Post

Kubernetes - Network Policies

Lab assignment for creating a network policies using kubectl

Posted Updated
Preview Image
By Sakharam Shinde
2 min read
Kubernetes - Network Policies

Prerequisites

  • Kubernetes
  • kubectl

Assignment

  • Explore how Network Policies can help isolate pods and control their communication within a Kubernetes cluster.

  • Create an nginx pod:

1

kubectl run nginx --image=nginx
  • Expose the nginx pod as a service with a ClusterIP
1

kubectl expose pod/nginx --port=80
  • Test the accessibility of the nginx service.
  • Run a temporary curl pod and use it to send a request to the nginx service.
1

kubectl run --rm -i --tty curl --image=curlimages/curl:8.4.0 --restart=Never -- sh
  • Once in the curl pod, use curl to request the nginx page. Notice that there are no restrictions, and the nginx service responds:
1

curl nginx.default.svc.cluster.local

1

exit
  • Implement a Network Policy to restrict access to the nginx pod.
  • Create a policy that allows access to the nginx pod only from pods with specific labels.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

cat <<EOF > networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx-access
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: nginx
  policyTypes:
    - Ingress
  ingress:
    - from:
      - podSelector:
          matchLabels:
            run: curl
EOF
```sh

```sh
kubectl apply -f networkpolicy.yaml
  • Test the network policy.
  • Start another curl pod which we’ll be using to accessing the nginx service again.
  • Since this pod has the label ‘run:curl’, it should be allowed by the network policy.
1

kubectl run --rm -i --tty curl --image=curlimages/curl --restart=Never -- sh
  • Describe the pod to confirm the label assigned to the pod in a new tab:
1

kubectl describe pod/curl | more
  • In the curl pod, use curl to test access. The request should succeed, demonstrating the network policy’s effect:
1

curl nginx.default.svc.cluster.local

1

exit
  • Test with a pod that doesn’t match the network policy criteria.
  • Create a new curl pod with a different name, which results in a different label.
  • This pod should not be able to access the nginx service.
1

kubectl run --rm -i --tty curl2 --image=curlimages/curl --restart=Never -- sh
  • Inside the curl2 pod, again, attempt to access the nginx service using curl.
  • The request should be blocked by the network policy, illustrating how Network Policies can be used to control access in a Kubernetes cluster:
1

curl nginx.default.svc.cluster.local

1

exit
  • CleanUp
1

kubectl delete pod nginx; kubectl delete service nginx; kubectl delete networkpolicy allow-nginx-access; rm -rf networkpolicy.yaml
devops, orchestration, kubernetes, hands-on
Hands-On
This post is licensed under CC BY 4.0 by the author.