{"id":521794,"date":"2022-12-06T04:48:51","date_gmt":"2022-12-06T01:48:51","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/securing-kubernetes-cluster-traffic-with-pod-network-policies\/"},"modified":"2022-12-06T04:48:51","modified_gmt":"2022-12-06T01:48:51","slug":"securing-kubernetes-cluster-traffic-with-pod-network-policies","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/securing-kubernetes-cluster-traffic-with-pod-network-policies\/","title":{"rendered":"#Securing Kubernetes Cluster Traffic With Pod Network Policies"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9CSecuring_Kubernetes_Cluster_Traffic_With_Pod_Network_Policies%E2%80%9D\"><\/span>&#8220;Securing Kubernetes Cluster Traffic With Pod Network Policies&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div>\n<img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage alignnone size-full wp-image-803403\" data-pagespeed-no-defer=\"\" 
src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/05\/Kubernetes.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Kubernetes logo\" width=\"1602\" height=\"902\"\/>\n<p>Kubernetes Pods can freely communicate with each other by default. This poses a security risk when your cluster\u2019s used for multiple applications or teams. Errant behavior or malicious access in one Pod could direct traffic to the other Pods in your cluster.<\/p>\n<p>This article will teach you how to avoid this scenario by setting up <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/concepts\/services-networking\/network-policies\">network policies<\/a>. These rules let you control Pod-to-Pod traffic flows at the IP address level (OSI layer 3 or 4). You can precisely define the ingress sources and egress destinations permitted for each Pod.<\/p>\n<h2 id=\"creating-a-network-policy\"><span class=\"ez-toc-section\" id=\"Creating_a_Network_Policy\"><\/span>Creating a Network Policy<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Network policies are created by adding <code>NetworkPolicy<\/code> objects to your cluster. Each policy defines the Pods it applies to and one or more ingress and egress rules. 
Here\u2019s a basic policy manifest:<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><strong class=\"co3\">apiVersion<\/strong><strong class=\"sy2\">: <\/strong>networking.k8s.io\/v1<strong class=\"co3\">\nkind<\/strong><strong class=\"sy2\">: <\/strong>NetworkPolicy<strong class=\"co4\">\nmetadata<\/strong>:<strong class=\"co3\">\n  name<\/strong><strong class=\"sy2\">: <\/strong>network-policy<strong class=\"co3\">\n  namespace<\/strong><strong class=\"sy2\">: <\/strong>app<strong class=\"co4\">\nspec<\/strong>:<strong class=\"co4\">\n  podSelector<\/strong>:<strong class=\"co4\">\n    matchLabels<\/strong>:<strong class=\"co3\">\n      component<\/strong><strong class=\"sy2\">: <\/strong>database<strong class=\"co4\">\n  policyTypes<\/strong><strong class=\"sy2\">:\n<\/strong>    - Ingress\n    - Egress<strong class=\"co4\">\n  ingress<\/strong>:<strong class=\"co4\">\n    - from<\/strong>:<strong class=\"co4\">\n      - podSelector<\/strong>:<strong class=\"co4\">\n          matchLabels<\/strong>:<strong class=\"co3\">\n            component<\/strong><strong class=\"sy2\">: <\/strong>api<strong class=\"co4\">\n  egress<\/strong>:<strong class=\"co4\">\n    - to<\/strong>:<strong class=\"co4\">\n        - podSelector<\/strong>:<strong class=\"co4\">\n            matchLabels<\/strong>:<strong class=\"co3\">\n              component<\/strong><strong class=\"sy2\">: <\/strong>api<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>This network policy applies to any Pod with a <code>component: database<\/code> label in the <code>app<\/code> namespace. It states that ingress (incoming) and egress (outgoing) traffic is only allowed from and to Pods with a <code>component: api<\/code> label. 
Any requests originating from other Pods, such as <code>component: web-frontend<\/code>, will be blocked.<\/p>\n<p>Network policies can be applied like any other object by using kubectl. They\u2019ll take effect immediately after they\u2019re created. You can add the network policy before you start the Pods it selects.<\/p>\n<pre>$ kubectl apply -f policy.yaml\nnetworkpolicy.networking.k8s.io\/network-policy created<\/pre>\n<h2 id=\"how-network-policies-work\"><span class=\"ez-toc-section\" id=\"How_Network_Policies_Work\"><\/span>How Network Policies Work<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Network policies are implemented by your cluster\u2019s active <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/concepts\/extend-kubernetes\/compute-storage-net\/network-plugins\">networking plugin<\/a>. Your policies will be accepted by the API server but won\u2019t have any effect if your plugin doesn\u2019t support the feature. Most popular options such as <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/network-policy-provider\/calico-network-policy\">Calico<\/a> and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/network-policy-provider\/cilium-network-policy\">Cilium<\/a> ship with network policy support enabled.<\/p>\n<p>When a network policy applies to a Pod, the plugin will inspect its traffic to check it\u2019s compliant with the policy\u2019s requirements. Any connections that don\u2019t meet the criteria will be disallowed. 
