4.2. Creating network policies

Procedure

1. Create a policy rule.

   1. Create a <policy_name>.yaml file:

      $ touch <policy_name>.yaml

      where:

      <policy_name>

      Specifies the network policy file name.

   2. Define a network policy in the created file. The following example denies ingress traffic from all pods in all namespaces. This is a fundamental policy, blocking all cross-pod networking other than cross-pod traffic allowed by the configuration of other Network Policies.

      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      spec:
        podSelector: {}
        policyTypes:
        - Ingress
        ingress: []

      The following example configuration allows ingress traffic from all pods in the same namespace:

      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: allow-same-namespace
      spec:
        podSelector:
        ingress:
        - from:
          - podSelector: {}
      # ...

      The following example allows ingress traffic to one pod from a particular namespace. This policy allows traffic to pods that have the pod-a label from pods running in namespace-y.

      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: allow-traffic-pod
      spec:
        podSelector:
         matchLabels:
            pod: pod-a
        policyTypes:
        - Ingress
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                 kubernetes.io/metadata.name: namespace-y
      # ...

      The following example configuration restricts traffic to a service. This policy when applied ensures every pod with both labels app=bookstore and role=api can only be accessed by pods with label app=bookstore. In this example the application could be a REST API server, marked with labels app=bookstore and role=api.

      This example configuration addresses the following use cases:

      • Restricting the traffic to a service to only the other microservices that need to use it.

      • Restricting the connections to a database to only permit the application using it.

        kind: NetworkPolicy
        apiVersion: networking.k8s.io/v1
        metadata:
          name: api-allow
        spec:
          podSelector:
            matchLabels:
              app: bookstore
              role: api
          ingress:
          - from:
              - podSelector:
                  matchLabels:
                    app: bookstore
        # ...

2. To create the network policy object, enter the following command. Successful output lists the name of the policy object and the created status.

   $ oc apply -f <policy_name>.yaml -n <namespace>

   where:

   <policy_name>

   Specifies the network policy file name.

   <namespace>

   Optional parameter. If you defined the object in a different namespace than the current namespace, the parameter specifices the namespace.

   Successful output lists the name of the policy object and the created status.

Procedure

1. Create the following YAML that defines a deny-by-default policy to deny ingress from all pods in all namespaces. Save the YAML in the deny-by-default.yaml file:

   kind: NetworkPolicy
   apiVersion: networking.k8s.io/v1
   metadata:
     name: deny-by-default
     namespace: my-project
   spec:
     podSelector: {}
     ingress: []

   where:

   namespace

   Specifies the namespace in which to deploy the policy. For example, the my-project namespace.

   podSelector

   If this field is empty, the configuration matches all the pods. Therefore, the policy applies to all pods in the my-project namespace.

   ingress

   Where [] indicates that no ingress rules are specified. This causes incoming traffic to be dropped to all pods.

2. Apply the policy by entering the following command. Successful output lists the name of the policy object and the created status.

   $ oc apply -f deny-by-default.yaml

Procedure

1. Create a policy that allows traffic from the public Internet directly or by using a load balancer to access the pod. Save the YAML in the web-allow-external.yaml file:

   kind: NetworkPolicy
   apiVersion: networking.k8s.io/v1
   spec:
     policyTypes:
     - Ingress
     podSelector:
       matchLabels:
         app: web
     ingress:
       - {}

2. Apply the policy by entering the following command. Successful output lists the name of the policy object and the created status.

   $ oc apply -f web-allow-external.yaml

Procedure

1. Create a policy that allows traffic from all pods in all namespaces to a particular application. Save the YAML in the web-allow-all-namespaces.yaml file:

   kind: NetworkPolicy
   apiVersion: networking.k8s.io/v1
   spec:
     podSelector:
       matchLabels:
         app: web
     policyTypes:
     - Ingress
     ingress:
     - from:
       - namespaceSelector: {}

   where:

   app

   Applies the policy only to app:web pods in default namespace.

   namespaceSelector

   Selects all pods in all namespaces.

