the cluster.

Prerequisites

  • Your cluster uses a network plugin that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with admin privileges.

  • You are working in the namespace that the network policy applies to.

Procedure

  1. Create the following YAML that defines a deny-by-default policy to deny ingress from all pods in all namespaces. Save the YAML in the deny-by-default.yaml file:

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: deny-by-default
      namespace: default (1)
    spec:
      podSelector: {} (2)
      ingress: [] (3)

    (1) namespace: default deploys this policy to the default namespace.
    (2) podSelector: {} is empty, so it matches all pods. Therefore, the policy applies to all pods in the default namespace.
    (3) There are no ingress rules specified. This causes all incoming traffic to the selected pods to be dropped, whether it comes from other pods or from outside the cluster, until another policy allows it.
  2. Apply the policy by entering the following command:

    $ oc apply -f deny-by-default.yaml

    Example output

    networkpolicy.networking.k8s.io/deny-by-default created

Creating a network policy to allow traffic from external clients

With the deny-by-default policy in place, you can proceed to configure a policy that allows traffic from external clients to pods with the label app=web.

If you log in with a user with the cluster-admin role, then you can create a network policy in any namespace in the cluster.

Follow this procedure to configure a policy that allows clients on the public Internet, connecting directly or through a load balancer, to reach the pod. Traffic is only allowed to pods with the label app=web; the deny-by-default policy continues to isolate every other pod in the namespace.

Prerequisites

  • Your cluster uses a network plugin that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with admin privileges.

  • You are working in the namespace that the network policy applies to.

Procedure

  1. Create a policy that allows traffic from the public Internet directly or by using a load balancer to access the pod. Save the YAML in the web-allow-external.yaml file:

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: web-allow-external
      namespace: default
    spec:
      policyTypes:
      - Ingress
      podSelector:
        matchLabels:
          app: web
      ingress:
      - {}
  2. Apply the policy by entering the following command:

    $ oc apply -f web-allow-external.yaml

    Example output

    networkpolicy.networking.k8s.io/web-allow-external created

The single ingress rule, - {}, has neither a from nor a ports field, so it admits traffic from every source on every port. This policy therefore allows traffic to app=web pods from all resources, including external traffic, as illustrated in the following diagram:

Allow traffic from external clients

Creating a network policy allowing traffic to an application from all namespaces

If you log in with a user with the cluster-admin role, then you can create a network policy in any namespace in the cluster.

Follow this procedure to configure a policy that allows traffic from all pods in all namespaces to a particular application.

Prerequisites

  • Your cluster uses a network plugin that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with admin privileges.

  • You are working in the namespace that the network policy applies to.

Procedure

  1. Create a policy that allows traffic from all pods in all namespaces to a particular application. Save the YAML in the web-allow-all-namespaces.yaml file:

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: web-allow-all-namespaces
      namespace: default
    spec:
      podSelector:
        matchLabels:
          app: web (1)
      policyTypes:
      - Ingress
      ingress:
      - from:
        - namespaceSelector: {} (2)

    (1) Applies the policy only to app=web pods in the default namespace.
    (2) An empty namespaceSelector matches every namespace, so this entry admits all pods in all namespaces.

    If a from entry specifies a podSelector without a namespaceSelector, the entry matches only pods in the namespace where the network policy is deployed. To admit pods from other namespaces, the entry must include a namespaceSelector; when a single entry carries both selectors, a source pod must satisfy both.

  2. Apply the policy by entering the following command:

    $ oc apply -f web-allow-all-namespaces.yaml

    Example output

    networkpolicy.networking.k8s.io/web-allow-all-namespaces created

Verification

  1. Start a web service in the default namespace by entering the following command:

    $ oc run web --namespace=default --image=nginx --labels="app=web" --expose --port=80
  2. Run the following command to deploy an alpine image in the secondary namespace and to start a shell. The secondary namespace must already exist; create it with oc create namespace secondary if it does not:

    $ oc run test-$RANDOM --namespace=secondary --rm -i -t --image=alpine -- sh
  3. Run the following command in the shell and observe that the request is allowed:

    # wget -qO- --timeout=2 http://web.default

    Expected output

    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
    html { color-scheme: light dark; }
    body { width: 35em; margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif; }
    </style>
    </head>
    <body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>
    <p>For online documentation and support please refer to
    <a href="http://nginx.org/">nginx.org</a>.<br/>
    Commercial support is available at
    <a href="http://nginx.com/">nginx.com</a>.</p>
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>

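The web-allow-external and web-allow-all-namespaces policies above are deliberately broad, and the same shapes turn up by accident in real clusters. As an added example (not code from the OpenShift documentation or the oc tooling), the following Python script audits NetworkPolicy manifests, loaded as plain dicts, for the grants this page describes: a rule with no from (the - {} rule) admits every source including external clients, namespaceSelector: {} admits every pod in the cluster, a bare podSelector: {} in a from entry admits the policy's whole namespace, and a rule with no ports opens every port. The function names, severity labels and the sample manifests are my own; the manifests mirror the page's deny-by-default, web-allow-external, web-allow-all-namespaces and allow-27107 examples, and only matchLabels selectors are considered.

```python
"""Static audit of NetworkPolicy ingress rules for over-broad grants.

Added example, not part of the OpenShift documentation. Policies are
plain dicts, i.e. what loading the YAML manifests yields. Only
matchLabels selectors are considered (no matchExpressions, no ipBlock).
"""


def is_match_all(selector):
    """True for `{}` or a selector with empty matchLabels; False if absent."""
    return selector is not None and not selector.get("matchLabels")


def audit_policy(policy):
    """Return (policy name, severity, message) tuples for one policy dict."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    spec = policy.get("spec", {})
    types = spec.get("policyTypes")
    if types is not None and "Ingress" not in types:
        return [(name, "INFO", "policyTypes omits Ingress: ingress rules are ignored")]
    rules = spec.get("ingress")
    if not rules:  # `ingress: []` or missing: nothing is admitted
        return [(name, "INFO", "no ingress rules: default deny for the selected pods")]
    findings = []
    for i, rule in enumerate(rules):
        loc = f"ingress[{i}]"
        peers = rule.get("from")
        if not peers:  # `- {}` or `from: []`: every source, external clients included
            findings.append((name, "HIGH", f"{loc}: no `from`, admits every source "
                                           "including clients outside the cluster"))
        for j, peer in enumerate(peers or []):
            ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
            if is_match_all(ns_sel) and (pod_sel is None or is_match_all(pod_sel)):
                findings.append((name, "MEDIUM", f"{loc}.from[{j}]: namespaceSelector {{}} "
                                                 "admits every pod in every namespace"))
            elif ns_sel is None and is_match_all(pod_sel):
                findings.append((name, "LOW", f"{loc}.from[{j}]: podSelector {{}} admits "
                                              "every pod in the policy's own namespace"))
        if not rule.get("ports"):  # missing or empty ports list opens all ports
            findings.append((name, "LOW", f"{loc}: no `ports`, all ports are open "
                                          "to the admitted sources"))
    return findings


def severities(policy):
    """Severity labels in finding order; convenient for tests and summaries."""
    return [sev for _, sev, _ in audit_policy(policy)]


# Constructed sample manifests mirroring the page's examples.
DENY_BY_DEFAULT = {"metadata": {"name": "deny-by-default"},
                   "spec": {"podSelector": {}, "ingress": []}}
WEB_ALLOW_EXTERNAL = {"metadata": {"name": "web-allow-external"},
                      "spec": {"podSelector": {"matchLabels": {"app": "web"}},
                               "policyTypes": ["Ingress"], "ingress": [{}]}}
WEB_ALLOW_ALL_NAMESPACES = {"metadata": {"name": "web-allow-all-namespaces"},
                            "spec": {"podSelector": {"matchLabels": {"app": "web"}},
                                     "policyTypes": ["Ingress"],
                                     "ingress": [{"from": [{"namespaceSelector": {}}]}]}}
ALLOW_MONGODB = {"metadata": {"name": "allow-27107"},
                 "spec": {"podSelector": {"matchLabels": {"app": "mongodb"}},
                          "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "app"}}}],
                                       "ports": [{"protocol": "TCP", "port": 27017}]}]}}

if __name__ == "__main__":
    for pol in (DENY_BY_DEFAULT, WEB_ALLOW_EXTERNAL, WEB_ALLOW_ALL_NAMESPACES, ALLOW_MONGODB):
        for name, sev, msg in audit_policy(pol) or [(pol["metadata"]["name"], "OK", "no findings")]:
            print(f"{sev:6} {name}: {msg}")
```

Running the script flags web-allow-external as HIGH (open to every source) and web-allow-all-namespaces as MEDIUM, while the port-scoped allow-27107 policy from the first section produces no findings. To audit a live namespace, feed it the items from oc get networkpolicy -o json.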
Creating a network policy allowing traffic to an application from a namespace

If you log in with a user with the cluster-admin role, then you can create a network policy in any namespace in the cluster.

Follow this procedure to configure a policy that allows traffic to a pod with the label app=web from a particular namespace. You might want to do this to:

  • Restrict traffic to a production database only to namespaces where production workloads are deployed.

  • Enable monitoring tools deployed to a particular namespace to scrape metrics from the current namespace.

Prerequisites

  • Your cluster uses a network plugin that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with admin privileges.

  • You are working in the namespace that the network policy applies to.

Procedure

  1. Create a policy that allows traffic from all pods in any namespace that carries the label purpose=production. Save the YAML in the web-allow-prod.yaml file:

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: web-allow-prod
      namespace: default
    spec:
      podSelector:
        matchLabels:
          app: web (1)
      policyTypes:
      - Ingress
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              purpose: production (2)

    (1) Applies the policy only to app=web pods in the default namespace.
    (2) Admits traffic only from pods in namespaces that have the label purpose=production. The label is matched on the namespace, not on the pods, so every pod in such a namespace is admitted.
  2. Apply the policy by entering the following command:

    $ oc apply -f web-allow-prod.yaml

    Example output

    networkpolicy.networking.k8s.io/web-allow-prod created

Verification

  1. Start a web service in the default namespace by entering the following command:

    $ oc run web --namespace=default --image=nginx --labels="app=web" --expose --port=80
  2. Run the following command to create the prod namespace:

    $ oc create namespace prod
  3. Run the following command to label the prod namespace:

    $ oc label namespace/prod purpose=production
  4. Run the following command to create the dev namespace:

    $ oc create namespace dev
  5. Run the following command to label the dev namespace:

    $ oc label namespace/dev purpose=testing
  6. Run the following command to deploy an alpine image in the dev namespace and to start a shell:

    $ oc run test-$RANDOM --namespace=dev --rm -i -t --image=alpine -- sh
  7. Run the following command in the shell and observe that the request is blocked:

    # wget -qO- --timeout=2 http://web.default

    Expected output

    wget: download timed out
  8. Run the following command to deploy an alpine image in the prod namespace and start a shell:

    $ oc run test-$RANDOM --namespace=prod --rm -i -t --image=alpine -- sh
  9. Run the following command in the shell and observe that the request is allowed:

    # wget -qO- --timeout=2 http://web.default

    Expected output

    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
    html { color-scheme: light dark; }
    body { width: 35em; margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif; }
    </style>
    </head>
    <body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>
    <p>For online documentation and support please refer to
    <a href="http://nginx.org/">nginx.org</a>.<br/>
    Commercial support is available at
    <a href="http://nginx.com/">nginx.com</a>.</p>
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>

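The verification above exercises two flows against a live cluster. The following Python evaluator is an added example (not code from the OpenShift documentation or the oc tooling) that reproduces those decisions offline, and it also serves the earlier CLI section's deny-by-default and allow-same-namespace examples and the note that a podSelector without a namespaceSelector only reaches the policy's own namespace. It models the matchLabels subset of the NetworkPolicy API with the semantics this page describes: a pod selected by any policy in its namespace is isolated for ingress, traffic reaches it only if some selecting policy has a rule admitting the source and port, and policies are additive. The namespaces, pods, port numbers and the db-allow-prod-backup policy (which puts a namespaceSelector and a podSelector in one from entry, so both must match, and restricts the port) are constructed for the example; the other three policies mirror the page's manifests.

```python
"""Offline evaluator for NetworkPolicy ingress decisions (added example).

Models the matchLabels subset of networking.k8s.io/v1 NetworkPolicy:
no matchExpressions, ipBlock or egress. Cluster state below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class Policy:
    name: str
    namespace: str
    spec: dict


def selector_matches(selector, labels):
    """matchLabels is an AND of key=value pairs; {} (or null) matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, src, ns_labels):
    """Does one entry of a rule's `from` list admit the source pod?"""
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if pod_sel is None and ns_sel is None:
        return False  # ipBlock-only entries are not modelled
    if ns_sel is None:
        # podSelector on its own only reaches pods in the policy's namespace
        return src.namespace == policy_ns and selector_matches(pod_sel, src.labels)
    if not selector_matches(ns_sel, ns_labels.get(src.namespace, {})):
        return False
    # namespaceSelector and podSelector in the same entry are ANDed
    return pod_sel is None or selector_matches(pod_sel, src.labels)


def rule_admits(rule, policy, src, ns_labels, port, protocol):
    ports = rule.get("ports")
    if ports and not any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                         for p in ports):
        return False  # ports listed and none match; empty or missing means all ports
    peers = rule.get("from")
    if not peers:
        return True  # `from` empty or missing admits every source
    return any(peer_matches(peer, policy.namespace, src, ns_labels) for peer in peers)


def governs_ingress(policy):
    types = policy.spec.get("policyTypes")
    return types is None or "Ingress" in types  # Ingress is implied when unset


def ingress_allowed(src, dst, port, policies, ns_labels, protocol="TCP"):
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and governs_ingress(p)
                 and selector_matches(p.spec.get("podSelector"), dst.labels)]
    if not selecting:
        return True  # nothing selects dst, so it is not isolated
    return any(rule_admits(rule, p, src, ns_labels, port, protocol)
               for p in selecting for rule in (p.spec.get("ingress") or []))


# Constructed cluster state: the automatic kubernetes.io/metadata.name label
# plus the purpose labels used on the page.
NS_LABELS = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "prod": {"kubernetes.io/metadata.name": "prod", "purpose": "production"},
    "dev": {"kubernetes.io/metadata.name": "dev", "purpose": "testing"},
    "sandbox": {"kubernetes.io/metadata.name": "sandbox"},
}
POLICIES = [
    Policy("deny-by-default", "default", {"podSelector": {}, "ingress": []}),
    Policy("allow-same-namespace", "default",
           {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]}),
    Policy("web-allow-prod", "default", {
        "podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"purpose": "production"}}}]}]}),
    # Hypothetical policy: both selectors in ONE entry (ANDed) plus a port restriction.
    Policy("db-allow-prod-backup", "default", {
        "podSelector": {"matchLabels": {"app": "db"}},
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"purpose": "production"}},
                               "podSelector": {"matchLabels": {"role": "backup"}}}],
                     "ports": [{"protocol": "TCP", "port": 5432}]}]}),
]
WEB, DB = Pod("web", "default", {"app": "web"}), Pod("db", "default", {"app": "db"})
PROD_CLIENT, PROD_BACKUP = Pod("client", "prod", {"app": "client"}), Pod("backup", "prod", {"role": "backup"})
DEV_CLIENT, SANDBOX = Pod("client", "dev", {"app": "client"}), Pod("scratch", "sandbox", {})


def scenario():
    """Decisions for a handful of flows, keyed so tests can assert on them."""
    def check(src, dst, port):
        return ingress_allowed(src, dst, port, POLICIES, NS_LABELS)
    return {
        "prod-client->web:80": check(PROD_CLIENT, WEB, 80),        # web-allow-prod
        "dev-client->web:80": check(DEV_CLIENT, WEB, 80),          # nothing admits dev
        "web->db:5432": check(WEB, DB, 5432),                      # allow-same-namespace
        "prod-client->db:5432": check(PROD_CLIENT, DB, 5432),      # AND: lacks role=backup
        "prod-backup->db:5432": check(PROD_BACKUP, DB, 5432),      # both selectors satisfied
        "prod-backup->db:22": check(PROD_BACKUP, DB, 22),          # port not listed
        "dev-client->sandbox:80": check(DEV_CLIENT, SANDBOX, 80),  # no policy selects it
    }


if __name__ == "__main__":
    for flow, allowed in scenario().items():
        print(f"{flow:24} {'ALLOW' if allowed else 'DENY'}")
```

The first two flows are the ones the verification steps probe with wget: the prod client is admitted by web-allow-prod, the dev client is dropped by deny-by-default. The remaining flows show what the page states in prose: allow-same-namespace admits web to db only because both sit in default, the prod client cannot reach db because the single from entry requires both the namespace label and role=backup, the port list blocks the backup pod on port 22, and a pod in a namespace with no policies is not isolated at all.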
Additional resources