Difference between revisions of "K8s network policy"

https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces/

https://kubernetes.io/docs/concepts/services-networking/network-policies/

https://editor.networkpolicy.io/?id=u7ZyunLd9YSsf9Da

https://cloud.redhat.com/blog/guide-to-kubernetes-egress-network-policies

k8s core DNS example egress

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo
spec:
  podSelector:
    matchLabels:
      run: nginx
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 80
          endPort: 81
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP

Only k8s dns

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all-egress
spec:
  podSelector: {}
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          networking/namespace: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

Internet

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internet-egress
spec:
  podSelector:
    matchLabels:
      networking/allow-internet-egress: "true"
  egress:
  - {}
  policyTypes:
  - Egress