Kubernetes Network Policies

Introduction

Kubernetes network policies can control traffic flow between pods at the IP address or port level (OSI Layer 3/4).
Useful in multi-tenant clusters or clusters with multiple environments (development, testing, production).

Each pod gets its own IP address.
All pods can communicate with each other without Network Address Translation (NAT).
IP addresses of pods remain consistent across the cluster.
Cross-namespace communication is possible by default.

Multiple applications (App A and App B) and a database (Redis DB) running in different namespaces.
By default, all pods can communicate with each other.
Using network policies: Pods in App A can communicate with the DB, but pods in App B cannot.

*Commands to Check Pods and IPs:
- kubectl get pods -A : Show all pods across namespaces.
- kubectl get pods -A -owide : Show IP addresses of pods.
*Example Commands for Ping Demo:
- From Namespace A pod to Namespace B pod: kubectl -n namespace-a exec -it pod-name -- curl <namespace-b-pod-ip>
- From Namespace A pod to Namespace C pod using similar command.
*Defining Labels:
- kubectl describe namespace namespace-a : Shows labels for a namespace.

Example YAML: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-app-a namespace: namespace-b spec: podSelector: matchLabels: environment: test policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: myspace: namespace-a
Apply with kubectl apply -f <file-name>.

Installed Calico for network policy enforcement.
- Basic commands to install Calico.
Successfully tested network policy:
- Namespace C pod unable to ping Namespace B pod.

Restrict traffic using IP address blocks or pod labels.
*'Or' Conditions in Policies:
- Use dashes (-) in front of selectors for 'or' conditions.
*'And' Conditions in Policies:
- No dashes for 'and' conditions (all conditions must be met).