# Network policy recipes

<https://github.com/ahmetb/kubernetes-network-policy-recipes>

[You can get stuff like this with Network Policies...](https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/img/1.gif)

## [Kubernetes Network Policy Recipes](https://github.com/ahmetb/kubernetes-network-policy-recipes#kubernetes-network-policy-recipes)

This repository contains various use cases of Kubernetes [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) and sample YAML files to leverage in your setup. If you ever wondered how to drop/restrict traffic to applications running on Kubernetes, read on.

The easiest way to try out Network Policies is to create a new [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine) cluster. Applying Network Policies to an existing cluster can disrupt its networking. At the time of writing, most cloud providers do not provide built-in network policy support.

If you are not familiar with Network Policies at all, I recommend reading my [Securing Kubernetes Cluster Networking](https://ahmet.im/blog/kubernetes-network-policy/) article first.

### [NetworkPolicy Crash Course](https://github.com/ahmetb/kubernetes-network-policy-recipes#networkpolicy-crash-course)

NetworkPolicies operate at layer 3 or 4 of the OSI model (IP and port level). They are used to control the traffic into (ingress) and out of (egress) pods.

Here are some NetworkPolicy gotchas:

* An empty selector matches everything. For example, `spec.podSelector: {}` applies the policy to all pods in the current namespace.
* Selectors can only select pods in the same namespace as the NetworkPolicy. For example, a `podSelector` in an ingress rule can only select pods in the namespace the NetworkPolicy is deployed to.
* If no NetworkPolicy targets a pod, all traffic to and from the pod is allowed. In other words, all traffic is allowed until a policy is applied.
* There are no deny rules in NetworkPolicies. NetworkPolicies are deny by default, allow explicitly. It's the same as saying "If you're not on the list, you can't get in."
* If a NetworkPolicy matches a pod but has an empty rule list, all traffic to the pod is blocked. The "deny all traffic" policy is an example of this:

  ```yaml
  spec:
    podSelector:
      matchLabels:
        ...
    ingress: []
  ```

* Rules are combined. NetworkPolicies are additive: if multiple NetworkPolicies select a pod, the union of their rules is evaluated and applied to that pod.
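A small Python model of the ingress semantics listed above, added here as an example (it is not code from the recipes repo); the pods, namespace labels and policies it uses are constructed sample data, and `ingress_allowed` is a hypothetical helper, not a Kubernetes API:

```python
# Added example (not from the recipes repo): a small model of the ingress
# semantics listed above, so each gotcha can be checked offline. All pods,
# namespace labels and policies here are constructed sample data.

def matches(selector, labels):
    # Label-selector semantics: an empty selector {} matches every label set.
    return all(labels.get(k) == v for k, v in selector.items())

def selecting_policies(pod, policies):
    # A policy can only select pods in its own namespace.
    return [p for p in policies
            if p["namespace"] == pod["namespace"]
            and matches(p["podSelector"], pod["labels"])]

def peer_allows(peer, policy_ns, src, ns_labels):
    # One entry of a rule's 'from' list. A podSelector on its own is scoped to
    # the policy's namespace; a namespaceSelector widens it to other namespaces.
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], ns_labels[src["namespace"]]):
            return False
    elif src["namespace"] != policy_ns:
        return False
    return matches(peer.get("podSelector", {}), src["labels"])

def ingress_allowed(src, dst, policies, ns_labels):
    selected = selecting_policies(dst, policies)
    if not selected:
        return True  # no policy selects the pod: everything is allowed
    # Policies are additive: the union of their ingress rules is evaluated.
    # 'ingress: []' contributes no allow rule, so on its own it denies.
    for p in selected:
        for rule in p["ingress"]:
            peers = rule.get("from")
            if not peers or any(peer_allows(q, p["namespace"], src, ns_labels)
                                for q in peers):
                return True
    return False

NS_LABELS = {"prod": {"team": "web"}, "dev": {"team": "web"}}
WEB = {"namespace": "prod", "labels": {"app": "web"}}
DB = {"namespace": "prod", "labels": {"app": "db"}}
DEV_WEB = {"namespace": "dev", "labels": {"app": "web"}}
DENY_ALL_DB = {"namespace": "prod", "podSelector": {"app": "db"}, "ingress": []}
ALLOW_WEB_TO_DB = {"namespace": "prod", "podSelector": {"app": "db"},
                   "ingress": [{"from": [{"podSelector": {"app": "web"}}]}]}
ALLOW_TEAM_WEB = {"namespace": "prod", "podSelector": {"app": "db"},
                  "ingress": [{"from": [{"namespaceSelector": {"team": "web"}}]}]}
```

Calling `ingress_allowed(WEB, DB, [DENY_ALL_DB, ALLOW_WEB_TO_DB], NS_LABELS)` shows the union rule: the deny-all policy alone blocks, and adding the allow policy re-opens only the selected source.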

#### [Before you begin](https://github.com/ahmetb/kubernetes-network-policy-recipes#before-you-begin)

> I really recommend [watching my KubeCon talk on Network Policies](https://www.youtube.com/watch?v=3gGpMmYeEO8) if you want to get a good understanding of this feature. It will help you understand this repo better.

* [Create a cluster](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/00-create-cluster/README.md)

#### [Basics](https://github.com/ahmetb/kubernetes-network-policy-recipes#basics)

* [DENY all traffic to an application](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/01-deny-all-traffic-to-an-application/README.md)
* [LIMIT traffic to an application](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/02-limit-traffic-to-an-application/README.md)
* [ALLOW all traffic to an application](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/02a-allow-all-traffic-to-an-application/README.md)

#### [Namespaces](https://github.com/ahmetb/kubernetes-network-policy-recipes#namespaces)

* [DENY all non-whitelisted traffic in the current namespace](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/03-deny-all-non-whitelisted-traffic-in-the-namespace/README.md)
* [DENY all traffic from other namespaces](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/04-deny-traffic-from-other-namespaces/README.md) (a.k.a. LIMIT access to the current namespace)
* [ALLOW traffic to an application from all namespaces](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/05-allow-traffic-from-all-namespaces/README.md)
* [ALLOW all traffic from a namespace](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/06-allow-traffic-from-a-namespace/README.md)
* [ALLOW traffic from some pods in another namespace](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/07-allow-traffic-from-some-pods-in-another-namespace/README.md)

#### [Serving External Traffic](https://github.com/ahmetb/kubernetes-network-policy-recipes#serving-external-traffic)

* [ALLOW traffic from external clients](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/08-allow-external-traffic/README.md)

#### [Advanced](https://github.com/ahmetb/kubernetes-network-policy-recipes#advanced)

* [ALLOW traffic only to certain port numbers of an application](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/09-allow-traffic-only-to-a-port/README.md)
* [ALLOW traffic from apps using multiple selectors](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/10-allowing-traffic-with-multiple-selectors/README.md)

#### [Controlling Outbound (Egress) Traffic 🔥🆕🔥](https://github.com/ahmetb/kubernetes-network-policy-recipes#controlling-outbound-egress-traffic-)

* [DENY egress traffic from an application](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/11-deny-egress-traffic-from-an-application/README.md)
* [DENY all non-whitelisted egress traffic in a namespace](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/12-deny-all-non-whitelisted-traffic-from-the-namespace/README.md)
* 🔜 LIMIT egress traffic from an application to some pods
* 🔜 ALLOW traffic only to Pods in a namespace
* [LIMIT egress traffic to the cluster (DENY external egress traffic)](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Network%20security/Network%20policy%20recipes/14-deny-external-egress-traffic/README.md)

#### [Author](https://github.com/ahmetb/kubernetes-network-policy-recipes#author)

Created by Ahmet Alp Balkan ([@ahmetb](https://twitter.com/ahmetb)).

Copyright 2017, Google Inc. Distributed under Apache License Version 2.0; see [LICENSE](https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/LICENSE) for details.

Disclaimer: This is not an official Google product.
