Govur University Logo
--> --> --> -->
Govur University Logo
Sign In
...
Home All Courses Engineering and Technology Courses Certified Kubernetes Administrator (CKA) Flashcard

Explain how NetworkPolicies function in Kubernetes and provide an example of a policy that isolates traffic between two namespaces.



NetworkPolicies in Kubernetes provide a means to control the network traffic between Pods. By default, all Pods in a Kubernetes cluster can communicate with each other without any restrictions. NetworkPolicies allow you to create firewall-like rules that specify which Pods can communicate with which other Pods (or network endpoints), thereby enhancing the security of your cluster by isolating different applications or components.

NetworkPolicies operate at Layer 3 (IP addresses) and Layer 4 (TCP, UDP ports) of the OSI model. They are namespace-scoped, meaning that a NetworkPolicy applies only to the Pods within the namespace where it is defined. NetworkPolicies are implemented by a network plugin, such as Calico, Cilium, or Weave Net, which must be installed and configured in your Kubernetes cluster to enforce the policies.

A NetworkPolicy consists of the following components:

1. `podSelector`: This specifies the set of Pods to which the policy applies. It uses labels to select the target Pods.

2. `policyTypes`: This specifies whether the policy applies to ingress (incoming traffic) or egress (outgoing traffic) or both.

3. `ingress`: This defines the rules for incoming traffic. It specifies which sources (Pods, namespaces, or IP blocks) are allowed to send traffic to the selected Pods.

4. `egress`: This defines the rules for outgoing traffic. It specifies which destinations (Pods, namespaces, or IP blocks) are allowed to receive traffic from the selected Pods.

Here's an example of a NetworkPolicy that isolates traffic between two namespaces: `namespace-a` and `namespace-b`. We want to prevent Pods in `namespace-a` from communicating with Pods in `namespace-b`, and vice versa.

First, we'll create a default-deny NetworkPolicy in each namespace. This policy will deny all incoming and outgoing traffic by default.

NetworkPolicy for `namespace-a`:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: namespace-a
spec:
podSelector: {} # Selects all Pods in the namespace
policyTypes:
- Ingress
- Egress
```

This policy selects all Pods in `namespace-a` (using an empty `podSelector`) and applies to both ingress and egress traffic. Since no `ingress` or `egress` rules are defined, all traffic is denied by default.

NetworkPolicy for `namespace-b`:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: namespace-b
spec:
podSelector: {} # Selects all Pods in the namespace
policyTypes:
- Ingress
- Egress
```

This policy is similar to the one for `namespace-a`, but it applies to Pods in `namespace-b`.

To apply these policies, save them as `namespace-a-default-deny.yaml` and `namespace-b-default-deny.yaml`, and then run:

```bash
kubectl apply -f namespace-a-default-deny.yaml
kubectl apply -f namespace-b-default-deny.yaml
```

After applying these policies, Pods in `namespace-a` and `namespace-b` will no longer be able to communicate with each other. They will also be isolated from other Pods in the cluster, unless specific rules are created to allow traffic.

To allow traffic between Pods within the same namespace, you can create additional NetworkPolicies that allow ingress and egress traffic based on labels. For example, to allow Pods with the label `app: my-app` in `namespace-a` to communicate with each other, you can create the following policy:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-same-namespace
namespace: namespace-a
spec:
podSelector:
matchLabels:
app: my-app
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: my-app
egress:
- to:
- podSelector:
matchLabels:
app: my-app
```

This policy allows Pods with the label `app: my-app` in `namespace-a` to receive traffic from and send traffic to other Pods with the same label in the same namespace.

By combining default-deny policies with more specific allow policies, you can create a robust and granular network security posture for your Kubernetes cluster.