0
0
Kubernetesdevops~10 mins

Ingress and egress rules in Kubernetes - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - Ingress and egress rules
Start: Pod wants to communicate
Check Egress Rules
Send Out
Incoming Traffic
Check Ingress Rules
Deliver
End Communication
Traffic from pods first passes egress rules to allow or block outgoing connections. Incoming traffic passes ingress rules to allow or block access to pods.
Execution Sample
Kubernetes
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web
spec:
  podSelector:
    matchLabels:
      role: web
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/24
This NetworkPolicy allows incoming traffic to pods with label role=web only from IPs in 10.0.0.0/24 subnet.
Process Table
StepTraffic DirectionSource IPDestination PodRule CheckedAllowed?Action
1EgressPod AExternal IP 8.8.8.8Egress rule: allow allYesSend Out
2IngressIP 10.0.0.5Pod with role=webIngress rule: allow from 10.0.0.0/24YesDeliver
3IngressIP 192.168.1.10Pod with role=webIngress rule: allow from 10.0.0.0/24NoDrop Packet
4EgressPod BExternal IP 192.168.1.10Egress rule: allow allYesSend Out
5IngressIP 10.0.0.50Pod without role=webNo ingress rule matchesNoDrop Packet
6EgressPod CExternal IP 10.0.0.5Egress rule: deny allNoBlock Traffic
💡 Traffic is either allowed or blocked based on matching ingress and egress rules.
Status Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4After Step 5After Step 6
Traffic StatusPendingSent OutDeliveredDroppedSent OutDroppedBlocked
Source IPPod APod A10.0.0.5192.168.1.10Pod B10.0.0.50Pod C
Destination Pod8.8.8.88.8.8.8role=webrole=web192.168.1.10no role=web10.0.0.5
Key Moments - 3 Insights
Why is traffic from IP 192.168.1.10 to a pod with role=web dropped?
Because the ingress rule only allows traffic from 10.0.0.0/24 subnet, as shown in execution_table row 3 where Allowed? is No.
What happens if there is no ingress rule matching the incoming traffic?
The traffic is dropped by default, as seen in execution_table row 5 where no ingress rule matches and action is Drop Packet.
Why is egress traffic from Pod C blocked?
Because the egress rule denies all outgoing traffic for Pod C, shown in execution_table row 6 with Allowed? No and action Block Traffic.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what is the action taken at step 3 for incoming traffic from IP 192.168.1.10?
ADeliver to pod
BDrop Packet
CSend Out
DBlock Traffic
💡 Hint
Check the 'Action' column in execution_table row 3.
At which step does egress traffic get blocked?
AStep 2
BStep 4
CStep 6
DStep 1
💡 Hint
Look for 'Block Traffic' in the 'Action' column of execution_table.
If the ingress rule allowed all IPs, what would change at step 5?
ATraffic would be delivered
BTraffic would be blocked
CTraffic would be dropped
DNo change
💡 Hint
Refer to execution_table row 5 where traffic is dropped due to no matching ingress rule.
Concept Snapshot
Ingress and egress rules control pod network traffic.
Egress rules filter outgoing traffic from pods.
Ingress rules filter incoming traffic to pods.
Traffic allowed by rules passes; else it is blocked or dropped.
Rules use selectors and IP blocks to specify allowed sources/destinations.
Full Transcript
Ingress and egress rules in Kubernetes control network traffic to and from pods. When a pod sends traffic out, egress rules check if the traffic is allowed. If allowed, the traffic goes out; if not, it is blocked. Incoming traffic to pods is checked against ingress rules. If the source IP matches allowed rules, traffic is delivered; otherwise, it is dropped. This example shows traffic from different IPs and pods being allowed or blocked based on these rules. Understanding these rules helps secure pod communication by controlling who can talk to whom.