azure kubernetes network policy to allow some external hosts only for a pod

Question

Let's say I've created a cluster with a manifest like:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
        use_db: "true"
        backend: "true"
    spec:
      nodeSelector:
        "beta.kubernetes.io/os": linux
      containers:
      - name: my-app
        image: <...>
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 250m
            memory: 256Mi
        ports:
        - containerPort: 80
        - containerPort: <...>
---
apiVersion: v1
kind: Service
metadata:
  name: my-app
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: my-app

I've activated the network plugin and network policies. It's working well. But I want to set up some network policies. I found many examples of how to manage traffic between pods, how to allow external traffic and traffic from all single seeds. But I can't understand how to be in my case. That's what I want:

• Deny traffic between all pods inside Kubernetes by default (I can do it).
• Allow external traffic to the pods labeled backend from some foreign subnet to port 80 (but not from internal seeds)
• Allow external traffic exchange with some database (I know it's DNS name and port) for pods with the label use_db

Please, can somebody give an example of the network policy YAML file for this case?

Answer 1

If you specify the spec.podSelector field as empty, the set of pods the network policy matches to all pods in the namespace, blocking all traffic between pods by default. In this case, you must explicitly create network policies whitelisting all communication between the pods.

You can enable a policy like this by applying the following manifest in your Kubernetes cluster (Source):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress

To allow external traffic to the pods labeled backend from some external subnet to port 80 (but not from internal pods) your NetworkPolicy might look like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.4.0.0/16
    ports:
    - protocol: TCP
      port: 80

A brief explanation about what is happening here is that we are allowing all connections going to pods with backend label, allowing all connections coming from 0.0.0.0/0 (you may change to a different range) and blocking connections from 10.4.0.0/16 (this is my internal network and you need to change to whatever you have). We are also allowing connections going to port 80 only.

To allow external traffic exchange with some database (I know it's dns name and port) for pods with the label use_db you just need to follow the same logic from the previous example.

Doing this way, your pods can communicate with any server outside your Kubernetes Cluster. We are not blocking egress, only ingress. You just need to point to your DB server inside your application as you do normally.

You can always refer to the documentation and have more details on this matter.