K8s network policy
Examples
Example of Wordpress with Egress Isolation
egress--dns.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
spec:
  # An empty podSelector selects every pod in the namespace. Because the policy
  # lists Egress in policyTypes, all of those pods become egress-isolated and can
  # only send what some egress policy explicitly allows, so this file doubles as
  # the default-deny for egress.
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        # namespaceSelector and podSelector in the same entry are ANDed: only
        # kube-dns pods in kube-system match, not any pod labelled k8s-app=kube-dns.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
egress--internet-http-https.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-internet-http-https
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            # Everything outside these ranges is reachable on 80/443. RFC 1918
            # private space is 172.16.0.0/12; a /20 excludes only
            # 172.16.0.0-172.16.15.255. Link-local 169.254.0.0/16 (cloud metadata
            # endpoints) and any pod or service CIDR outside these ranges are
            # not excluded either and must be listed here if they are to stay unreachable.
            except:
              - 10.0.0.0/8
              - 192.168.0.0/16
              - 172.16.0.0/20
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80
egress--wordpress-to-mariadb.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress--wordpress-to-mariadb
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: wordpress
  egress:
    - to:
        # An empty namespaceSelector matches every namespace, so any pod labelled
        # app.kubernetes.io/name=mariadb cluster-wide is reachable on 3306. Pin it
        # with kubernetes.io/metadata.name if the database lives in one namespace.
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              app.kubernetes.io/name: mariadb
      ports:
        - protocol: TCP
          port: 3306
egress--email-submission.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress--email-submission
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            # Must be CIDR notation; a single host is written with a /32 suffix.
            cidr: ${Your SMTP Submission IP Address}
      ports:
        - protocol: TCP
          port: 587
Apply
kubectl apply -f ../yaml/egress--dns.yaml -f ../yaml/egress--internet-http-https.yaml -f ../yaml/egress--wordpress-to-mariadb.yaml -f ../yaml/egress--email-submission.yaml
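The following is an added example, not part of this page: a small Python model of the three Wordpress egress rules above, evaluated offline against constructed sample destinations. It assumes simplified NetworkPolicy semantics (matchLabels, ipBlock with except, and numeric ports only) and shows which destinations each rule admits, including what a 172.16.0.0/20 except leaves reachable when RFC 1918 private space is 172.16.0.0/12.

```python
import ipaddress

# Constructed, simplified model of the three egress policies on this page, seen
# from a pod that all three select (a wordpress pod). Only matchLabels, ipBlock
# with except, and numeric ports are modelled; real NetworkPolicy semantics are richer.
RULES = [
    {   # egress--internet-http-https.yaml, with its except list as written
        "ipBlock": {"cidr": "0.0.0.0/0",
                    "except": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/20"]},
        "ports": {("TCP", 443), ("TCP", 80)}},
    {   # egress--dns.yaml: kube-dns pods in kube-system only (selectors are ANDed)
        "peer": {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}},
        "ports": {("TCP", 53), ("UDP", 53)}},
    {   # egress--wordpress-to-mariadb.yaml: mariadb pods in any namespace
        "peer": {"namespace": None, "labels": {"app.kubernetes.io/name": "mariadb"}},
        "ports": {("TCP", 3306)}},
]

def ip_block_matches(block, dst_ip):
    """True if dst_ip lies inside cidr and outside every except entry."""
    ip = ipaddress.ip_address(dst_ip)
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))

def peer_matches(peer, dst):
    """True if pod dst ({"namespace":..., "labels":...}) is selected by peer."""
    if peer["namespace"] is not None and dst["namespace"] != peer["namespace"]:
        return False
    return all(dst["labels"].get(k) == v for k, v in peer["labels"].items())

def egress_allowed(dst, proto, port, rules=RULES):
    """dst is {"ip": ...} for an external address or a pod dict as above."""
    for rule in rules:
        if (proto, port) not in rule["ports"]:
            continue
        if "ipBlock" in rule and "ip" in dst and ip_block_matches(rule["ipBlock"], dst["ip"]):
            return True
        if "peer" in rule and "namespace" in dst and peer_matches(rule["peer"], dst):
            return True
    return False

if __name__ == "__main__":
    # The /20 except covers only 172.16.0.0-172.16.15.255, so the rest of RFC 1918
    # 172.16.0.0/12 and link-local 169.254.0.0/16 remain reachable on 80/443.
    for ip in ("8.8.8.8", "10.1.2.3", "172.16.5.5", "172.16.20.5", "169.254.169.254"):
        print(f"{ip} tcp/443 -> {'ALLOW' if egress_allowed({'ip': ip}, 'TCP', 443) else 'DENY'}")
```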
Internet Only
Guide
Note
https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces/
https://kubernetes.io/docs/concepts/services-networking/network-policies/
https://editor.networkpolicy.io/?id=u7ZyunLd9YSsf9Da
https://cloud.redhat.com/blog/guide-to-kubernetes-egress-network-policies
k8s core DNS example egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo
spec:
  podSelector:
    matchLabels:
      run: nginx
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 192.168.0.0/16
      ports:
        # port together with endPort allows the whole numeric range 80-81.
        - protocol: TCP
          port: 80
          endPort: 81
    - to:
        # Empty namespaceSelector: matches k8s-app=kube-dns pods in any namespace,
        # not only kube-system. The kube-system pinned form above is tighter.
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
Only k8s dns
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all-egress
spec:
  podSelector: {}
  policyTypes:
    - Egress
    # - Ingress   # uncomment to isolate ingress too; nothing may then reach these pods until an ingress rule allows it
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
Internet
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internet-egress
spec:
  # Opt-in: only pods carrying this label get the rule below.
  podSelector:
    matchLabels:
      networking/allow-internet-egress: "true"
  egress:
    # An empty rule allows all egress (every destination and port, cluster-internal
    # included), not only the internet; for the labelled pods it overrides the
    # isolation established by the policies above.
    - {}
  policyTypes:
    - Egress