
Ingress and egress rules in Kubernetes - Commands & Configuration

Introduction
Ingress and egress rules control the traffic coming into and going out of your Kubernetes pods. They help keep your applications safe by allowing only the network connections you intend. Typical situations where you need them:
When you want to allow web traffic to reach your app but block other unwanted traffic.
When your app needs to connect to a database outside the cluster and you want to allow only that connection.
When you want to block all internet access from your pods except to specific services.
When you want to limit which pods can talk to each other inside the cluster.
When you want to monitor or control network traffic for security or compliance.
Config File - network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5432

This NetworkPolicy allows incoming TCP traffic on port 80 (HTTP) from any source address to pods labeled app: my-app in the default namespace. It also allows outgoing TCP traffic from those pods to IP addresses in the 10.0.0.0/24 range on port 5432 (the default PostgreSQL port). Because both Ingress and Egress are listed in policyTypes, every other connection in either direction is denied for the selected pods, including DNS lookups to the cluster resolver, so a pod governed by this policy can only reach the database by IP address unless a further egress rule for DNS (port 53) is added.

podSelector selects the pods this policy applies to. policyTypes declares that both ingress and egress rules are set, and therefore that both directions are isolated. The ingress and egress sections define the allowed incoming and outgoing traffic respectively. Note that the API server accepts a NetworkPolicy regardless of the cluster's network plugin; the rules are only enforced when the installed CNI plugin implements NetworkPolicy.

Commands
This command applies the network policy to your Kubernetes cluster, creating rules for ingress and egress traffic for the selected pods.
Terminal
kubectl apply -f network-policy.yaml
Expected output
networkpolicy.networking.k8s.io/allow-web-ingress created
This command shows the details of the applied network policy to verify it is created correctly.
Terminal
kubectl get networkpolicy allow-web-ingress -o yaml
Expected output
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5432
-o yaml - shows the full network policy object in YAML format
This command provides a human-readable summary of the network policy, showing which pods it applies to and the allowed ingress and egress rules.
Terminal
kubectl describe networkpolicy allow-web-ingress
Expected output
Name:         allow-web-ingress
Namespace:    default
Labels:       <none>
Annotations:  <none>
PodSelector:  app=my-app
PolicyTypes:  Ingress, Egress
Ingress:
  From:
    IPBlock: 0.0.0.0/0
  Ports: TCP:80
Egress:
  To:
    IPBlock: 10.0.0.0/24
  Ports: TCP:5432
Key Concept

If you remember nothing else from this pattern, remember: ingress rules control incoming traffic to pods, egress rules control outgoing traffic from pods.

Common Mistakes
Not specifying podSelector in the NetworkPolicy
Without podSelector, the policy does not apply to any pods, so no traffic is controlled.
Always include podSelector to target the pods you want to control.
Assuming NetworkPolicy allows all traffic by default
Once any NetworkPolicy selects a pod, traffic in each direction listed in policyTypes is denied unless a rule explicitly allows it.
Explicitly allow all needed ingress and egress traffic in your policy.
Using incorrect port numbers or protocols
Traffic will be blocked if ports or protocols do not match the actual service ports.
Double-check port numbers and protocols match your application requirements.
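To make the allow/deny outcomes of the config above and of the default-deny behaviour concrete, here is an added Python example (not from the original page and not Kubernetes code) that re-implements the semantics of network-policy.yaml for ipBlock peers and evaluates a few constructed connections, including the DNS egress case this policy silently denies. The pod labels and IP addresses are constructed, and 10.96.0.10 is assumed as a placeholder kube-dns address.

```python
import ipaddress

# Added example (not from the page or Kubernetes): a toy evaluator for the
# page's allow-web-ingress policy. Only ipBlock peers are modelled, since the
# policy uses no podSelector/namespaceSelector peers.
POLICY = {  # mirrors network-policy.yaml
    "podSelector": {"matchLabels": {"app": "my-app"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                 "ports": [{"protocol": "TCP", "port": 80}]}],
    "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/24"}}],
                "ports": [{"protocol": "TCP", "port": 5432}]}],
}

def selects(policy, pod_labels):
    """podSelector: every matchLabels pair must be on the pod (empty = all pods)."""
    wanted = policy.get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())

def rule_matches(rule, peer_key, ip, protocol, port):
    # In the API an absent peer list or port list means "any".
    peers, ports = rule.get(peer_key), rule.get("ports")
    addr = ipaddress.ip_address(ip)
    peer_ok = not peers or any(
        "ipBlock" in p and addr in ipaddress.ip_network(p["ipBlock"]["cidr"])
        for p in peers)
    port_ok = not ports or any(
        p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)
    return peer_ok and port_ok

def is_allowed(policy, pod_labels, direction, ip, protocol, port):
    """direction: 'Ingress' (ip = source) or 'Egress' (ip = destination)."""
    if not selects(policy, pod_labels) or direction not in policy["policyTypes"]:
        return True  # pod not isolated in this direction: default allow
    peer_key = "from" if direction == "Ingress" else "to"
    return any(rule_matches(r, peer_key, ip, protocol, port)
               for r in policy.get(direction.lower(), []))

# Constructed sample connections; 10.96.0.10 is a placeholder kube-dns address.
MY_APP = {"app": "my-app"}
CHECKS = {
    "http_in":    is_allowed(POLICY, MY_APP, "Ingress", "203.0.113.7", "TCP", 80),
    "ssh_in":     is_allowed(POLICY, MY_APP, "Ingress", "203.0.113.7", "TCP", 22),
    "postgres":   is_allowed(POLICY, MY_APP, "Egress", "10.0.0.42", "TCP", 5432),
    "other_net":  is_allowed(POLICY, MY_APP, "Egress", "10.0.1.42", "TCP", 5432),
    "dns":        is_allowed(POLICY, MY_APP, "Egress", "10.96.0.10", "UDP", 53),
    "unselected": is_allowed(POLICY, {"app": "other"}, "Ingress", "203.0.113.7", "TCP", 22),
}

print({name: ("ALLOW" if ok else "DENY") for name, ok in CHECKS.items()})
```

The "dns" entry is the case that surprises most people in practice: the policy is valid and applied, but the pod can no longer resolve the database hostname.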
Summary
Create a NetworkPolicy YAML file to define ingress and egress rules for selected pods.
Apply the policy using kubectl apply to enforce traffic rules.
Verify the policy with kubectl get and kubectl describe commands.