- podSelector: Determines which pods the NetworkPolicy applies to.
- policyTypes: Sets whether the policy governs incoming traffic (Ingress), outgoing traffic (Egress), or both.
- ingress: Rules for incoming traffic.
- egress: Rules for outgoing traffic.
- rules: Both ingress and egress rules are whitelist-based, meaning that any traffic that does not match at least one rule is blocked.
- ports: Specifies the protocols and ports that match the rule.
- from/to selectors: Specify the source(s) and destination(s) of network traffic that match the rule.
- Create NetworkPolicy
- Create Secure Pod
- Create a client pod to access the secure pod
Create NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-network-policy
spec:
  podSelector:
    matchLabels:
      app: secure-app
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              allow-access: "true"
      ports:
        - protocol: TCP
          port: 80
  egress:
    - to:
        - podSelector:
            matchLabels:
              allow-access: "true"
      ports:
        - protocol: TCP
          port: 80
Create Secure Pod
apiVersion: v1
kind: Pod
metadata:
  name: network-policy-secure-pod
  labels:
    app: secure-app
spec:
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
Create a client pod to access the secure pod
apiVersion: v1
kind: Pod
metadata:
  name: network-policy-client-pod
spec:
  containers:
    - name: busybox
      image: radial/busyboxplus:curl
      command: ["/bin/sh", "-c", "while true; do sleep 3600; done"]
Use this command to get the IP address of the Nginx pod (the IP column in the output):
kubectl get pod network-policy-secure-pod -o wide
Try to access the secure pod from the client pod, substituting the IP address returned by the previous command:
kubectl exec network-policy-client-pod -- curl <secure pod ip address>
For example:
kubectl exec network-policy-client-pod -- curl 10.42.1.10
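The following is an added example, not part of the original tutorial and not Kubernetes code: a small offline evaluator for the whitelist semantics described in the field list above, run against the my-network-policy manifest and the two pods created on this page (the manifest is embedded as a Python dict so no cluster or YAML library is needed). It covers only podSelector peers in the same namespace; namespaceSelector and ipBlock peers are outside its scope. The label sets for the client pod and the kube-dns peer are constructed for the walkthrough, and the "labeled client" case assumes the client pod is given the allow-access: "true" label, which the page does not do.

```python
"""Offline evaluator for Kubernetes NetworkPolicy pod-selector rules (added example)."""
from typing import Dict, List, Optional

Labels = Dict[str, str]


def selector_matches(selector: Optional[dict], labels: Labels) -> bool:
    """matchLabels semantics: every key/value in the selector must be present.
    An empty selector ({}) matches every pod; a missing selector matches none."""
    if selector is None:
        return False
    want = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def port_matches(ports: Optional[List[dict]], protocol: str, port: int) -> bool:
    """A rule without a 'ports' field matches every port and protocol."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def peer_matches(peers: Optional[List[dict]], labels: Labels) -> bool:
    """A rule without 'from'/'to' matches every peer; otherwise any peer entry may match.
    Only podSelector peers are evaluated here (same-namespace assumption)."""
    if not peers:
        return True
    return any(selector_matches(peer.get("podSelector"), labels) for peer in peers)


def is_allowed(policies: List[dict], direction: str, pod_labels: Labels,
               peer_labels: Labels, protocol: str, port: int) -> bool:
    """direction is 'ingress' (peer -> pod) or 'egress' (pod -> peer).
    A pod is isolated in a direction as soon as one policy selects it for that
    direction; from then on only traffic matching some rule is allowed."""
    kind = "Ingress" if direction == "ingress" else "Egress"
    peer_key = "from" if direction == "ingress" else "to"
    isolated = False
    for policy in policies:
        spec = policy["spec"]
        if not selector_matches(spec.get("podSelector", {}), pod_labels):
            continue
        # policyTypes defaults to Ingress, plus Egress when egress rules exist.
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if kind not in types:
            continue
        isolated = True
        for rule in spec.get(direction) or []:
            if peer_matches(rule.get(peer_key), peer_labels) and port_matches(rule.get("ports"), protocol, port):
                return True
    return not isolated


# The NetworkPolicy from this page, as a dict.
POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "my-network-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "secure-app"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"allow-access": "true"}}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"allow-access": "true"}}}],
                    "ports": [{"protocol": "TCP", "port": 80}]}],
    },
}

SECURE_POD = {"app": "secure-app"}          # labels of network-policy-secure-pod
CLIENT_POD: Labels = {}                      # network-policy-client-pod as created on this page: no labels
LABELED_CLIENT = {"allow-access": "true"}    # constructed: the client pod after adding the label
KUBE_DNS = {"k8s-app": "kube-dns"}           # constructed: a typical cluster DNS pod label


def walkthrough() -> Dict[str, bool]:
    """Evaluate the scenarios a practitioner would check before relying on the policy."""
    return {
        "unlabeled_client_http": is_allowed([POLICY], "ingress", SECURE_POD, CLIENT_POD, "TCP", 80),
        "labeled_client_http": is_allowed([POLICY], "ingress", SECURE_POD, LABELED_CLIENT, "TCP", 80),
        "labeled_client_https": is_allowed([POLICY], "ingress", SECURE_POD, LABELED_CLIENT, "TCP", 443),
        "secure_pod_dns_egress": is_allowed([POLICY], "egress", SECURE_POD, KUBE_DNS, "UDP", 53),
        "unselected_pod_ingress": is_allowed([POLICY], "ingress", CLIENT_POD, SECURE_POD, "TCP", 80),
    }


if __name__ == "__main__":
    for scenario, allowed in walkthrough().items():
        print(f"{scenario:>24}: {'ALLOW' if allowed else 'DENY'}")
```

Two of the results explain what the curl step above will show and what to check next: the client pod as created has no allow-access label, so the policy denies its request and curl hangs until it times out; labelling the client pod with allow-access: "true" is what makes the connection succeed, and only on TCP port 80. The secure_pod_dns_egress result is the caveat to keep in mind: because the policy lists Egress and its only egress rule allows TCP 80 to allow-access pods, everything else leaving the secure pod, including DNS lookups, is blocked. The unselected_pod_ingress result shows the flip side of the whitelist model: pods that no policy selects (here the client pod) remain fully open.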