Kubernetes Network Policy

Kubernetes is a well-known tool to build applications quite easily manageable and deployable anywhere. As a managed service, Kubernetes offers various options that will suit your needs. Kubernetes incorporates several commands that reduce the overhead of many time-consuming aspects of application management with which you can automate routine tasks.

What Is Kubernetes Network Policy?

Kubernetes Network Policies provides you with set rules for how data moves in your cluster and between Pods and the outside. Your cluster needs a network plugin that works with Network Policy. To control data flow based on IP addresses or ports for TCP, UDP, and SCTP, you should consider using Kubernetes Network Policies for some apps in your cluster. Every Network Policy you make focuses on a group of Pods and decides which external connections they can send and receive.

How Do Kubernetes Network Policies Work?

• Network Policies can provide a separate set of allowable targets for their Ingress and Egress rules, It is also possible to use Network Policies to disable all network connections for a Pod or to limit traffic to a certain port range.
• Network Policies are additive, thus you can have many policies targeting the same Pod.
• In the OSI networking paradigm, Network Policies are layer 3/4 controls. They use IP addresses and port numbers at the network transport level.
• Network Policies aren't a comprehensive answer. The present version has significant limitations, including the inability to report network policy block events and the absence of support for explicit reject policy.

How Are Network Policies Implemented?

• The CNI networking plugin you use in your cluster is responsible for applying Network Policies.
• Your rules need to work well with how your plugin uses these policies.
• Cloud companies that provide managed Kubernetes services will automatically turn on support. If you are managing your cluster, make sure you are using a compatible CNI plugin..

Step-By-Step Guide To Creating A Network Policy In Kubernetes

Step 1: Create a Namespace

• First, For better isolation, you can establish a different namespace and apply a Network Policy to it.

kubectl create namespace my-app

Output:

Step 2: Define the Pods to Protect

• Labels will allow Pods to be defined in the following phase.

kubectl label pod <pod-name> app=my-app -n my-app

Output:

Step 3: Make a Network Policy YAML

• Next, Your Network Policy will be created in a YAML file that you will generate.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-specified
  namespace: my-app
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: allowed-app
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: external-app
    ports:
    - protocol: TCP
      port: 8080

Step 4: Apply the Network Policy

• To apply the network policy, you need to run the command below and confirm the outcomes.

kubectl apply -f network-policy.yaml

Output:

Step 5: Verify the Policy

• Next, you need to verify the Network Policy's proper application.

kubectl get networkpolicy -n my-app

Output:

Step 6: Test the Policy

• Lastly, You must test this to communicate with the pod from tried and denied pods and make sure the policy is constructive or not. To run commands inside of pods, use the unelevated command.

kubectl exec <allowed-pod> -- curl <target-pod-ip>:8080

Output:

Use Cases Of Kubernetes Network Policies

• It is important to protect traffic in our groups of pods. By default, all pods can talk to each other freely.
• The Network Policy tool helps us control the traffic going in and out of pods.
• We can make sure that our frontend pods can only connect to the backend application, preventing an attacker from having direct access to the database or other pods if they breach the frontend.
• Firewalls, either software or hardware, are often used to control traffic in networks.

Best Practices for Kubernetes Network Policies

• Use Labels for Fine-Grained Control: Kubernetes network policies use labels to determine which pods they apply to. To regulate a collection of pods, identify them using consistent, relevant labels, and then apply policies based on these labels.
• Control External Access: You are able to apply restrictions in the access of pods externally with services that are outside a cluster. This is achieved through the definition of network policies that reduce egress to particular IP addresses, CIDRs, or domain names using an egress proxy or firewall.
• Network Traffic: Observe all policy rules and network traffic by using tools that support logging capabilities such as Cilium, network plugins, or Kubectl logs. See audit logs on a periodic basis for anomalies or security issues.
• Apply Policies Incrementally: Do not abruptly interrupt the network. Apply the network policies in stages. First, use policies that monitor - log the traffic instead of blocking it. In this way, one will be able to analyze tendencies in the traffic.

Conclusion

Kubernetes Network Policies are an essential tool for securing traffic within your cluster, giving you control over how Pods communicate with each other and external resources. By implementing well-designed network policies, you can safeguard your applications from unwanted traffic, prevent lateral movement in case of a breach, and ensure smoother traffic management. Start leveraging Network Policies to enhance security and optimize network performance in your Kubernetes deployments.