Hands On Network Policies In Kubernetes

Aditya N
3 min read · Feb 5, 2022

In this article we will see how to implement Network Policies (NP) using Calico, an open-source project.

What is network policy?

A network policy is the way we control which network traffic may flow between pods, including pods in other namespaces, or from a set of external IPs given as a CIDR range. We set this up by enabling a network plugin; once it is enabled, annotations are added to the pod's description. Until a network policy is defined, no traffic is blocked at all.

Ingress VS Egress

Ingress is the traffic which comes into the pod.

Egress is the traffic which goes out of the pod.

Once all the steps above are completed, we will start implementing the network policy YAML files.

In the file below we block all incoming traffic from all pods; even external traffic is blocked completely. This is considered a default deny for all ingress traffic.

Note: in this article we cover ingress traffic only.

To override the above-mentioned network policy we write one more network policy, i.e. traffic can only be allowed when we have an additional network policy that overrides the one already present.

It should be noted that traffic can be allowed in several ways:

  1. Pod-to-pod communication in the same namespace
  2. Communication between all the pods in the same namespace
  3. Communication between the pods of one namespace and pods in another namespace

In the above-mentioned file we follow the 2nd method: communication between all the pods in the same namespace.

We use namespaceSelector to allow all the pods to communicate; we could also achieve this with podSelector if we need only single pod-to-pod communication. So we have used {} to allow all pods to communicate.

As we specified port 8080, only the container running on that port can be accessed; other ports will not be allowed.

Now we need to add a label at the namespace level for our network policy to work, so that the pods can communicate, as shown below.

With the added label, traffic can now flow between all the pods in namespace1.

But what if we also need to communicate with the pods in another namespace? 🤔 Don't worry, I have got you covered!!

Now we need to add one more label in the NetworkPolicy file, add the same tag under the namespace configuration file of namespace1, and update.

Always run namespace.yaml followed by networkPolicy.yaml

So we cannot keep our pods isolated just to the cluster, as there will be external traffic that should be allowed; it may be health check IPs, uptime checks, etc.

This can be done by allowing CIDR blocks of addresses in the ingress block.
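The pieces described above put together in one manifest, as an added example and not the author's own gist: the namespace carries the label the selector matches on, a default-deny policy blocks all ingress, and a second policy opens port 8080 to pods from labelled namespaces and to one CIDR block. The namespace names, the `env` label and the CIDR range are assumptions chosen for this example.

```yaml
# Added example, not the original gist. Apply the Namespace first
# (as the article says: namespace.yaml, then networkPolicy.yaml).
apiVersion: v1
kind: Namespace
metadata:
  name: namespace1            # assumed namespace name
  labels:
    env: namespace1           # label the namespaceSelector below matches
---
# Default deny: selects every pod in the namespace; with no ingress
# rules listed, nothing is allowed in, external traffic included.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: namespace1
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Allow policy: evaluated together with the deny policy above, so any
# traffic matching one of the 'from' entries on port 8080 gets through.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-8080
  namespace: namespace1
spec:
  podSelector: {}             # {} = every pod in namespace1 is a target
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:  # all pods in the same namespace (method 2)
            matchLabels:
              env: namespace1
        - namespaceSelector:  # pods in another namespace (method 3);
            matchLabels:      # that namespace must carry the same label
              env: namespace2
        - ipBlock:            # external health-check / uptime-check source
            cidr: 203.0.113.0/24   # placeholder range, replace with yours
      ports:
        - protocol: TCP
          port: 8080          # only this port is reachable; others stay denied
```

Each `from` entry is matched independently, so a source only needs to satisfy one of them; everything else remains blocked by the default-deny policy.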

These are some of the instances in which I have illustrated how we can use NetworkPolicies; there is a wide range of further activities we can try out in this space.
For more info refer to Link1 and Link2.

Even without these, any application we set up will work seamlessly, but implementing them adds an extra layer of security.

Thank you