The Pod that tried to initiate the connection will find the remote host is unreachable, either because it was trying to access a resource blocked by an egress rule, or because a remote Pod denied the incoming connection using an ingress rule.<\/p>\n<p>A successful connection between two Pods can only be established when the network policies on <em>both<\/em> of them permit it. The connection could be forbidden by an egress rule of the initiating Pod, or an ingress rule on the target.<\/p>\n<p>Network policies are always <em>additive<\/em> in nature. When multiple policies select the same Pod, the list of permitted ingress and egress sources will be the combination of all the policies.<\/p>\n<h2 id=\"example-network-policies\"><span class=\"ez-toc-section\" id=\"Example_Network_Policies\"><\/span>Example Network Policies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Network policies support many different options for customizing the Pods they target and the types of connection that are allowed. 
The following examples showcase several common use cases.<\/p>\n<h3 id=\"apply-a-policy-to-every-pod-in-the-namespace-only-allowing-ingress-traffic-from-a-specific-ip-address-block\"><span class=\"ez-toc-section\" id=\"Apply_a_policy_to_every_Pod_in_the_namespace_only_allowing_Ingress_traffic_from_a_specific_IP_address_block\"><\/span>Apply a policy to every Pod in the namespace, only allowing Ingress traffic from a specific IP address block<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><strong class=\"co3\">apiVersion<\/strong><strong class=\"sy2\">: <\/strong>networking.k8s.io\/v1<strong class=\"co3\">\nkind<\/strong><strong class=\"sy2\">: <\/strong>NetworkPolicy<strong class=\"co4\">\nmetadata<\/strong>:<strong class=\"co3\">\n  name<\/strong><strong class=\"sy2\">: <\/strong>network-policy<strong class=\"co3\">\n  namespace<\/strong><strong class=\"sy2\">: <\/strong>app<strong class=\"co4\">\nspec<\/strong>:<strong class=\"co3\">\n  podSelector<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"br0\">{<\/strong><strong class=\"br0\">}<\/strong><strong class=\"co4\">\n  policyTypes<\/strong><strong class=\"sy2\">:\n<\/strong>    - Ingress<strong class=\"co4\">\n  ingress<\/strong>:<strong class=\"co4\">\n    - from<\/strong>:<strong class=\"co4\">\n        - ipBlock<\/strong>:<strong class=\"co3\">\n            cidr<\/strong><strong class=\"sy2\">: <\/strong>172.17.0.0\/16<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>The empty <code>podSelector<\/code> block means all the namespace\u2019s Pods are targeted by the policy. The <code>ipBlock<\/code> rule restricts ingress traffic to sources with an IP address in the specified range. 
Egress traffic is not blocked.<\/p>\n<h3 id=\"allow-ingress-traffic-from-an-ip-address-block-but-exclude-some-specific-ips\"><span class=\"ez-toc-section\" id=\"Allow_Ingress_traffic_from_an_IP_address_block_but_exclude_some_specific_IPs\"><\/span>Allow Ingress traffic from an IP address block, but exclude some specific IPs<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><strong class=\"co3\">apiVersion<\/strong><strong class=\"sy2\">: <\/strong>networking.k8s.io\/v1<strong class=\"co3\">\nkind<\/strong><strong class=\"sy2\">: <\/strong>NetworkPolicy<strong class=\"co4\">\nmetadata<\/strong>:<strong class=\"co3\">\n  name<\/strong><strong class=\"sy2\">: <\/strong>network-policy<strong class=\"co3\">\n  namespace<\/strong><strong class=\"sy2\">: <\/strong>app<strong class=\"co4\">\nspec<\/strong>:<strong class=\"co3\">\n  podSelector<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"br0\">{<\/strong><strong class=\"br0\">}<\/strong><strong class=\"co4\">\n  policyTypes<\/strong><strong class=\"sy2\">:\n<\/strong>    - Ingress<strong class=\"co4\">\n  ingress<\/strong>:<strong class=\"co4\">\n    - from<\/strong>:<strong class=\"co4\">\n        - ipBlock<\/strong>:<strong class=\"co3\">\n            cidr<\/strong><strong class=\"sy2\">: <\/strong>172.17.0.0\/16<strong class=\"co4\">\n            except<\/strong><strong class=\"sy2\">:\n<\/strong>              - 172.17.0.1\/32\n              - 172.17.0.2\/32\n              - 172.17.0.3\/32<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p><code>ipBlock<\/code> rules support an <code>except<\/code> field to exclude traffic originating from, or being directed to, specific IPs. Each <code>except<\/code> entry is itself a CIDR that must fall within <code>cidr<\/code>, so a single address is written with a <code>\/32<\/code> suffix.<\/p>\n<h3 
