Creating a network policy

As a user with the admin role, you can create a network policy for a namespace.

Creating a network policy

To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a network policy.

If you log in with a user with the cluster-admin role, then you can create a network policy in any namespace in the cluster.

Prerequisites

  • Your cluster uses a cluster network provider that supports NetworkPolicy objects, such as the OVN-Kubernetes network provider or the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with admin privileges.

  • You are working in the namespace that the network policy applies to.

Procedure

  1. Create a policy rule:

    1. Create a <policy_name>.yaml file:

      1. $ touch <policy_name>.yaml

      where:

      <policy_name>

      Specifies the network policy file name.

    2. Define a network policy in the file that you just created, such as in the following examples:

      Deny ingress from all pods in all namespaces

      1. kind: NetworkPolicy
      2. apiVersion: networking.k8s.io/v1
      3. metadata:
      4.   name: deny-by-default
      5. spec:
      6.   podSelector:
      7.   ingress: []

      Allow ingress from all pods in the same namespace

      1. kind: NetworkPolicy
      2. apiVersion: networking.k8s.io/v1
      3. metadata:
      4.   name: allow-same-namespace
      5. spec:
      6.   podSelector:
      7.   ingress:
      8.   - from:
      9.     - podSelector: {}

  2. To create the network policy object, enter the following command:

    1. $ oc apply -f <policy_name>.yaml -n <namespace>

    where:

    <policy_name>

    Specifies the network policy file name.

    <namespace>

    Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

    Example output

    1. networkpolicy "default-deny" created

Example NetworkPolicy object

The following annotates an example NetworkPolicy object:

  1. kind: NetworkPolicy
  2. apiVersion: networking.k8s.io/v1
  3. metadata:
  4.   name: allow-27107 (1)
  5. spec:
  6.   podSelector: (2)
  7.     matchLabels:
  8.       app: mongodb
  9.   ingress:
  10.   - from:
  11.     - podSelector: (3)
  12.         matchLabels:
  13.           app: app
  14.     ports: (4)
  15.     - protocol: TCP
  16.       port: 27017
1The name of the NetworkPolicy object.
2A selector describing the pods the policy applies to. The policy object can only select pods in the project that the NetworkPolicy object is defined.
3A selector matching the pods that the policy object allows ingress traffic from. The selector will match pods in any project.
4A list of one or more destination ports to accept traffic on.