Network policies are used to control traffic flow at the IP address or port level.
Network policies are application-centric: they specify how a pod is allowed to communicate with various network entities.
The entities a pod can communicate with are identified through a combination of the following:
- Other pods that are allowed
- Namespaces that are allowed
- IP blocks
Prerequisites:
Network policies are implemented by the network plugin. To use network policies, the cluster must be running a networking solution that supports NetworkPolicy.
Types of Policies:
- Ingress
- Egress
Ingress:
By default, a pod is non-isolated for ingress, which means all inbound connections are allowed.
A pod is isolated for ingress if there is any NetworkPolicy that selects the pod and has "Ingress" in its policyTypes.
When a pod is isolated for ingress, the only connections allowed into the pod are those from the pod's node and those allowed by the ingress list of some NetworkPolicy that applies to the pod for ingress.
Egress:
By default, a pod is non-isolated for egress, which means all outbound connections are allowed.
A pod is isolated for egress if there is any NetworkPolicy that selects the pod and has "Egress" in its policyTypes.
When a pod is isolated for egress, the only connections allowed from the pod are those allowed by the egress list of some NetworkPolicy that applies to the pod for egress.
Network policies do not conflict; they are additive. If any policy or policies apply to a given pod in a given direction, the connections allowed in that direction from that pod are the union of what the applicable policies allow. Thus, the order of evaluation does not affect the policy result.
For a connection from a source pod to a destination pod to be allowed, both the egress policy on the source pod and the ingress policy on the destination pod need to allow the connection.
The NetworkPolicy Resource:
Mandatory fields: a NetworkPolicy needs apiVersion, kind, metadata and spec.
podSelector: selects the grouping of pods to which the policy applies. An empty podSelector selects all pods in the namespace.
policyTypes: the policyTypes list may include Ingress, Egress, or both. If no policyTypes are specified on a NetworkPolicy, then by default Ingress will always be set.
ingress: Each NetworkPolicy may include a list of allowed ingress rules. Each rule allows traffic that matches both the from and ports sections.
egress: Each NetworkPolicy may include a list of allowed egress rules. Each rule allows traffic that matches both the to and ports sections.
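A complete NetworkPolicy that exercises all three peer kinds (podSelector, namespaceSelector, ipBlock) and both directions, added here as an illustration rather than taken from the original notes; the namespace, pod labels, ports and addresses are constructed.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy   # constructed name
  namespace: shop        # constructed namespace
spec:
  # Selects pods labelled app=backend in "shop"; {} would select all pods.
  podSelector:
    matchLabels:
      app: backend
  # Both directions isolated: anything not listed below is denied.
  # (Omitting policyTypes defaults to Ingress, plus Egress only if egress rules exist.)
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # One rule: match BOTH from AND ports; separate items under from are OR-ed.
    - from:
        - podSelector:            # pods app=frontend in the same namespace
            matchLabels:
              app: frontend
        - namespaceSelector:      # any pod in namespaces labelled team=monitoring
            matchLabels:
              team: monitoring
        - ipBlock:                # a CIDR, minus a carved-out sub-range
            cidr: 10.0.0.0/16
            except:
              - 10.0.5.0/24
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # namespaceSelector+podSelector in ONE item are AND-ed: kube-dns pods in
    # kube-system only. Egress isolation silently breaks DNS without this.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    - to:                         # database pods in the same namespace
        - podSelector:
            matchLabels:
              app: db
      ports:
        - protocol: TCP
          port: 5432
```

Apply it with kubectl apply -f and confirm the rendered rules with kubectl describe networkpolicy backend-policy -n shop; if the network plugin does not support NetworkPolicy, the object is accepted but has no effect.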