+++
title = 'Network policies'
+++

# Network policies

By default, pods allow all outbound (egress) and inbound (ingress) connections.
Network policies let you restrict that; they are defined in YAML files.
The network plugin used in the cluster must support them.

Policies always involve a pod at one or both ends and are _additive_ (union).
For a connection between two pods, you must allow egress from the source and ingress to the destination.

By default, a pod is non-isolated for ingress (all inbound allowed).

A pod is _isolated_ for ingress if there is a NetworkPolicy that selects the pod and has `Ingress` in its `policyTypes`.
Then the only allowed connections are:
- those that come from the pod's node
- those allowed by the ingress list of some NetworkPolicy that applies to the pod for ingress

`policyTypes` can be `["Ingress"]`, `["Egress"]`, `["Ingress", "Egress"]`, or unset.
This field indicates whether the policy applies to ingress, egress, or both.
If `policyTypes` is not specified, ingress is set by default, and egress is set only if the NetworkPolicy has any egress rules.

## Example: deny all

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-deny-all
spec:
  podSelector:
    matchLabels:
      app: web
  ingress: []
```

In this example:
- `policyTypes` is not set, so the default is ingress
- the set of ingress rules is empty, so no entry into the pods selected by `podSelector` is allowed

## Example: limit ingress to connections from certain pods

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: api-allow
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: bookstore
```

In this example:
- the application with labels `app=bookstore role=api` can only be accessed from pods with the label `app=bookstore`
- `policyTypes` is not specified, so the default is ingress

## Example: block traffic from other namespaces, allow from own

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: default
  name: deny-from-other-namespaces
spec:
  podSelector:
    matchLabels:
  ingress:
  - from:
    - podSelector: {}
```

In this example:
- the policy applies to the `default` namespace
- `matchLabels` is empty, so the policy applies to all pods in the `default` namespace
- ingress is allowed from any of the selected pods (all pods in the `default` namespace); all other sources are denied

## Example: block all egress traffic from a pod

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: foo-deny-egress
spec:
  podSelector:
    matchLabels:
      app: foo
  policyTypes:
  - Egress
  egress: []
```

With this policy in place, outbound connections from the `app=foo` pods fail with a "bad address" error, because name resolution is blocked too: the pods can no longer reach the cluster DNS.
To block all egress except DNS:

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: foo-deny-egress
spec:
  podSelector:
    matchLabels:
      app: foo
  policyTypes:
  - Egress
  egress:
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```
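To make the rules from the top of these notes concrete (isolation, union of policies, the `policyTypes` default, and the two-ended egress-plus-ingress check), and to show why the bare `egress: []` policy breaks DNS while the port-53 variant does not, here is an added Python evaluator. It is not part of these notes or of Kubernetes; it is a toy model of the documented semantics. The policies are constructed mirrors of the `web-deny-all`, `api-allow` and `foo-deny-egress` examples, the pods (`api`, `frontend`, `other`, `foo`, `coredns`) and their labels are assumptions, and it models only `podSelector` peers with `matchLabels`: `namespaceSelector`, `ipBlock` and the always-allowed traffic from the pod's own node are left out.

```python
"""Toy evaluator for Kubernetes NetworkPolicy semantics (added example, not k8s code)."""
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


def labels_match(match_labels, labels):
    # None or {} as matchLabels selects every pod in the policy's namespace.
    return all(labels.get(k) == v for k, v in (match_labels or {}).items())


def selects(policy, pod):
    """Does the policy's top-level podSelector select this pod?"""
    if policy["metadata"].get("namespace", "default") != pod.namespace:
        return False
    selector = policy["spec"].get("podSelector") or {}
    return labels_match(selector.get("matchLabels"), pod.labels)


def effective_policy_types(spec):
    """Kubernetes default: Ingress always; Egress only if egress rules exist (egress: [] does not count)."""
    if spec.get("policyTypes"):
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if spec.get("egress") else ["Ingress"]


def peer_matches(peer, policy, pod):
    """A from/to peer with a podSelector matches pods in the policy's own namespace."""
    if "podSelector" not in peer:
        return False  # namespaceSelector / ipBlock peers are not modelled here
    if policy["metadata"].get("namespace", "default") != pod.namespace:
        return False
    return labels_match(peer["podSelector"].get("matchLabels"), pod.labels)


def rule_allows(rule, policy, peer_pod, port, protocol, peer_key):
    """A rule allows the flow if its peer list (if any) and its port list (if any) both match."""
    peers, ports = rule.get(peer_key), rule.get("ports")
    peer_ok = peers is None or any(peer_matches(p, policy, peer_pod) for p in peers)
    port_ok = ports is None or any(
        p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)
    return peer_ok and port_ok


def direction_allowed(policies, subject, peer_pod, port, protocol, direction):
    """direction is 'Ingress' (subject is the destination) or 'Egress' (subject is the source)."""
    isolating = [p for p in policies
                 if selects(p, subject) and direction in effective_policy_types(p["spec"])]
    if not isolating:
        return True  # non-isolated pod: everything allowed by default
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    # Additive (union) semantics: one matching rule in any isolating policy is enough.
    return any(rule_allows(rule, p, peer_pod, port, protocol, peer_key)
               for p in isolating for rule in (p["spec"].get(rules_key) or []))


def connection_allowed(policies, src, dst, port, protocol="TCP"):
    """Both ends must agree: egress allowed at the source AND ingress allowed at the destination."""
    return (direction_allowed(policies, src, dst, port, protocol, "Egress")
            and direction_allowed(policies, dst, src, port, protocol, "Ingress"))


# Constructed policies mirroring the examples in these notes (all in namespace "default").
WEB_DENY_ALL = {"metadata": {"name": "web-deny-all"},
                "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "ingress": []}}
API_ALLOW = {"metadata": {"name": "api-allow"},
             "spec": {"podSelector": {"matchLabels": {"app": "bookstore", "role": "api"}},
                      "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "bookstore"}}}]}]}}
FOO_DENY_EGRESS = {"metadata": {"name": "foo-deny-egress"},
                   "spec": {"podSelector": {"matchLabels": {"app": "foo"}},
                            "policyTypes": ["Egress"], "egress": []}}
FOO_DNS_ONLY = {"metadata": {"name": "foo-deny-egress"},
                "spec": {"podSelector": {"matchLabels": {"app": "foo"}},
                         "policyTypes": ["Egress"],
                         "egress": [{"ports": [{"port": 53, "protocol": "UDP"},
                                               {"port": 53, "protocol": "TCP"}]}]}}

# Constructed pods (assumed names and labels).
WEB = Pod("web", "default", {"app": "web"})
API = Pod("api", "default", {"app": "bookstore", "role": "api"})
FRONTEND = Pod("frontend", "default", {"app": "bookstore", "role": "frontend"})
OTHER = Pod("other", "default", {"app": "other"})
FOO = Pod("foo", "default", {"app": "foo"})
DNS = Pod("coredns", "kube-system", {"k8s-app": "kube-dns"})

if __name__ == "__main__":
    cases = [(FRONTEND, API, 8080, "TCP"), (OTHER, API, 8080, "TCP"),
             (OTHER, WEB, 80, "TCP"), (FOO, DNS, 53, "UDP"), (FOO, API, 8080, "TCP")]
    for policy_set in ([WEB_DENY_ALL, API_ALLOW, FOO_DENY_EGRESS],
                       [WEB_DENY_ALL, API_ALLOW, FOO_DNS_ONLY]):
        print([p["metadata"]["name"] for p in policy_set])
        for src, dst, port, proto in cases:
            print(f"  {src.name} -> {dst.name}:{port}/{proto}: "
                  f"{connection_allowed(policy_set, src, dst, port, proto)}")
```

Running the script prints each flow twice, once under the bare `egress: []` policy (where `foo -> coredns:53/UDP` is denied, the cause of the "bad address" error) and once under the DNS-only policy (where it is allowed while `foo -> api:8080/TCP` stays blocked). The `effective_policy_types` helper also shows the defaulting rule: a spec with no `policyTypes` and an empty or absent `egress` list applies to ingress only.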