id=\"allow-ingress-traffic-from-all-pods-in-the-namespace-but-only-from-a-specific-port\"><span class=\"ez-toc-section\" id=\"Allow_Ingress_traffic_from_all_Pods_in_the_namespace_but_only_from_a_specific_port\"><\/span>Allow Ingress traffic from all Pods in the namespace, but only on a specific port<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><strong class=\"co3\">apiVersion<\/strong><strong class=\"sy2\">: <\/strong>networking.k8s.io\/v1<strong class=\"co3\">\nkind<\/strong><strong class=\"sy2\">: <\/strong>NetworkPolicy<strong class=\"co4\">\nmetadata<\/strong>:<strong class=\"co3\">\n  name<\/strong><strong class=\"sy2\">: <\/strong>network-policy<strong class=\"co3\">\n  namespace<\/strong><strong class=\"sy2\">: <\/strong>app<strong class=\"co4\">\nspec<\/strong>:<strong class=\"co3\">\n  podSelector<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"br0\">{<\/strong><strong class=\"br0\">}<\/strong><strong class=\"co4\">\n  policyTypes<\/strong><strong class=\"sy2\">:\n<\/strong>    - Ingress<strong class=\"co4\">\n  ingress<\/strong>:<strong class=\"co4\">\n    - from<\/strong>:<strong class=\"co3\">\n        - podSelector<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"br0\">{<\/strong><strong class=\"br0\">}<\/strong><strong class=\"co4\">\n      ports<\/strong>:<strong class=\"co3\">\n        - protocol<\/strong><strong class=\"sy2\">: <\/strong>TCP<strong class=\"co3\">\n          port<\/strong><strong class=\"sy2\">: <\/strong>443<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>The <code>ports<\/code> field is available on ingress and egress rules. 
It defines the destination ports on which traffic can be received (ingress rules) or to which it can be sent (egress rules). You can optionally specify a range of ports, such as 3000 \u2013 3500, by setting the <code>endPort<\/code> field (3500) in addition to <code>port<\/code> (3000).<\/p>\n<h3 id=\"allow-traffic-from-pods-with-a-specific-label-that-exist-in-a-different-namespace\"><span class=\"ez-toc-section\" id=\"Allow_traffic_from_Pods_with_a_specific_label_that_exist_in_a_different_namespace\"><\/span>Allow traffic from Pods with a specific label that exist in a different namespace<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><strong class=\"co3\">apiVersion<\/strong><strong class=\"sy2\">: <\/strong>networking.k8s.io\/v1<strong class=\"co3\">\nkind<\/strong><strong class=\"sy2\">: <\/strong>NetworkPolicy<strong class=\"co4\">\nmetadata<\/strong>:<strong class=\"co3\">\n  name<\/strong><strong class=\"sy2\">: <\/strong>network-policy<strong class=\"co3\">\n  namespace<\/strong><strong class=\"sy2\">: <\/strong>database<strong class=\"co4\">\nspec<\/strong>:<strong class=\"co3\">\n  podSelector<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"br0\">{<\/strong><strong class=\"br0\">}<\/strong><strong class=\"co4\">\n  policyTypes<\/strong><strong class=\"sy2\">:\n<\/strong>    - Ingress<strong class=\"co4\">\n  ingress<\/strong>:<strong class=\"co4\">\n    - from<\/strong>:<strong class=\"co4\">\n        - namespaceSelector<\/strong>:<strong class=\"co4\">\n            matchLabels<\/strong>:<strong class=\"co3\">\n              application<\/strong><strong class=\"sy2\">: <\/strong>demo-app<strong class=\"co4\">\n          podSelector<\/strong>:<strong class=\"co4\">\n            matchLabels<\/strong>:<strong 
class=\"co3\">\n              component<\/strong><strong class=\"sy2\">: <\/strong>database<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>The policy states that any Pod labelled <code>component: database<\/code> can reach all the Pods in the <code>database<\/code> namespace, provided its own namespace is labelled <code>application: demo-app<\/code>. Because the <code>namespaceSelector<\/code> and <code>podSelector<\/code> sit in the same <code>from<\/code> entry, both conditions must hold.<\/p>\n<p>You can allow traffic from <em>all<\/em> the Pods in an external namespace by creating a rule that only includes a <code>namespaceSelector<\/code> field.<\/p>\n<h3 id=\"explicitly-allow-all-traffic\"><span class=\"ez-toc-section\" id=\"Explicitly_allow_all_traffic\"><\/span>Explicitly allow all traffic<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Sometimes you might want to explicitly allow all traffic of a particular type within a namespace. Include the type in your policy but supply an empty Pod selector and a single empty rule (<code>{}<\/code>) for that type:<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><strong class=\"co3\">apiVersion<\/strong><strong class=\"sy2\">: <\/strong>networking.k8s.io\/v1<strong class=\"co3\">\nkind<\/strong><strong class=\"sy2\">: <\/strong>NetworkPolicy<strong class=\"co4\">\nmetadata<\/strong>:<strong class=\"co3\">\n  name<\/strong><strong class=\"sy2\">: <\/strong>network-policy<strong class=\"co3\">\n  namespace<\/strong><strong class=\"sy2\">: <\/strong>app<strong class=\"co4\">\nspec<\/strong>:<strong class=\"co3\">\n  podSelector<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"br0\">{<\/strong><strong class=\"br0\">}<\/strong><strong class=\"co4\">\n  policyTypes<\/strong><strong class=\"sy2\">:\n<\/strong>    - Ingress\n    - Egress<strong class=\"co4\">\n  ingress<\/strong><strong class=\"sy2\">:\n<\/strong>    - <strong 
