# Managing inbound and outbound network traffic in your namespace with `NetworkPolicies`
In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster. They also make it possible to manage network traffic at a fine granularity, whether it is inbound towards resources deployed in a namespace or outbound from those resources.
The Kubernetes resource that defines these traffic management rules, or policies, is called `NetworkPolicy`.

You can list the existing `NetworkPolicies` in a namespace using the following command:
```console
$ oc get netpol
allow-from-openshift-ingress-to-acme-solvers   acme.cert-manager.io/http01-solver=true   55d
allow-from-openshift-monitoring                <none>                                    56d
allow-same-namespace                           <none>                                    56d
```
## Default network policies

A set of network policies is created by default when the namespace is created.

Warning: default `NetworkPolicies` should usually not be tampered with... unless you know what you're doing.

By default, the WoK platform does not allow traffic to flow between namespaces, nor from outside the cluster, unless the user explicitly allows it.

Important: to filter traffic coming from outside the cluster, users have to leverage the Route IP whitelisting feature, because, from the cluster's perspective, all incoming traffic from the outside arrives through the ingress pods. Network policies do not act at layer 7 of the OSI model, so they cannot see the clients' real IP addresses: they only see the ingress pods' addresses, which makes them unable to segregate that traffic by client.
### allow-same-namespace

This default policy allows traffic between pods within the same namespace.
```
Name:         allow-same-namespace
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      PodSelector: <none>
  Not affecting egress traffic
  Policy Types: Ingress
```
### allow-from-openshift-ingress-to-acme-solvers

This default policy allows for ACME challenge pods to be reached from outside of the WoK cluster. Without this, the ACME protocol would not be able to provision TLS certificates for your routes when using the cert-manager operator.
```
Name:         allow-from-openshift-ingress-to-acme-solvers
Spec:
  PodSelector:     acme.cert-manager.io/http01-solver=true
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: policy-group.network.openshift.io/ingress=
  Not affecting egress traffic
  Policy Types: Ingress
```
### allow-from-openshift-monitoring

This default policy allows for the cluster monitoring infrastructure to access your pods.
```
Name:         allow-from-openshift-monitoring
Namespace:    test-webkit
Created on:   2023-05-16 15:38:20 +0200 CEST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: network.openshift.io/policy-group=monitoring
  Not affecting egress traffic
  Policy Types: Ingress
```
## Creating a network policy

You can create `NetworkPolicies` using either the WebUI or the CLI. The WebUI form gives a clearer view of what you're doing, especially for beginners.

Using the CLI, you can create a policy like this (the example below allows ingress traffic from every namespace carrying the `myorganization` label):
```console
$ cat << EOF | oc create -f -
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-myorg-namespaces
spec:
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              myorganization: ""
  policyTypes:
    - Ingress
EOF
networkpolicy.networking.k8s.io/allow-from-myorg-namespaces created
```
## Policy examples

### Allow traffic from outside the cluster to your pods (via cluster ingresses)

This only concerns HTTP(S) traffic, on TCP ports 80 and 443, coming from outside the WoK platform, since that is what the cluster ingress pods forward. Note that the policy itself selects on the source namespace and not on ports: every pod in your namespace becomes reachable from the ingress pods, on any port, so only expose through a Route what actually needs to be reached.
```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-openshift-ingress
spec:
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # Matches the namespaces where the ingress pods reside
              policy-group.network.openshift.io/ingress: ''
  policyTypes:
    - Ingress
```
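To check what a set of policies actually permits before applying it, it helps to reason through the NetworkPolicy ingress semantics: a pod selected by no ingress policy accepts everything; once at least one policy selects it, only sources matched by a `from` entry of some selecting policy get through, and the allow rules of all such policies are ORed together. The following script is an added example, not part of the WoK documentation or of Kubernetes itself: it is an offline evaluator of those semantics, loaded with the three default policies, the `allow-from-myorg-namespaces` policy from the "Creating a network policy" section and the `allow-from-openshift-ingress` policy above, written as Python dicts with the same shape as their YAML. The namespace names (`openshift-monitoring`, `openshift-ingress`, `team-a`, `unrelated`) and the pod labels are constructed for the demonstration; only `matchLabels` selectors and `podSelector`/`namespaceSelector` peers are modelled, `matchExpressions` and `ipBlock` are deliberately left out.

```python
"""Offline evaluator for Kubernetes NetworkPolicy *ingress* semantics.

Added example (not the platform's code). Models only what the policies on this
page use: matchLabels selectors, podSelector / namespaceSelector peers and an
optional ports list. matchExpressions and ipBlock peers are not handled.
"""

# Constructed namespace -> labels map. The label keys are those the page's
# policies select on; the namespace names themselves are assumptions.
NAMESPACES = {
    "test-webkit": {},
    "openshift-monitoring": {"network.openshift.io/policy-group": "monitoring"},
    "openshift-ingress": {"policy-group.network.openshift.io/ingress": ""},
    "team-a": {"myorganization": ""},
    "unrelated": {},
}


def policy(name, pod_selector, peers, ports=None, namespace="test-webkit"):
    """Build a NetworkPolicy dict with a single ingress rule (same shape as the YAML)."""
    rule = {"from": peers}
    if ports is not None:
        rule["ports"] = ports
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress"], "ingress": [rule]}}


def ns_peer(key, value):
    """A 'from' entry selecting every pod of the namespaces carrying key=value."""
    return {"namespaceSelector": {"matchLabels": {key: value}}}


# The page's default policies plus the user-created allow-from-myorg-namespaces.
POLICIES = [
    policy("allow-same-namespace", {}, [{"podSelector": {}}]),
    policy("allow-from-openshift-monitoring", {},
           [ns_peer("network.openshift.io/policy-group", "monitoring")]),
    policy("allow-from-openshift-ingress-to-acme-solvers",
           {"matchLabels": {"acme.cert-manager.io/http01-solver": "true"}},
           [ns_peer("policy-group.network.openshift.io/ingress", "")]),
    policy("allow-from-myorg-namespaces", {}, [ns_peer("myorganization", "")]),
]
# The policy from the "Allow traffic from outside the cluster" example above.
ALLOW_FROM_OPENSHIFT_INGRESS = policy(
    "allow-from-openshift-ingress", {}, [ns_peer("policy-group.network.openshift.io/ingress", "")])


def selector_matches(selector, labels):
    """matchLabels semantics: {} matches everything, every listed label must be present and equal."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def applies_to_ingress(pol):
    types = pol["spec"].get("policyTypes")
    return True if types is None else "Ingress" in types  # absent policyTypes implies Ingress


def selecting_policies(policies, dst):
    """Policies in dst's namespace that select dst and govern ingress."""
    return [p for p in policies
            if p["metadata"]["namespace"] == dst["namespace"]
            and applies_to_ingress(p)
            and selector_matches(p["spec"].get("podSelector", {}), dst["labels"])]


def peer_matches(peer, src, dst_ns, namespaces):
    """One 'from' entry: podSelector alone means pods of dst's own namespace;
    combined with namespaceSelector the two conditions are ANDed."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # e.g. an ipBlock peer, which this model ignores
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces[src["namespace"]]):
            return False
    elif src["namespace"] != dst_ns:
        return False  # a podSelector-only peer never crosses namespaces
    return pod_sel is None or selector_matches(pod_sel, src["labels"])


def rule_allows(rule, src, dst_ns, namespaces, port, protocol):
    peers = rule.get("from")
    if peers and not any(peer_matches(p, src, dst_ns, namespaces) for p in peers):
        return False  # an empty or absent 'from' matches every source
    ports = rule.get("ports")
    if not ports:
        return True  # an empty or absent 'ports' allows every port
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def ingress_allowed(policies, namespaces, src, dst, port=80, protocol="TCP"):
    """True if src may connect to dst on port/protocol under the given policies."""
    selecting = selecting_policies(policies, dst)
    if not selecting:
        return True  # non-isolated pod: no policy selects it, everything is accepted
    return any(rule_allows(r, src, dst["namespace"], namespaces, port, protocol)
               for p in selecting for r in p["spec"].get("ingress", []))


def demo(policies=POLICIES):
    """Evaluate a few constructed sources against a web pod and an ACME solver pod."""
    web = {"namespace": "test-webkit", "labels": {"app": "web"}}
    solver = {"namespace": "test-webkit", "labels": {"acme.cert-manager.io/http01-solver": "true"}}
    src = lambda ns: {"namespace": ns, "labels": {}}
    cases = {
        "same namespace -> web": (src("test-webkit"), web),
        "monitoring -> web": (src("openshift-monitoring"), web),
        "ingress router -> web": (src("openshift-ingress"), web),
        "ingress router -> acme solver": (src("openshift-ingress"), solver),
        "team-a -> web": (src("team-a"), web),
        "unrelated -> web": (src("unrelated"), web),
    }
    return {name: ingress_allowed(policies, NAMESPACES, s, d) for name, (s, d) in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'ALLOW' if ok else 'DENY'}")
    print("after adding allow-from-openshift-ingress:",
          "ALLOW" if demo(POLICIES + [ALLOW_FROM_OPENSHIFT_INGRESS])["ingress router -> web"] else "DENY")
```

With only the default policies and `allow-from-myorg-namespaces` loaded, the router pods can reach the ACME solver but not the web pod, which is exactly why a Route to an ordinary pod does not work until `allow-from-openshift-ingress` is added; re-running `demo` with that policy appended flips that case to ALLOW. The `ports` handling in `rule_allows` also shows how to narrow such a policy to a single port when one pod should be the only thing exposed.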