Kubernetes CKS: What is Network Policy & Example Code

Upgrade & Secure Your Future with DevOps, SRE, DevSecOps, MLOps!

We spend hours scrolling social media and waste money on things we forget, but won’t spend 30 minutes a day earning certifications that can change our lives.
Master in DevOps, SRE, DevSecOps & MLOps by DevOpsSchool!

Learn from Guru Rajesh Kumar and double your salary in just one year.

If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster. NetworkPolicies are an application-centric construct which allow you to specify how a pod is allowed to communicate with various network “entities” (we use the word “entity” here to avoid overloading the more common terms such as “endpoints” and “services”, which have specific Kubernetes connotations) over the network. NetworkPolicies apply to a connection with a pod on one or both ends, and are not relevant to other connections.

The entities that a Pod can communicate with are identified through a combination of the following 3 identifiers:

Other pods that are allowed (exception: a pod cannot block access to itself)
Namespaces that are allowed
IP blocks (exception: traffic to and from the node where a Pod is running is always allowed, regardless of the IP address of the Pod or the node)

When defining a pod- or namespace- based NetworkPolicy, you use a selector to specify what traffic is allowed to and from the Pod(s) that match the selector.

Meanwhile, when IP based NetworkPolicies are created, we define policies based on IP blocks (CIDR ranges).

Sample Code – https://github.com/devopsschool-sample-programs/kubernetes-network-policy-recipes

Example Use Cases

Below is a brief list of common use cases for Network Policies. You can find more use case examples with sample manifests at the kubernetes-networkpolicy-tutorial on GitHub.

	# allows backend pods to have incoming traffic from frontend pods and to cassandra namespace
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: backend
	namespace: default
	spec:
	podSelector:
	matchLabels:
	run: backend
	policyTypes:
	- Ingress
	- Egress
	ingress:
	- from:
	- podSelector:
	matchLabels:
	run: frontend
	egress:
	- to:
	- namespaceSelector:
	matchLabels:
	ns: cassandra

view raw backend-db.yaml hosted with ❤ by GitHub

	# allows backend pods to have incoming traffic from frontend pods
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: backend
	namespace: default
	spec:
	podSelector:
	matchLabels:
	run: backend
	policyTypes:
	- Ingress
	ingress:
	- from:
	- podSelector:
	matchLabels:
	run: frontend

view raw backend.yaml hosted with ❤ by GitHub

	# deny all incoming and outgoing traffic from all pods in namespace cassandra
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: cassandra-deny
	namespace: cassandra
	spec:
	podSelector: {}
	policyTypes:
	- Ingress
	- Egress

view raw cassandra-deny.yaml hosted with ❤ by GitHub

	# allows cassandra pods having incoming connection from backend namespace
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: cassandra
	namespace: cassandra
	spec:
	podSelector:
	matchLabels:
	run: cassandra
	policyTypes:
	- Ingress
	ingress:
	- from:
	- namespaceSelector:
	matchLabels:
	ns: default

view raw cassandra.yaml hosted with ❤ by GitHub

	# deny all incoming and outgoing traffic from all pods in namespace default
	# but allow DNS traffic. This way you can do for example: kubectl exec frontend -- curl backend
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: deny
	namespace: default
	spec:
	podSelector: {}
	policyTypes:
	- Egress
	- Ingress
	egress:
	- ports:
	- port: 53
	protocol: TCP
	- port: 53
	protocol: UDP

view raw default-deny-allow-dns.yaml hosted with ❤ by GitHub

	# deny all incoming and outgoing traffic from all pods in namespace default
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: deny
	namespace: default
	spec:
	podSelector: {}
	policyTypes:
	- Egress
	- Ingress

view raw default-deny.yaml hosted with ❤ by GitHub

	allows frontend pods to communicate with backend pods
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: frontend
	namespace: default
	spec:
	podSelector:
	matchLabels:
	run: frontend
	policyTypes:
	- Egress
	egress:
	- to:
	- podSelector:
	matchLabels:
	run: backend

view raw frontend-db.yaml hosted with ❤ by GitHub

	# allows frontend pods to communicate with backend pods
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: frontend
	namespace: default
	spec:
	podSelector:
	matchLabels:
	run: frontend
	policyTypes:
	- Egress
	egress:
	- to:
	- podSelector:
	matchLabels:
	run: backend

view raw frontend.yaml hosted with ❤ by GitHub

	# all outgoing traffic if:
	# (destination namespace label=id=ns1 AND port=80) OR (destination pod label=id=backend in default namespace)
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: example
	namespace: default
	spec:
	podSelector:
	matchLabels:
	id: frontend
	policyTypes:
	- Egress
	egress:
	- to:
	- namespaceSelector:
	matchLabels:
	id: ns1
	ports:
	- protocol: TCP
	port: 80

	- to:
	- podSelector:
	matchLabels:
	id: backend

	---

	# the following two NPs combined/merged are the same as the top one
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: example2a
	namespace: default
	spec:
	podSelector:
	matchLabels:
	id: frontend
	policyTypes:
	- Egress
	egress:
	- to:
	- namespaceSelector:
	matchLabels:
	id: ns1
	ports:
	- protocol: TCP
	port: 80
	---
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: example2b
	namespace: default
	spec:
	podSelector:
	matchLabels:
	id: frontend
	policyTypes:
	- Egress
	egress:
	- to:
	- podSelector:
	matchLabels:
	id: backend

view raw merged.yaml hosted with ❤ by GitHub

Rajesh Kumar

I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I am working at Cotocus. I blog tech insights at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at I reviewed , and SEO strategies at Wizbrand.

Do you want to learn Quantum Computing?

Please find my social handles as below;

Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at PINTEREST
Rajesh Kumar at QUORA
Rajesh Kumar at WIZBRAND

Certification Courses

DevOpsSchool has introduced a series of professional certification courses designed to enhance your skills and expertise in cutting-edge technologies and methodologies. Whether you are aiming to excel in development, security, or operations, these certifications provide a comprehensive learning experience. Explore the following programs: