Declare Network Policy

    Note: This section links to third party projects that provide functionality required by Kubernetes. The Kubernetes project authors aren’t responsible for these projects, which are listed alphabetically. To add a project to this list, read the content guide before submitting a change.

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one, or you can use one of these Kubernetes playgrounds:

    Your Kubernetes server must be at or later than version v1.8. To check the version, enter kubectl version.

    Make sure you’ve configured a network provider with network policy support. There are a number of network providers that support NetworkPolicy, including:

    Create an nginx deployment and expose it via a service

    To see how Kubernetes network policy works, start off by creating an nginx Deployment.

          deployment.apps/nginx created
          service/nginx exposed

      The above commands create a Deployment with an nginx Pod and expose the Deployment through a Service named nginx. The nginx Pod and Deployment are found in the default namespace.

          kubectl get svc,pod

          NAME                 CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
          service/kubernetes   10.100.0.1    <none>        443/TCP   46m
          service/nginx        10.100.0.16   <none>        80/TCP    33s

          NAME                        READY   STATUS    RESTARTS   AGE

      You should be able to access the new nginx service from other Pods. To access the nginx Service from another Pod in the default namespace, start a busybox container:

          kubectl run busybox --rm -ti --image=busybox:1.28 -- /bin/sh

      In your shell, run the following command:

          wget --spider --timeout=1 nginx

          Connecting to nginx (10.100.0.16:80)
          remote file exists

      Limit access to the nginx service

      To limit access to the nginx service so that only Pods with the label access: true can query it, create a NetworkPolicy object as follows (nginx-policy.yaml):

          apiVersion: networking.k8s.io/v1
          kind: NetworkPolicy
          metadata:
            name: access-nginx
          spec:
            podSelector:
              matchLabels:
                app: nginx
            ingress:
            - from:
              - podSelector:
                  matchLabels:
                    access: "true"

      Note: NetworkPolicy includes a podSelector which selects the grouping of Pods to which the policy applies. You can see this policy selects Pods with the label app=nginx. The label was automatically added to the Pod in the nginx Deployment. An empty podSelector selects all pods in the namespace.

      Use kubectl to create a NetworkPolicy from the above nginx-policy.yaml file:

          kubectl apply -f https://k8s.io/examples/service/networking/nginx-policy.yaml

          networkpolicy.networking.k8s.io/access-nginx created

      Test access to the service when access label is not defined

      When you attempt to access the nginx Service from a Pod without the correct labels, the request times out. Start a busybox container without the access label:

          kubectl run busybox --rm -ti --image=busybox:1.28 -- /bin/sh

      In your shell, run the command:

          wget --spider --timeout=1 nginx

          Connecting to nginx (10.100.0.16:80)
          wget: download timed out

      You can create a Pod with the correct labels to see that the request is allowed:

          kubectl run busybox --rm -ti --labels="access=true" --image=busybox:1.28 -- /bin/sh

          wget --spider --timeout=1 nginx

          remote file exists
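      The three outcomes above (no policy, policy without the label, policy with the label) follow from how a NetworkPolicy selects Pods and matches sources. The following is an added example, not code from the Kubernetes docs or any network provider: a small Python model of that ingress decision, restricted to same-namespace podSelector/matchLabels rules (no namespaceSelector, ipBlock, ports or matchExpressions), run against the page's access-nginx policy plus a constructed default-deny policy to show that policies are additive and that an empty podSelector selects every Pod.

```python
# Added example (not from the Kubernetes docs): a minimal model of NetworkPolicy
# ingress evaluation covering only podSelector/matchLabels rules in one namespace.

def selector_matches(selector, labels):
    """A podSelector matches when every matchLabels pair is present on the Pod.
    An empty selector ({}) has no requirements, so it matches every Pod."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())

def ingress_allowed(policies, src_labels, dst_labels):
    """True if traffic from a Pod with src_labels may reach one with dst_labels.
    A Pod selected by no policy is non-isolated and accepts everything; once any
    policy selects it, only sources matched by some rule's 'from' list get in.
    Policies are additive: one matching rule in any selecting policy is enough."""
    selecting = [p for p in policies
                 if selector_matches(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:  # a rule with no 'from' (missing or empty) matches all sources
                return True
            for peer in peers:
                if "podSelector" in peer and selector_matches(peer["podSelector"], src_labels):
                    return True
    return False

# The access-nginx policy from this page, as the dict its YAML parses to.
ACCESS_NGINX = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "access-nginx"},
    "spec": {"podSelector": {"matchLabels": {"app": "nginx"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}]},
}
# Constructed default-deny policy: the empty podSelector selects every Pod, no rules.
DENY_ALL = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny-ingress"},
            "spec": {"podSelector": {}, "ingress": []}}

NGINX = {"app": "nginx"}                        # label added by the Deployment
BUSYBOX = {"run": "busybox"}                    # kubectl run without --labels
BUSYBOX_OK = {"run": "busybox", "access": "true"}

def demo():
    """The cases the page walks through, plus two default-deny combinations."""
    return {"no policy": ingress_allowed([], BUSYBOX, NGINX),
            "unlabelled": ingress_allowed([ACCESS_NGINX], BUSYBOX, NGINX),
            "labelled": ingress_allowed([ACCESS_NGINX], BUSYBOX_OK, NGINX),
            "deny-all + allow": ingress_allowed([DENY_ALL, ACCESS_NGINX], BUSYBOX_OK, NGINX),
            "deny-all only": ingress_allowed([DENY_ALL], BUSYBOX_OK, NGINX)}
```

      Note that a label value written in YAML as a bare `true` parses as a boolean, not the string "true" the policy requires, which is why the page quotes it.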