kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: deny-by-default
spec:
podSelector:
ingress: []
As a cluster administrator, you can define network policies that restrict traffic to Pods in your cluster.
In a cluster using a Kubernetes Container Network Interface (CNI) plug-in that supports Kubernetes network policy, network isolation is controlled entirely by NetworkPolicy Custom Resource (CR) objects. In OpenShift Container Platform 4.3, OpenShift SDN supports using NetworkPolicy in its default network isolation mode.
The Kubernetes |
Network policy does not apply to the host network namespace. Pods with host networking enabled are unaffected by NetworkPolicy object rules. |
By default, all Pods in a project are accessible from other Pods and network endpoints. To isolate one or more Pods in a project, you can create NetworkPolicy objects in that project to indicate the allowed incoming connections. Project administrators can create and delete NetworkPolicy objects within their own project.
If a Pod is matched by selectors in one or more NetworkPolicy objects, then the Pod will accept only connections that are allowed by at least one of those NetworkPolicy objects. A Pod that is not selected by any NetworkPolicy objects is fully accessible.
The following example NetworkPolicy objects demonstrate supporting different scenarios:
Deny all traffic:
To make a project deny by default, add a NetworkPolicy object that matches all Pods but accepts no traffic:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: deny-by-default
spec:
podSelector:
ingress: []
Only allow connections from the OpenShift Container Platform ingress Controller:
To make a project allow only connections from the OpenShift Container Platform ingress Controller, add the following NetworkPolicy object:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-openshift-ingress
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
network.openshift.io/policy-group: ingress
podSelector: {}
policyTypes:
- ingress
If the ingress Controller is configured with endpointPublishingStrategy: HostNetwork
, then the ingress Controller Pod runs on the host network.
When running on the host network, the traffic from the ingress Controller is assigned the netid:0
Virtual Network ID (VNID).
The netid
for the namespace that is associated with the ingress Operator is different, so the matchLabel
in the allow-from-openshift-ingress
network policy does not match traffic from the default
ingress Controller.
Because the default
namespace is assigned the netid:0
VNID, you can allow traffic from the default
ingress Controller by labeling your default
namespace with network.openshift.io/policy-group: ingress
.
Only accept connections from Pods within a project:
To make Pods accept connections from other Pods in the same project, but reject all other connections from Pods in other projects, add the following NetworkPolicy object:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-same-namespace
spec:
podSelector:
ingress:
- from:
- podSelector: {}
Only allow HTTP and HTTPS traffic based on Pod labels:
To enable only HTTP and HTTPS access to the Pods with a specific label
(role=frontend
in following example), add a NetworkPolicy object similar to the following:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-http-and-https
spec:
podSelector:
matchLabels:
role: frontend
ingress:
- ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
Accept connections by using both namespace and Pod selectors:
To match network traffic by combining namespace and Pod selectors, you can use a NetworkPolicy object similar to the following:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-pod-and-namespace-both
spec:
podSelector:
matchLabels:
name: test-pods
ingress:
- from:
- namespaceSelector:
matchLabels:
project: project_name
podSelector:
matchLabels:
name: test-pods
NetworkPolicy objects are additive, which means you can combine multiple NetworkPolicy objects together to satisfy complex network requirements.
For example, for the NetworkPolicy objects defined in previous samples, you
can define both allow-same-namespace
and allow-http-and-https
policies
within the same project. Thus allowing the Pods with the label role=frontend
,
to accept any connection allowed by each policy. That is, connections on any
port from Pods in the same namespace, and connections on ports 80
and
443
from Pods in any namespace.