
Network Policies

Each node, pod, and service has its own IP address. Whatever networking solution you implement, pods must be able to communicate with each other without any further settings such as routes.

By default, all pods sit on one flat network and can reach each other.

Network policies are like AWS Security Groups. You create a network policy, then link it to one or more pods.

Example: (only) allow ingress traffic to the DB pod from the API pods on port 3306.

Once the policy is created and selects the pod, it blocks all other traffic to that pod. Pods are linked to a policy with labels and selectors.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
spec:
  # Pods this policy applies to (the DB pods)
  podSelector:
    matchLabels:
      role: db
  # Only ingress is isolated; egress stays open
  policyTypes:
    - Ingress
  ingress:
    # Allow traffic only from pods labelled name=api-pods, only on TCP/3306
    - from:
        - podSelector:
            matchLabels:
              name: api-pods
      ports:
        - protocol: TCP
          port: 3306
```

Ingress means only ingress. If you also want Egress isolation, you need to add Egress to policyTypes and define egress rules as well.

Don't forget the namespaceSelector property in your network policies! A podSelector inside a from/to rule only matches pods in the policy's own namespace; to allow traffic from another namespace you must select that namespace explicitly.
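The following manifest, an added example that is not part of the original notes, extends db-policy so that both Ingress and Egress are isolated, as the two previous paragraphs describe. It assumes the API pods run in the same namespace as the DB pod, that a namespace labelled team=reporting exists (hypothetical name), and that cluster DNS is served by pods labelled k8s-app=kube-dns in kube-system (the default in kubeadm clusters).

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
  namespace: prod          # hypothetical namespace for this example
spec:
  podSelector:
    matchLabels:
      role: db
  # Both directions are now isolated: anything not listed below is dropped
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # API pods in this namespace (podSelector alone = same namespace)
        - podSelector:
            matchLabels:
              name: api-pods
        # Pods in the hypothetical team=reporting namespace; namespaceSelector
        # and podSelector in the SAME list item are ANDed together
        - namespaceSelector:
            matchLabels:
              team: reporting
          podSelector:
            matchLabels:
              name: report-runner
      ports:
        - protocol: TCP
          port: 3306
  egress:
    # With Egress isolated, even DNS is blocked unless allowed explicitly,
    # so permit only the cluster DNS pods on port 53
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Note the difference between one list item containing both namespaceSelector and podSelector (AND: that pod in that namespace) and two separate items (OR: any pod matching either selector). Getting this wrong is a common way to accidentally allow every pod in a namespace. Forgetting the DNS egress rule is the usual reason a freshly egress-isolated pod "cannot reach anything".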

NOT ALL NETWORKING SUPPORTS NETWORK POLICIES

Kube-router, Calico, Romana, Weave-net

Flannel does NOT support Network Policies. You will get no error message when using Flannel: the API server accepts the NetworkPolicy object, but nothing enforces it, so all traffic stays open. Always verify enforcement in the cluster rather than trusting that the object exists.