Kubernetes Network Policy Recipes
This repository contains various use cases of Kubernetes Network Policies and sample YAML files to leverage in your setup. If you have ever wondered how to drop or restrict traffic to applications running on Kubernetes, read on.
The easiest way to try out Network Policies is to create a new Google Kubernetes Engine cluster. Applying Network Policies to an existing cluster can disrupt its networking. At the time of writing, most cloud providers do not provide built-in network policy support. Keep in mind that the NetworkPolicy API object is accepted by every cluster: if the cluster's network plugin does not enforce policies, your manifests will apply without error and all traffic will keep flowing, so always verify a policy by testing from a pod that should be blocked.
If you are not familiar with Network Policies at all, I recommend reading my Securing Kubernetes Cluster Networking article first.
Before you begin
I really recommend watching my KubeCon talk on Network Policies if you want to get a good understanding of this feature. It will help you understand this repo better.
- DENY all traffic to an application
- LIMIT traffic to an application
- ALLOW all traffic to an application
- DENY all non-whitelisted traffic in the current namespace
- DENY all traffic from other namespaces (a.k.a. LIMIT access to the current namespace)
- ALLOW traffic to an application from all namespaces
- ALLOW all traffic from a namespace
- ALLOW traffic from some pods in another namespace
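The two building blocks most of the recipes above combine are a default-deny policy for a namespace and a narrower allow policy for one application. The manifest below is an added illustration, not one of this repository's recipe files; it assumes a namespace named `shop`, an application labelled `app=api` listening on TCP 8080, and a client labelled `app=web` in the same namespace.

```yaml
# Added example, not a recipe from this repository.
# Assumed names: namespace "shop", server pods app=api on TCP 8080,
# client pods app=web in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}        # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress              # no ingress rules are listed, so no inbound traffic is allowed
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-web
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api           # only pods carrying this label are affected
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:       # same-namespace pods labelled app=web
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 8080         # nothing else on the api pods is reachable
```

Network Policies are additive: once a pod is selected by any policy it is isolated, and the traffic allowed is the union of all policies that select it. Apply both objects with `kubectl apply -f`, then check from a pod that is not labelled `app=web` (for example a throwaway `kubectl run` pod in the `shop` namespace) that the connection to the api pods on port 8080 times out, and from an `app=web` pod that it succeeds; if the unlabelled pod still gets through, the cluster's network plugin is not enforcing policies.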
Serving External Traffic
- ALLOW traffic only to certain port numbers of an application
- ALLOW traffic from apps using multiple selectors
Controlling Outbound (Egress) Traffic
🔥 🆕 🔥
- DENY egress traffic from an application
- DENY all non-whitelisted egress traffic in a namespace
- 🔜 LIMIT egress traffic from an application to some pods (coming soon)
- 🔜 ALLOW traffic only to Pods in a namespace (coming soon)
- LIMIT egress traffic to the cluster (DENY external egress traffic)
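The egress recipes above restrict what a pod may connect to rather than what may connect to it. The manifest below is an added illustration, not one of this repository's recipe files; it confines every pod in an assumed namespace `shop` to cluster-internal destinations while keeping DNS working. It assumes the cluster DNS pods run in `kube-system` with the label `k8s-app=kube-dns`, which is the common convention but should be checked with `kubectl get pods -n kube-system --show-labels`.

```yaml
# Added example, not a recipe from this repository.
# Assumed names: namespace "shop"; cluster DNS pods in kube-system
# labelled k8s-app=kube-dns (verify this label on your cluster).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress-to-cluster
  namespace: shop
spec:
  podSelector: {}        # every pod in the namespace
  policyTypes:
  - Egress               # only egress is affected; ingress is left untouched
  egress:
  # Rule 1: name resolution. Without this, a default-deny egress policy
  # breaks DNS lookups and most applications fail before they ever reach a
  # blocked destination. namespaceSelector and podSelector in the same
  # element are ANDed: DNS pods in kube-system only.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Rule 2: any pod in any namespace. Because there is no ipBlock rule,
  # addresses outside the cluster's pod network are denied.
  - to:
    - namespaceSelector: {}
```

The `kubernetes.io/metadata.name` label is set automatically on every namespace by recent Kubernetes releases; on older clusters, label `kube-system` yourself or select it by another label. Two caveats: the Kubernetes API server is usually not a pod, so pods that need it (controllers, operators) require an additional `ipBlock` rule for the control-plane address, and external endpoints reached through a Service without pod backends are likewise denied by this policy. Verify by running `wget` or `curl` from a pod in `shop` against another pod's Service name (should succeed) and against an external address (should time out).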
Created by Ahmet Alp Balkan (@ahmetb).
Copyright 2017, Google Inc. Distributed under Apache License Version 2.0, see LICENSE for details.
Disclaimer: This is not an official Google product.