Avesh

Posted on DEV Community
Network Policy in Kubernetes: A Comprehensive Guide for DevOps

Introduction

Network Policies are Kubernetes resources that control pod-to-pod communication within a cluster. They act as a firewall, enabling fine-grained control over how pods communicate with each other and external endpoints.

Key Concepts

Pod Selection

Network policies use labels to select pods and define rules. Two key selectors:

  • podSelector: Selects the pods the policy applies to (and, inside from/to rules, the peer pods it allows)
  • namespaceSelector: Selects peer namespaces by their labels inside from/to rules

Policy Types

  • Ingress: Controls incoming traffic
  • Egress: Controls outgoing traffic

Default Behavior

By default, pods accept traffic from any source. Once a Network Policy selects a pod, that pod becomes isolated for each direction listed in policyTypes, and traffic in that direction is denied unless some policy selecting the pod explicitly allows it.

Common Network Policy Patterns

1. Deny All Traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: prod
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules listed: all inbound traffic denied
  - Egress                 # no egress rules listed: all outbound traffic denied, DNS included

2. Allow Traffic from Specific Namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-dev
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: web             # target: pods labelled app=web in prod
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:   # any pod in a namespace labelled environment=dev
        matchLabels:       # (the label must be set on the Namespace object itself)
          environment: dev

3. Allow Specific Port Access

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-access
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - protocol: TCP
      port: 8080           # only this port is opened; every other port stays denied
    from:
    - podSelector:         # podSelector alone: frontend pods in the policy's own namespace
        matchLabels:
          role: frontend

4. Allow External Traffic

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-traffic
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:             # CIDR-based rule, typically for traffic from outside the cluster
        cidr: 172.17.0.0/16
        except:            # carve-out: this subnet stays denied
        - 172.17.1.0/24

Best Practices

1. Isolation Strategy

  • Start with deny-all policies
  • Gradually add allow rules based on requirements
  • Use namespaces for logical grouping
  • Label pods consistently

2. Security Considerations

  • Implement least privilege access
  • Regular audit of network policies
  • Document policy intentions
  • Use network policy logs for troubleshooting

3. Performance Impact

  • Minimize complex selectors
  • Use efficient CIDR blocks
  • Regular monitoring of network policy performance
  • Consider CNI plugin capabilities

Troubleshooting Guide

Common Issues

  1. Policy Not Applied

    • Verify CNI plugin supports Network Policies
    • Check label selectors match intended pods
    • Confirm policy is in correct namespace
  2. Unexpected Blocking

    • Review all policies affecting the pod
    • Check for conflicting rules
    • Verify namespace labels
    • Test with temporary allow-all policy

Debugging Commands

# List all network policies
kubectl get networkpolicy --all-namespaces

# Describe specific policy
kubectl describe networkpolicy <policy-name> -n <namespace>

# Check pod labels
kubectl get pods --show-labels

# Verify pod connectivity (the pod image must ship wget or a similar client)
kubectl exec -it <pod-name> -- wget -qO- http://<service-name>

Advanced Configurations

1. Combining Multiple Rules

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: complex-policy
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:                  # two separate entries: traffic is allowed if EITHER matches
    - namespaceSelector:   # (a) any pod in a namespace labelled environment=prod
        matchLabels:
          environment: prod
    - podSelector:         # (b) role=frontend pods in the policy's own namespace
        matchLabels:       # (putting podSelector under the same entry as
          role: frontend   #  namespaceSelector would instead require both)
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          environment: prod
    ports:
    - protocol: TCP
      port: 5432           # database only; DNS egress (port 53) is not allowed by this policy
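The following Python evaluator is an added example, not code from the post: it models the ingress semantics described under Default Behavior and shown by complex-policy above (a pod stays open until some policy selects it; policyTypes decides which directions are isolated; separate `from` entries are OR-ed, selectors inside one entry are AND-ed; a bare podSelector only covers the policy's own namespace). It transcribes the post's complex-policy and default-deny as dicts, assumes complex-policy lives in namespace prod, and does not model ipBlock or protocol.

```python
# Added example, not code from the post: a small evaluator for NetworkPolicy
# ingress semantics (default allow until a policy selects the pod, policyTypes,
# OR between `from` entries, AND inside one entry). ipBlock and protocol are
# not modelled; namespace "prod" for the post's complex-policy is an assumption.
from typing import Dict, List, Optional
Labels = Dict[str, str]

def selector_matches(selector: Optional[dict], labels: Labels) -> bool:
    """matchLabels semantics: {} matches everything, None means 'not present'."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer: dict, policy_ns: str, src_ns: str, src_ns_labels: Labels,
                 src_labels: Labels) -> bool:
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None and pod_sel is not None:  # both keys in ONE entry: AND
        return selector_matches(ns_sel, src_ns_labels) and selector_matches(pod_sel, src_labels)
    if ns_sel is not None:  # any pod in a namespace carrying these labels
        return selector_matches(ns_sel, src_ns_labels)
    if pod_sel is not None:  # podSelector alone only covers the policy's own namespace
        return src_ns == policy_ns and selector_matches(pod_sel, src_labels)
    return False

def ingress_allowed(policies: List[dict], dst_ns: str, dst_labels: Labels, src_ns: str,
                    src_ns_labels: Labels, src_labels: Labels, port: int) -> bool:
    ns_of = lambda p: p["metadata"].get("namespace", "default")
    selecting = [p for p in policies if ns_of(p) == dst_ns
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True  # nothing selects the pod: it is not isolated, so default allow
    for p in selecting:  # allowed if ANY rule of ANY selecting policy admits it
        for rule in p["spec"].get("ingress", []):
            ports, peers = rule.get("ports"), rule.get("from")
            port_ok = ports is None or any(pp.get("port") == port for pp in ports)
            peer_ok = peers is None or any(
                peer_matches(x, ns_of(p), src_ns, src_ns_labels, src_labels) for x in peers)
            if port_ok and peer_ok:
                return True
    return False  # selected, but no rule matched: denied

# The post's complex-policy transcribed as a dict (namespace "prod" assumed).
COMPLEX = {"metadata": {"name": "complex-policy", "namespace": "prod"}, "spec": {
    "podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"environment": "prod"}}},
                          {"podSelector": {"matchLabels": {"role": "frontend"}}}],
                 "ports": [{"protocol": "TCP", "port": 80}]}]}}
DENY_ALL = {"metadata": {"name": "default-deny", "namespace": "prod"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
```

Running it shows the point the comments in complex-policy make: a role=frontend pod in a dev namespace is denied, while any pod in a prod-labelled namespace is allowed on port 80 because the two `from` entries are OR-ed.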

2. Using Multiple Port Ranges

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: multi-port-policy
spec:
  podSelector:
    matchLabels:
      app: service
  policyTypes:
  - Ingress
  ingress:
  - ports:                 # no `from`: these ports are open to any source, all others denied
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
    - protocol: UDP
      port: 53             # individual ports, not a range; a contiguous range would use endPort

Monitoring and Compliance

Tools and Metrics

  • Network Policy Advisor
  • Calico Network Policy Logs
  • Prometheus metrics for policy evaluation
  • Regular compliance audits

Best Practices for Production

  1. Version control all network policies
  2. Implement change management process
  3. Regular security reviews
  4. Automated policy testing
  5. Documentation of policy intentions

Conclusion

Network Policies are essential for securing Kubernetes clusters. Proper implementation requires understanding of pod networking, careful planning, and regular maintenance. Start with basic policies and gradually implement more complex rules based on security requirements.
