-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy path29-NETWORK Policy
82 lines (68 loc) · 2.01 KB
/
29-NETWORK Policy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
--------------------------------------------------------------------------
NETWORK Policy
by default any pod in cluster can communicate with any other pod in cluster on all ports but if we cant change the ports that a pod can accept or send traffic we create a netwrok policy and applied to a pod.
example network policy file to allow ingress traffic on port 3306 cat network-policy-3306.yaml -
apiVersion: networking.k8.io/v1
kind: NetworkPolicy
metadata:
name: db-policy
spec:
podSelector:
matchLabels:
role: db <this policy is applied to all pods that contains tags as role: db>
policyTypes:
- ingress
ingress:
- from:
- podSelector:
matchLabels:
name: api-pod
ports:
- portocol: TCP
port: 3306
kubectl create -f network-policy-3306.yaml
command to see the network policies: kubectl get netpol
command to see the pods with labels : kubectl get pods -l name=payroll
the above files says that allow ingress traffic on port 3306 to pod rold: db from pod name: api-pod
Create a network policy to allow traffic from the Internal application only to the payroll-service and db-service.
Policy Name: internal-policy
Policy Type: Egress
Egress Allow: payroll
Payroll Port: 8080
Egress Allow: mysql
MySQL Port: 3306
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: internal-policy
namespace: default
spec:
podSelector:
matchLabels:
name: internal
policyTypes:
- Egress
- Ingress
ingress:
- {}
egress:
- to:
- podSelector:
matchLabels:
name: mysql
ports:
- protocol: TCP
port: 3306
- to:
- podSelector:
matchLabels:
name: payroll
ports:
- protocol: TCP
port: 8080
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
Note: We have also allowed Egress traffic to TCP and UDP port. This has been added to ensure that the internal DNS resolution works from the internal pod. Remember: The kube-dns service is exposed on port 53