class=\"br0\">{<\/strong><strong class=\"br0\">}<\/strong><strong class=\"co4\">\n  egress<\/strong><strong class=\"sy2\">:\n<\/strong>    - <strong class=\"br0\">{<\/strong><strong class=\"br0\">}<\/strong><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>All the Pods in the namespace can freely communicate, as if there was no policy. Creating the policy anyway lets you indicate your intentions to other cluster users. They might question the presence of a namespace with unrestricted networking in a cluster which has otherwise been secured.<\/p>\n<h2 id=\"when-to-use-network-policies\"><span class=\"ez-toc-section\" id=\"When_to_Use_Network_Policies\"><\/span>When to Use Network Policies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Network policies should be created for each of the namespaces and Pods in your cluster. This better isolates your Pods and puts you in control of traffic flow.<\/p>\n<p>Try to make your policies as granular as possible. Widening access too much, such as allowing access between all Pods in a namespace, leaves you exposed to risks if one of your containers is compromised. Consider using precise selectors to identify individual ingress and egress remotes for sensitive Pods such as authentication services, databases, and payment handlers.<\/p>\n<p>Kubernetes doesn\u2019t enable any network policies by default which can allow oversights to occur, even if you intend all Pods to be protected by a policy. You can mitigate against this risk by adding a catch-all policy to your namespaces. 
This policy selects every Pod in the namespace and applies a rule that forbids all network communication:<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><strong class=\"co3\">apiVersion<\/strong><strong class=\"sy2\">: <\/strong>networking.k8s.io\/v1<strong class=\"co3\">\nkind<\/strong><strong class=\"sy2\">: <\/strong>NetworkPolicy<strong class=\"co4\">\nmetadata<\/strong>:<strong class=\"co3\">\n  name<\/strong><strong class=\"sy2\">: <\/strong>deny-<strong class=\"kw1\">all<\/strong><strong class=\"co3\">\n  namespace<\/strong><strong class=\"sy2\">: <\/strong>app<strong class=\"co4\">\nspec<\/strong>:<strong class=\"co3\">\n  podSelector<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"br0\">{<\/strong><strong class=\"br0\">}<\/strong><strong class=\"co4\">\n  policyTypes<\/strong><strong class=\"sy2\">:\n<\/strong>    - Ingress\n    - Egress<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Network policies are always scoped to namespaces so you\u2019ll need to create a separate catch-all for each one.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kubernetes allows all the Pods in your cluster to communicate with each other. This is too permissive for real-world applications running in multi-purpose clusters. Network policies address this problem by providing a firewall-like system for managing the ingress sources and egress targets that each Pod accepts.<\/p>\n<p>It\u2019s good practice to configure a network policy on all of your Pods. This will secure your cluster so only legitimate traffic flows are permitted. 
Network policies are only one part of Kubernetes security, however: other <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/securing-a-cluster\">protection mechanisms<\/a> such as RBAC and Pod <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/tasks\/configure-pod-container\/security-context\">security contexts<\/a> are also essential tools for hardening your environment.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/devops\/securing-kubernetes-cluster-traffic-with-pod-network-policies\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;Securing Kubernetes Cluster Traffic With Pod Network Policies&#8221; Kubernetes Pods can freely communicate with each other by default. This poses a security risk when your cluster\u2019s used for multiple applications or teams. Errant behavior or malicious access in one Pod could direct traffic to the other Pods in your cluster. 
This article will teach you&#8230;<\/p>\n","protected":false},"author":1,"featured_media":521795,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/05\/Kubernetes.jpg?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-521794","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/521794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=521794"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/521794\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/521795"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=521794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=521794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=521794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}