Difference between revisions of "K8s network policy"

From UVOO Tech Wiki
Jump to navigation Jump to search
Line 1: Line 1:
 +
# Examples
 +
 +
## Example of Wordpress with Egress Isolation
 +
 +
egress--dns.yaml
 +
```
 +
---
 +
apiVersion: networking.k8s.io/v1
 +
kind: NetworkPolicy
 +
metadata:
 +
  name: egress-dns
 +
spec:
 +
  podSelector: {}
 +
  policyTypes:
 +
    - Egress
 +
  egress:
 +
  - to:
 +
    - namespaceSelector:
 +
        matchLabels:
 +
          kubernetes.io/metadata.name: kube-system
 +
      podSelector:
 +
        matchLabels:
 +
          k8s-app: kube-dns
 +
    ports:
 +
    - protocol: TCP
 +
      port: 53
 +
    - protocol: UDP
 +
      port: 53
 +
```
 +
 +
egress--internet-http-https.yaml
 +
```
 +
---
 +
apiVersion: networking.k8s.io/v1
 +
kind: NetworkPolicy
 +
metadata:
 +
  name: egress-internet-http-https
 +
spec:
 +
  podSelector: {}
 +
  policyTypes:
 +
    - Egress
 +
  egress:
 +
    - to:
 +
        - ipBlock:
 +
            cidr: 0.0.0.0/0
 +
            except:
 +
              - 10.0.0.0/8
 +
              - 192.168.0.0/16
 +
              - 172.16.0.0/20
 +
      ports:
 +
        - protocol: TCP
 +
          port: 443
 +
        - protocol: TCP
 +
          port: 80
 +
 +
```
 +
 +
egress--wordpress-to-mariadb.yaml
 +
```
 +
apiVersion: networking.k8s.io/v1
 +
kind: NetworkPolicy
 +
metadata:
 +
  name: egress--wordpress-to-mariadb
 +
spec:
 +
  policyTypes:
 +
    - Egress
 +
  podSelector:
 +
    matchLabels:
 +
      app.kubernetes.io/name: wordpress
 +
  egress:
 +
    - to:
 +
      - namespaceSelector: {}
 +
        podSelector:
 +
          matchLabels:
 +
            app.kubernetes.io/name: mariadb
 +
      ports:
 +
        - protocol: TCP
 +
          port: 3306
 +
```
 +
 +
 
# Internet Only
 
# Internet Only
 
- https://stackoverflow.com/questions/57789969/kubernetes-networkpolicy-allow-external-traffic-to-internet-only
 
- https://stackoverflow.com/questions/57789969/kubernetes-networkpolicy-allow-external-traffic-to-internet-only

Revision as of 19:59, 8 July 2023

Examples

Example of Wordpress with Egress Isolation

egress--dns.yaml 

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

egress--internet-http-https.yaml 

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-internet-http-https
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 192.168.0.0/16
              - 172.16.0.0/20
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80

egress--wordpress-to-mariadb.yaml 

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress--wordpress-to-mariadb
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: wordpress
  egress:
    - to:
       - namespaceSelector: {}
         podSelector:
           matchLabels:
             app.kubernetes.io/name: mariadb
      ports:
        - protocol: TCP
          port: 3306

Internet Only

Guide

Mote

https://loft.sh/blog/kubernetes-network-policies-for-isolating-namespaces/

https://kubernetes.io/docs/concepts/services-networking/network-policies/

https://editor.networkpolicy.io/?id=u7ZyunLd9YSsf9Da

https://cloud.redhat.com/blog/guide-to-kubernetes-egress-network-policies

k8s core DNS example egress 

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: foo
spec:
  podSelector:
    matchLabels:
      run: nginx
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 192.168.0.0/16
      ports:
        - protocol: TCP
          port: 80
          endPort: 81
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP

Only k8s dns 

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all-egress
spec:
  podSelector: {}
  policyTypes:
    - Egress
    # - Ingress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

Internet 

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: internet-egress
spec:
  podSelector:
    matchLabels:
      networking/allow-internet-egress: "true"
  egress:
  - {}
  policyTypes:
  - Egress
Retrieved from "https://tech.uvoo.io/index.php?title=K8s_network_policy&oldid=4385"