Avesh

Network Policy in Kubernetes: A Comprehensive Guide for DevOps

Introduction

Network Policies are Kubernetes resources that control pod-to-pod communication within a cluster. They act as a firewall, enabling fine-grained control over how pods communicate with each other and external endpoints.

Key Concepts

Pod Selection

Network policies use labels to select pods and define rules. Two key selectors:

  • podSelector: Defines which pods the policy applies to
  • namespaceSelector: Filters pods based on their namespace

Policy Types

  • Ingress: Controls incoming traffic
  • Egress: Controls outgoing traffic

Default Behavior

By default, pods accept traffic from any source and can send traffic anywhere. Once a Network Policy selects a pod, that pod becomes isolated for each direction listed in policyTypes, and only traffic explicitly allowed by some policy selecting it gets through. Policies are additive: allow rules from every policy that selects the pod are combined, and there is no way to write a rule that denies traffic another policy allows.

Common Network Policy Patterns

1. Deny All Traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: prod
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress
  - Egress                 # no ingress/egress rules follow, so both directions are denied

2. Allow Traffic from Specific Namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-dev
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:   # any pod in a namespace labelled environment=dev
        matchLabels:
          environment: dev

3. Allow Specific Port Access

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-access
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - protocol: TCP
      port: 8080
    from:
    - podSelector:         # podSelector alone: pods in this policy's own namespace
        matchLabels:
          role: frontend

4. Allow External Traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-traffic
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:            # carve-out inside the allowed range stays denied
        - 172.17.1.0/24

Best Practices

1. Isolation Strategy

  • Start with deny-all policies
  • Gradually add allow rules based on requirements
  • Use namespaces for logical grouping
  • Label pods consistently

2. Security Considerations

  • Implement least privilege access
  • Audit network policies regularly
  • Document policy intentions
  • Use network policy logs for troubleshooting

3. Performance Impact

  • Minimize complex selectors
  • Use efficient CIDR blocks
  • Monitor network policy performance regularly
  • Consider CNI plugin capabilities

Troubleshooting Guide

Common Issues

  1. Policy Not Applied

    • Verify CNI plugin supports Network Policies
    • Check label selectors match intended pods
    • Confirm policy is in correct namespace
  2. Unexpected Blocking

    • Review all policies affecting the pod
    • Check for conflicting rules
    • Verify namespace labels
    • Test with temporary allow-all policy

Debugging Commands

# List all network policies
kubectl get networkpolicy --all-namespaces

# Describe specific policy
kubectl describe networkpolicy <policy-name> -n <namespace>

# Check pod labels
kubectl get pods --show-labels

# Verify pod connectivity
kubectl exec -it <pod-name> -- wget -qO- http://<service-name>

Advanced Configurations

1. Combining Multiple Rules

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: complex-policy
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:   # two separate list items: a peer matching EITHER is allowed
        matchLabels:
          environment: prod
    - podSelector:         # (combining both under one "-" would mean AND instead)
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          environment: prod
    ports:
    - protocol: TCP
      port: 5432
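To make the semantics concrete, here is an added example (not code from the original post) that evaluates the page's policies offline: a small Python model of pod, namespace and ipBlock selectors, ports, policyTypes defaults, and the "isolated once selected, allow rules are additive" behaviour described under Default Behavior. It covers the four patterns above, the OR semantics of the two-item from list in complex-policy, and the troubleshooting case where a flow is blocked on one side only (the sender's egress or the receiver's ingress). Pod names, IPs and namespace labels are constructed, and policies that omit metadata.namespace on the page are assumed to live in prod.

```python
# Added example (not from the original post): a small evaluator of the
# NetworkPolicy semantics described above. Policies are dicts shaped like
# the page's YAML; pods and namespace labels are constructed sample data.
import ipaddress

# Constructed cluster state: namespace labels and pods (hypothetical names and IPs).
NAMESPACES = {"prod": {"environment": "prod"}, "dev": {"environment": "dev"}}
PODS = {
    "web-1":      {"ns": "prod", "labels": {"app": "web"},       "ip": "10.0.1.10"},
    "api-1":      {"ns": "prod", "labels": {"app": "api"},       "ip": "10.0.1.20"},
    "frontend-1": {"ns": "prod", "labels": {"role": "frontend"}, "ip": "10.0.1.30"},
    "db-1":       {"ns": "prod", "labels": {"app": "db"},        "ip": "10.0.1.40"},
    "tool-1":     {"ns": "dev",  "labels": {"app": "tool"},      "ip": "10.0.2.10"},
}

def np(name, ns, pod_selector, **spec):
    """Build a NetworkPolicy dict with the same shape as the page's YAML."""
    return {"metadata": {"name": name, "namespace": ns},
            "spec": {"podSelector": pod_selector, **spec}}

def SEL(**kv):
    return {"matchLabels": kv}

# The page's policies. Those without metadata.namespace are assumed to be in "prod".
POLICIES = [
    np("default-deny", "prod", {}, policyTypes=["Ingress", "Egress"]),
    np("allow-from-dev", "prod", SEL(app="web"), policyTypes=["Ingress"],
       ingress=[{"from": [{"namespaceSelector": SEL(environment="dev")}]}]),
    np("allow-api-access", "prod", SEL(app="api"), policyTypes=["Ingress"],
       ingress=[{"ports": [{"protocol": "TCP", "port": 8080}],
                 "from": [{"podSelector": SEL(role="frontend")}]}]),
    np("allow-external-traffic", "prod", SEL(app="web"), policyTypes=["Ingress"],
       ingress=[{"from": [{"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}}]}]),
    np("complex-policy", "prod", SEL(app="web"), policyTypes=["Ingress", "Egress"],
       ingress=[{"from": [{"namespaceSelector": SEL(environment="prod")},   # two list items:
                          {"podSelector": SEL(role="frontend")}],           # either one matches (OR)
                 "ports": [{"protocol": "TCP", "port": 80}]}],
       egress=[{"to": [{"namespaceSelector": SEL(environment="prod")}],
                "ports": [{"protocol": "TCP", "port": 5432}]}]),
]

def matches(selector, labels):
    """matchLabels-only label selector; {} or a missing selector selects everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def peer_matches(peer, other, policy_ns):
    """'other' is a pod dict, or an IP string for an endpoint outside the cluster."""
    if "ipBlock" in peer:
        ip = ipaddress.ip_address(other if isinstance(other, str) else other["ip"])
        blk = peer["ipBlock"]
        return (ip in ipaddress.ip_network(blk["cidr"])
                and not any(ip in ipaddress.ip_network(e) for e in blk.get("except", [])))
    if isinstance(other, str):
        return False                      # label selectors never match non-pod endpoints
    if "namespaceSelector" in peer:       # a podSelector in the same item narrows it (AND)
        return (matches(peer["namespaceSelector"], NAMESPACES[other["ns"]])
                and matches(peer.get("podSelector"), other["labels"]))
    # podSelector on its own only matches pods in the policy's own namespace
    return other["ns"] == policy_ns and matches(peer["podSelector"], other["labels"])

def port_matches(rule, port, proto):
    if "ports" not in rule:
        return True                       # no ports listed: any port and protocol
    return any(p.get("protocol", "TCP") == proto
               and ("port" not in p or p["port"] <= port <= p.get("endPort", p["port"]))
               for p in rule["ports"])

def direction_allowed(policies, pod, other, port, proto, direction):
    """One side of a flow: 'Ingress' (pod receives from other) or 'Egress' (pod sends to other)."""
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    isolated = False
    for pol in policies:
        spec, ns = pol["spec"], pol["metadata"]["namespace"]
        if ns != pod["ns"] or not matches(spec["podSelector"], pod["labels"]):
            continue                      # this policy does not select the pod
        # Default policyTypes: Ingress always; Egress only when an egress section exists.
        types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
        if direction not in types:
            continue
        isolated = True                   # selected for this direction: deny unless a rule allows
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peer_key)
            if ((not peers or any(peer_matches(p, other, ns) for p in peers))
                    and port_matches(rule, port, proto)):
                return True
    return not isolated                   # an unselected pod accepts and sends anything

def check(policies, src, dst, port, proto="TCP"):
    """Return (allowed, reason) for src -> dst:port; both sides must permit the flow."""
    s, d = PODS.get(src, src), PODS.get(dst, dst)
    if isinstance(s, dict) and not direction_allowed(policies, s, d, port, proto, "Egress"):
        return False, f"egress from {src} denied"
    if isinstance(d, dict) and not direction_allowed(policies, d, s, port, proto, "Ingress"):
        return False, f"ingress to {dst} denied"
    return True, "allowed"

if __name__ == "__main__":
    for src, dst, port in [("frontend-1", "api-1", 8080), ("tool-1", "web-1", 80),
                           ("172.17.2.5", "web-1", 80), ("172.17.1.9", "web-1", 80),
                           ("web-1", "db-1", 5432)]:
        print(f"{src} -> {dst}:{port}: {check(POLICIES, src, dst, port)}")
```

Two results are worth noting. frontend-1 cannot reach api-1:8080 even though allow-api-access permits it, because default-deny also isolates frontend-1 for egress and nothing allows that side; likewise web-1's egress to db-1:5432 passes but db-1's ingress is still denied. That is exactly the "Unexpected Blocking" case from the troubleshooting section: review every policy touching both pods, not only the one you just wrote.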

2. Allowing Multiple Ports

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: multi-port-policy
spec:
  podSelector:
    matchLabels:
      app: service
  policyTypes:
  - Ingress
  ingress:
  - ports:                 # no "from": these ports are open to any source
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
    - protocol: UDP
      port: 53

Monitoring and Compliance

Tools and Metrics

  • Network Policy Advisor
  • Calico Network Policy Logs
  • Prometheus metrics for policy evaluation
  • Regular compliance audits

Best Practices for Production

  1. Version control all network policies
  2. Implement change management process
  3. Regular security reviews
  4. Automated policy testing
  5. Documentation of policy intentions
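The "automated policy testing" and "regular security reviews" items above, and the isolation and least-privilege practices earlier on the page, can be partly mechanised. The following is an added example (not code from the original post) that audits a set of NetworkPolicy objects offline: it flags namespaces with no policies or no default-deny, rules that allow every peer, unbounded ipBlocks, rules with no port restriction, and policies whose podSelector matches no pod (the label mismatch from the troubleshooting section). The input shape is the items list of `kubectl get networkpolicy -A -o json`, but the policies, namespaces and pods below are constructed.

```python
# Added example (not from the original post): an offline audit of NetworkPolicy
# objects against the practices on this page. ITEMS mimics the "items" list of
# `kubectl get networkpolicy -A -o json`; all cluster data here is constructed.
import ipaddress

def matches(selector, labels):
    """matchLabels-only label selector; {} or a missing selector selects everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())

def policy_types(spec):
    """Effective policyTypes: Ingress always; Egress only when an egress section exists."""
    return set(spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else []))

def is_default_deny(spec):
    """Selects every pod, isolates both directions and carries no allow rules."""
    return (not (spec.get("podSelector") or {}) and policy_types(spec) == {"Ingress", "Egress"}
            and not spec.get("ingress") and not spec.get("egress"))

def audit(items, namespaces, pods):
    """Return sorted (severity, namespace, policy, finding) tuples; '*' = namespace-level."""
    findings, by_ns = [], {}
    for pol in items:
        by_ns.setdefault(pol["metadata"]["namespace"], []).append(pol)
    for ns in namespaces:
        if ns not in by_ns:
            findings.append(("high", ns, "*", "no network policies: every pod is open"))
        elif not any(is_default_deny(p["spec"]) for p in by_ns[ns]):
            findings.append(("medium", ns, "*", "no default-deny: unselected pods stay open"))
    for pol in items:
        ns, name, spec = pol["metadata"]["namespace"], pol["metadata"]["name"], pol["spec"]
        if not any(p["ns"] == ns and matches(spec.get("podSelector"), p["labels"]) for p in pods):
            findings.append(("medium", ns, name, "podSelector matches no pod: check labels"))
        for direction, peer_key in (("ingress", "from"), ("egress", "to")):
            for rule in spec.get(direction) or []:
                peers = rule.get(peer_key) or []
                if not peers or {} in peers:          # missing/empty from|to, or a "- {}" item
                    findings.append(("high", ns, name, f"{direction} rule allows every peer"))
                elif "ports" not in rule:
                    findings.append(("low", ns, name, f"{direction} rule has no ports: all ports"))
                for blk in (p["ipBlock"] for p in peers if "ipBlock" in p):
                    if ipaddress.ip_network(blk["cidr"]).prefixlen == 0 and not blk.get("except"):
                        findings.append(("high", ns, name, f"{direction} ipBlock {blk['cidr']} is unbounded"))
    return sorted(findings)

def np(name, ns, pod_selector, **spec):
    """Build a NetworkPolicy dict with the same shape as the page's YAML."""
    return {"metadata": {"name": name, "namespace": ns}, "spec": {"podSelector": pod_selector, **spec}}

# Constructed cluster: the page's prod policies plus some careless ones elsewhere.
ITEMS = [
    np("default-deny", "prod", {}, policyTypes=["Ingress", "Egress"]),
    np("allow-from-dev", "prod", {"matchLabels": {"app": "web"}}, policyTypes=["Ingress"],
       ingress=[{"from": [{"namespaceSelector": {"matchLabels": {"environment": "dev"}}}]}]),
    np("allow-everything", "dev", {}, policyTypes=["Ingress"], ingress=[{}]),
    np("allow-web", "dev", {"matchLabels": {"app": "wbe"}}, policyTypes=["Ingress"],   # label typo
       ingress=[{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
                 "ports": [{"port": 80}]}]),
    np("allow-internet", "staging", {"matchLabels": {"app": "worker"}}, policyTypes=["Egress"],
       egress=[{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}], "ports": [{"port": 443}]}]),
]
NAMESPACES = ["prod", "dev", "staging", "payments"]
PODS = [{"ns": "prod", "labels": {"app": "web"}}, {"ns": "dev", "labels": {"app": "web"}},
        {"ns": "dev", "labels": {"role": "frontend"}}, {"ns": "staging", "labels": {"app": "worker"}}]

if __name__ == "__main__":
    for severity, ns, name, msg in audit(ITEMS, NAMESPACES, PODS):
        print(f"[{severity:6}] {ns}/{name}: {msg}")
```

Running this in CI against exported policies (and a pod listing for the selector check) turns the "regular audit" item into a gate: a namespace with no default-deny or a rule with an unbounded ipBlock fails the pipeline rather than surfacing in a later review. The low-severity "no ports" finding is deliberately informational, since some allow rules legitimately cover every port.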

Conclusion

Network Policies are essential for securing Kubernetes clusters. Proper implementation requires understanding of pod networking, careful planning, and regular maintenance. Start with basic policies and gradually implement more complex rules based on security requirements.
