Hello everyone, welcome back to my blog series CK 2024 and today, we are diving into an essential topic in Kubernetes: Network Policies. This is the 26th entry in our series, and I truly appreciate your support thus far. In this post, we'll explore what Network Policies are, how to implement them, and why they are critical for securing your Kubernetes clusters.
Why Network Policies?
Before we delve into the specifics of Network Policies, let's understand the network flow and why we need such policies. Imagine a three-tier web application with a web tier, application tier, and database tier. The web tier handles user requests over ports 80 (HTTP) and 443 (HTTPS). The application tier processes business logic, and the database tier runs a database server, such as MySQL, on port 3306.
In Kubernetes, by default, all pods can communicate with each other. This open communication can lead to security vulnerabilities. For instance, the front-end application should not directly access the database tier; only the back-end should have this privilege. To enforce these rules and restrict unnecessary access, we implement Network Policies.
Network Policies in Kubernetes
Network Policies in Kubernetes are rules that define how pods communicate with each other and other network endpoints. They provide a way to control traffic flow at the IP address or port level. These policies are crucial for securing your application by ensuring that only authorized pods can communicate with each other.
Implementing Network Policies
Let's consider a scenario where we have a Kubernetes cluster with three deployments: front-end, back-end, and database, each exposed through services. Here’s a step-by-step guide to implementing Network Policies:
- Set Up Your Cluster First, ensure your cluster is running with a CNI (Container Network Interface) plugin that supports Network Policies. For this example, we'll use Weave as our CNI plugin.
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
disableDefaultCNI: true
nodes:
- role: control-plane
- role: worker
- role: worker
Create the cluster with the following command:
kind create cluster --config kind-config.yaml
Install Weave CNI:
kubectl apply -f "https://cloud.weave.works/k8s/v1.8/net.yaml"
- Deploy Applications Deploy the front-end, back-end, and database applications along with their services.
apiVersion: v1
kind: Pod
metadata:
name: frontend
labels:
app: frontend
spec:
containers:
- name: frontend
image: nginx
---
apiVersion: v1
kind: Service
metadata:
name: frontend
spec:
ports:
- port: 80
selector:
app: frontend
---
apiVersion: v1
kind: Pod
metadata:
name: backend
labels:
app: backend
spec:
containers:
- name: backend
image: nginx
---
apiVersion: v1
kind: Service
metadata:
name: backend
spec:
ports:
- port: 80
selector:
app: backend
---
apiVersion: v1
kind: Pod
metadata:
name: database
labels:
app: database
spec:
containers:
- name: database
image: mysql
env:
- name: MYSQL_ROOT_PASSWORD
value: password
---
apiVersion: v1
kind: Service
metadata:
name: database
spec:
ports:
- port: 3306
selector:
app: database
Apply these manifests:
kubectl apply -f manifests.yaml
- Create Network Policies Now, let's create a Network Policy to restrict access so that only the back-end can communicate with the database.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend-to-database
spec:
podSelector:
matchLabels:
app: database
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: backend
Apply the Network Policy:
kubectl apply -f network-policy.yaml
Verifying Network Policies
To verify the Network Policies, you can exec into the front-end pod and attempt to connect to the database. This connection should be denied:
kubectl exec -it frontend -- /bin/bash
curl database:3306
Similarly, the back-end should be able to connect to the database:
kubectl exec -it backend -- /bin/bash
curl database:3306
Conclusion
In this blog post, we discussed the importance of network policies in Kubernetes and how they help secure your applications. We also provided a step-by-step guide to implementing them. Network Policies are vital for maintaining a secure and controlled communication flow within your Kubernetes clusters.
Stay tuned for our next topic on storage. Until next time, happy coding!
For further reference, check out the detailed YouTube video here:
Top comments (0)