🏷️ Define and enforce Network Policies

Network Policy Rules

Network Policy Rules: Ingress and Egress

Kubernetes Network Policies define communication rules using ingress (incoming) and egress (outgoing) specifications. The two directions are evaluated independently: for a connection from pod A to pod B to succeed, A's egress rules must allow B (if A is egress-isolated) and B's ingress rules must allow A (if B is ingress-isolated). Policies are connection-oriented, so the reply packets of an allowed connection are permitted without a separate rule in the opposite direction; what must be written out explicitly is every direction in which a connection is *initiated*. Note that the API server accepts NetworkPolicy objects regardless of whether anything enforces them; enforcement is the job of the CNI plugin (Calico, Cilium, Antrea and others support it, plain flannel does not), so verify with a test pod that a denied connection actually fails before relying on a policy.

Ingress Rules

Ingress rules control traffic to a pod. By default, all pods accept traffic from any source (the pod is "non-isolated" for ingress). As soon as any NetworkPolicy that lists Ingress in policyTypes selects a pod, that pod only accepts connections matched by at least one ingress rule of at least one policy selecting it; a selecting policy with no ingress rules is therefore a default deny. To restrict this:

  • Use spec.podSelector to choose the pods the policy applies to, by label. An empty selector ({}) selects every pod in the policy's namespace.

  • Define allowed sources as entries in the rule's from list. Entries are ORed; within a single entry, a namespaceSelector and a podSelector combined in the same element are ANDed (pods with those labels in namespaces with those labels). The peer types are:

    • podSelector: Allow traffic from pods with specific labels (e.g., role: frontend) in the policy's own namespace.

    • namespaceSelector: Allow traffic from pods in namespaces with specific labels (e.g., project: myapp); on its own it matches every pod in those namespaces.

    • ipBlock: Allow traffic from specific CIDR ranges (e.g., 192.168.0.0/16), optionally with except sub-ranges. This is meant for endpoints outside the cluster; traffic that passes through node or load-balancer NAT may arrive with a rewritten source address, so confirm what address your network plugin actually presents before building rules on it.
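The following manifest is an added example, not taken from the original page or from any Kubernetes project documentation. It puts the three peer types into one ingress policy for hypothetical pods labelled app: api in an assumed namespace called shop, and shows the OR-between-entries versus AND-within-an-entry distinction that is the most common source of overly permissive policies. All label names and the port are assumptions chosen for illustration.

```yaml
# Added example: ingress policy for app: api pods in namespace "shop"
# (namespace, labels and port are assumed for illustration).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api              # the policy applies to (and isolates) these pods
  policyTypes:
    - Ingress               # egress of these pods is left untouched
  ingress:
    - from:
        # Entry 1: pods labelled role: frontend in the SAME namespace (shop).
        - podSelector:
            matchLabels:
              role: frontend
        # Entry 2: ANY pod in ANY namespace labelled project: myapp.
        - namespaceSelector:
            matchLabels:
              project: myapp
        # Entry 3: both selectors in ONE entry means AND:
        # only pods labelled role: monitoring in namespaces labelled team: sre.
        # Written as two separate entries it would instead allow every pod in
        # team: sre namespaces plus every role: monitoring pod in "shop".
        - namespaceSelector:
            matchLabels:
              team: sre
          podSelector:
            matchLabels:
              role: monitoring
        # Entry 4: an external range with a carve-out.
        - ipBlock:
            cidr: 192.168.0.0/16
            except:
              - 192.168.10.0/24
      ports:                # restrict the rule to the service port as well
        - protocol: TCP
          port: 8080
```

Because this policy selects only app: api pods, the rest of the namespace stays non-isolated; pair it with a namespace-wide policy whose podSelector is {} and whose policyTypes is [Ingress] with no rules to make deny the default for everything else. After applying, check the result from a throwaway pod (for example `kubectl run -n shop test --rm -it --image=busybox -- wget -qO- --timeout=3 http://api:8080`) both from a pod that should be allowed and from one that should not.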

Egress Rules

Egress rules control traffic from a pod. By default, pods can open connections to any destination, inside or outside the cluster. Once a policy that lists Egress in policyTypes selects a pod, only destinations matched by an egress rule are reachable, including the cluster's DNS service. To secure outbound traffic:

  • Apply a default-deny egress policy to isolate pods: podSelector {} to cover the whole namespace, policyTypes [Egress], and no egress rules.

  • Then allow only the connections each workload needs, by adding policies whose to entries name:

    • Specific ipBlock ranges (e.g., 10.0.0.0/24), ideally narrowed further with a ports list.

    • Pods in certain namespaces via namespaceSelector.

    • Labeled pods using podSelector (pods in the policy's own namespace).

  • Remember DNS. A default-deny egress policy also blocks name resolution, so every isolated pod that resolves names needs an egress rule for port 53 over both UDP and TCP. Scope that rule to the cluster DNS pods (CoreDNS in kube-system) rather than allowing port 53 to any destination; an unscoped port 53 rule lets a compromised pod talk to arbitrary external resolvers, which is a well-known data exfiltration channel.
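The manifest below is an added example rather than code from the original page or from the Kubernetes project: a namespace-wide default-deny egress policy followed by an allow policy for the same hypothetical app: api pods in an assumed namespace shop. The DNS rule is scoped to CoreDNS using the kubernetes.io/metadata.name label that Kubernetes sets on every namespace and the k8s-app: kube-dns pod label used by the standard CoreDNS deployment; check the labels on your own DNS pods (`kubectl get pods -n kube-system --show-labels`) since distributions differ. The database, namespace and CIDR destinations are assumptions for illustration.

```yaml
# Added example: default-deny egress for namespace "shop" plus a scoped
# allow-list for app: api pods (names, labels, ports and CIDR are assumed).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: shop
spec:
  podSelector: {}           # every pod in the namespace
  policyTypes:
    - Egress                # no egress rules: nothing may be initiated outbound,
                            # which also blocks DNS until allowed below
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-egress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Egress
  egress:
    # DNS, but only to the CoreDNS pods in kube-system. Both selectors in one
    # entry are ANDed, so other pods in kube-system are not reachable.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumed CoreDNS label; verify on your cluster
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP           # large responses and DNS-over-TCP fallbacks
          port: 53
    # Database pods in the same namespace.
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    # Any pod in namespaces labelled project: myapp, HTTPS only.
    - to:
        - namespaceSelector:
            matchLabels:
              project: myapp
      ports:
        - protocol: TCP
          port: 443
    # An external range (e.g. an upstream service on the corporate network).
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 443
```

Roll this out by applying the allow policy first and the default-deny second; applying them in the other order causes an outage window for every pod in the namespace, and DNS failures in that window often surface as confusing application errors rather than obvious connection refusals. Inbound connections to app: api from elsewhere are unaffected by these two objects, because neither lists Ingress in policyTypes.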