   注記

   By default, if you do not specify a namespaceSelector parameter in the policy object, no namespaces get selected. This means the policy allows traffic only from the namespace where the network policy deployes.

2. Apply the policy by entering the following command. Successful output lists the name of the policy object and the created status.

   $ oc apply -f web-allow-all-namespaces.yaml

Verification

1. Start a web service in the default namespace by entering the following command:

   $ oc run web --namespace=default --image=nginx --labels="app=web" --expose --port=80

2. Run the following command to deploy an alpine image in the secondary namespace and to start a shell:

   $ oc run test-$RANDOM --namespace=secondary --rm -i -t --image=alpine -- sh

3. Run the following command in the shell and observe that the service allows the request:

   # wget -qO- --timeout=2 http://web.default

   <!DOCTYPE html>
   <html>
   <head>
   <title>Welcome to nginx!</title>
   <style>
   html { color-scheme: light dark; }
   body { width: 35em; margin: 0 auto;
   font-family: Tahoma, Verdana, Arial, sans-serif; }
   </style>
   </head>
   <body>
   <h1>Welcome to nginx!</h1>
   <p>If you see this page, the nginx web server is successfully installed and
   working. Further configuration is required.</p>
   
   <p>For online documentation and support please refer to
   <a href="http://nginx.org/">nginx.org</a>.<br/>
   Commercial support is available at
   <a href="http://nginx.com/">nginx.com</a>.</p>
   
   <p><em>Thank you for using nginx.</em></p>
   </body>
   </html>

Procedure

1. Create a policy that allows traffic from all pods in a particular namespaces with a label purpose=production. Save the YAML in the web-allow-prod.yaml file:

   kind: NetworkPolicy
   apiVersion: networking.k8s.io/v1
   metadata:
     name: web-allow-prod
     namespace: default
   spec:
     podSelector:
       matchLabels:
         app: web
     policyTypes:
     - Ingress
     ingress:
     - from:
       - namespaceSelector:
           matchLabels:
             purpose: production

   where:

   app

   Applies the policy only to app:web pods in the default namespace.

   purpose

   Restricts traffic to only pods in namespaces that have the label purpose=production.

2. Apply the policy by entering the following command. Successful output lists the name of the policy object and the created status.

   $ oc apply -f web-allow-prod.yaml

Verification

1. Start a web service in the default namespace by entering the following command:

   $ oc run web --namespace=default --image=nginx --labels="app=web" --expose --port=80

2. Run the following command to create the prod namespace:

   $ oc create namespace prod

3. Run the following command to label the prod namespace:

   $ oc label namespace/prod purpose=production

4. Run the following command to create the dev namespace:

   $ oc create namespace dev

5. Run the following command to label the dev namespace:

   $ oc label namespace/dev purpose=testing

6. Run the following command to deploy an alpine image in the dev namespace and to start a shell:

   $ oc run test-$RANDOM --namespace=dev --rm -i -t --image=alpine -- sh

7. Run the following command in the shell and observe the reason for the blocked request. For example, expected output states wget: download timed out.

   # wget -qO- --timeout=2 http://web.default

8. Run the following command to deploy an alpine image in the prod namespace and start a shell:

   $ oc run test-$RANDOM --namespace=prod --rm -i -t --image=alpine -- sh

9. Run the following command in the shell and observe that the request is allowed:

   # wget -qO- --timeout=2 http://web.default

   <!DOCTYPE html>
   <html>
   <head>
   <title>Welcome to nginx!</title>
   <style>
   html { color-scheme: light dark; }
   body { width: 35em; margin: 0 auto;
   font-family: Tahoma, Verdana, Arial, sans-serif; }
   </style>
   </head>
   <body>
   <h1>Welcome to nginx!</h1>
   <p>If you see this page, the nginx web server is successfully installed and
   working. Further configuration is required.</p>
   
   <p>For online documentation and support please refer to
   <a href="http://nginx.org/">nginx.org</a>.<br/>
   Commercial support is available at
   <a href="http://nginx.com/">nginx.com</a>.</p>
   
   <p><em>Thank you for using nginx.</em></p>
   </body>
   </html>