DEV Community

Salaudeen O. Abdulrasaq
Network Policy in Kubernetes

Securing communication between pods is critical to maintaining a secure deployment. In this post, I will demonstrate how a Kubernetes Network Policy can enforce fine-grained controls over which pods may talk to each other.

I will set up and enforce a network policy in a Minikube environment, so that a MySQL pod in one namespace can no longer be reached by a client pod in another namespace once the policy is applied.

Prerequisites

  • A working installation of Minikube
  • Basic knowledge of Kubernetes concepts and resources
  • 'kubectl' configured to interact with the Minikube cluster

Start Minikube

Set up the Kubernetes environment with Minikube:
minikube start

Create Namespaces and Deploy Pods

Create two namespaces: 'database', for the MySQL pod, and 'client', for the client pod that connects to the MySQL database.

Deploy a MySQL pod in the 'database' namespace:



kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: mysql
  namespace: database
  labels:
    app: mysql
spec:
  containers:
  - name: mysql
    image: mysql:5.7
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: password
EOF


Deploy a client pod in the 'client' namespace:



kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: client
  namespace: client
  labels:
    app: client
spec:
  containers:
  - name: client
    image: mysql:5.7
    command: ["sleep", "3600"]
EOF


Test Connectivity Before Applying the Network Policy

Verify that the client pod can connect to the MySQL pod. Open a shell in the client pod:
kubectl exec -it client -n client -- sh

Then connect to MySQL, replacing <pod ip address> with the IP address of the MySQL pod:
mysql -h <pod ip address> -u root -p


Implementing Kubernetes Network Policy

Now we can create a Kubernetes Network Policy that denies access from the 'client' namespace to the MySQL pod in the 'database' namespace.

I prefer using the Cilium Kubernetes Network Policy Generator. This tool provides a user-friendly UI that lets you read a policy at a glance and build one in a few clicks. It can produce both standard Kubernetes Network Policies and Cilium Network Policies.

Cilium offers a more robust and feature-rich alternative to Kubernetes' built-in network policies, enabling advanced security features such as deep packet inspection and layer 7 (application layer) policies.

Generate a Kubernetes Network Policy with the Cilium Policy Generator

(Screenshot of the UI policy generator not reproduced here.) Apply the generated policy:



kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-client-access
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: mysql
  policyTypes:
  - Ingress
  - Egress
  ingress: []
  egress: []
EOF





Test Connectivity After Applying Network Policy

Verify that the client pod can no longer connect to the MySQL pod:
kubectl exec -it client -n client -- sh
mysql -h <pod ip address> -u root -p
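To make the behaviour of the policy above concrete, here is a small evaluator of Kubernetes NetworkPolicy ingress semantics. It is an added example written for this post, not the post's own code and not a Kubernetes or Cilium library; it models only matchLabels selectors, TCP ports and ingress rules (no ipBlock, no matchExpressions, no egress evaluation). The deny-client-access policy is the one applied above, transcribed as a Python dict. The allow-trusted-clients policy and the db-access: trusted namespace label are hypothetical, added to show the two facts a practitioner most often trips over: a pod with no policy selecting it accepts all traffic, and policies are additive, so an allow rule in a second policy opens what a deny-all policy closed. Also note that a NetworkPolicy object is only enforced when the cluster's CNI plugin supports it; with Minikube's default bridge CNI the object is accepted but has no effect, so a policy-capable CNI (for example, starting Minikube with --cni=cilium) is an assumption of this walkthrough.

```python
"""Simplified evaluator for Kubernetes NetworkPolicy ingress semantics.

Added illustration for this post; it is not a Kubernetes or Cilium API.
Modelled: matchLabels selectors, policyTypes defaulting, TCP ports,
namespaceSelector / podSelector peers. Not modelled: ipBlock,
matchExpressions, egress evaluation, named ports.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict       # labels on the Pod object
    ns_labels: dict    # labels on the pod's Namespace object


def selector_matches(selector, labels):
    """matchLabels-only selector; an empty selector ({}) matches everything."""
    if selector is None:
        return False
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, src, policy_ns):
    """One entry of a rule's `from` list. namespaceSelector and podSelector
    in the same entry are ANDed; a podSelector alone only covers pods in the
    policy's own namespace."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled here
    if ns_sel is not None and not selector_matches(ns_sel, src.ns_labels):
        return False
    if ns_sel is None and src.namespace != policy_ns:
        return False
    if pod_sel is not None and not selector_matches(pod_sel, src.labels):
        return False
    return True


def rule_allows(rule, src, port, policy_ns):
    """An ingress rule with no `from` matches every source; no `ports` means
    every port. Both lists are ANDed when present."""
    froms = rule.get("from")
    if froms and not any(peer_matches(p, src, policy_ns) for p in froms):
        return False
    ports = rule.get("ports")
    if ports and not any(p.get("port") == port and p.get("protocol", "TCP") == "TCP"
                         for p in ports):
        return False
    return True


def policy_types(policy):
    """Kubernetes defaulting: Ingress always; Egress only if an egress key exists."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def ingress_allowed(policies, src, dst, port):
    """True if src may open a TCP connection to dst:port under these policies."""
    isolating = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and selector_matches(p["spec"]["podSelector"], dst.labels)
                 and "Ingress" in policy_types(p)]
    if not isolating:
        return True  # no policy selects the pod for ingress: default allow
    # Policies are additive: any matching rule in any selecting policy allows.
    return any(rule_allows(r, src, port, p["metadata"]["namespace"])
               for p in isolating for r in (p["spec"].get("ingress") or []))


# The policy applied in the post, as a dict.
DENY_CLIENT_ACCESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "deny-client-access", "namespace": "database"},
    "spec": {"podSelector": {"matchLabels": {"app": "mysql"}},
             "policyTypes": ["Ingress", "Egress"], "ingress": [], "egress": []},
}

# Hypothetical refinement (not from the post): admit only namespaces
# labelled db-access=trusted, and only on the MySQL port.
ALLOW_TRUSTED_CLIENTS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-trusted-clients", "namespace": "database"},
    "spec": {"podSelector": {"matchLabels": {"app": "mysql"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"namespaceSelector":
                                    {"matchLabels": {"db-access": "trusted"}}}],
                          "ports": [{"protocol": "TCP", "port": 3306}]}]},
}

# Constructed pods mirroring the post's setup (kubernetes.io/metadata.name is
# the label Kubernetes sets on every namespace automatically).
MYSQL = Pod("mysql", "database", {"app": "mysql"},
            {"kubernetes.io/metadata.name": "database"})
CLIENT = Pod("client", "client", {"app": "client"},
             {"kubernetes.io/metadata.name": "client"})
TRUSTED_CLIENT = Pod("client", "client", {"app": "client"},
                     {"kubernetes.io/metadata.name": "client", "db-access": "trusted"})


def walkthrough():
    """Each step of the post plus the hypothetical allow policy."""
    return {
        "before_policy": ingress_allowed([], CLIENT, MYSQL, 3306),
        "after_deny_all": ingress_allowed([DENY_CLIENT_ACCESS], CLIENT, MYSQL, 3306),
        "allow_rule_untrusted_ns": ingress_allowed([ALLOW_TRUSTED_CLIENTS], CLIENT, MYSQL, 3306),
        "allow_rule_trusted_ns": ingress_allowed([ALLOW_TRUSTED_CLIENTS], TRUSTED_CLIENT, MYSQL, 3306),
        "allow_rule_wrong_port": ingress_allowed([ALLOW_TRUSTED_CLIENTS], TRUSTED_CLIENT, MYSQL, 8080),
        "deny_plus_allow_is_additive": ingress_allowed(
            [DENY_CLIENT_ACCESS, ALLOW_TRUSTED_CLIENTS], TRUSTED_CLIENT, MYSQL, 3306),
    }


if __name__ == "__main__":
    for step, allowed in walkthrough().items():
        print(f"{step:30s} {'ALLOW' if allowed else 'DENY'}")
```

The last entry is the one to remember when reviewing a cluster: adding deny-client-access does not veto a later allow policy on the same pod, so auditing which pods a database accepts traffic from means reading the union of every policy that selects it, not just the one named "deny".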


By implementing Kubernetes Network Policies, we can effectively control communication between pods across namespaces and improve the security of the cluster. For more advanced and robust network policies, technologies such as Cilium can be used.


Top comments (1)

Allison Okikiola

This is really helpful, thanks Abdulrasaq
