
Network policies for traffic control in Kubernetes - Commands & Configuration

Introduction
Sometimes, you want to control which parts of your app can talk to each other inside your Kubernetes cluster. Network policies help you block or allow traffic between pods to keep your app safe and organized.
When you want to allow only specific pods to access a database pod.
When you want to block all traffic to a sensitive backend service except from a frontend pod.
When you want to limit communication between different teams' apps running in the same cluster.
When you want to test how your app behaves with restricted network access.
When you want to improve security by reducing unnecessary network connections.
Config File - network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80

This file creates a network policy named allow-frontend-to-backend in the default namespace.

The podSelector selects pods with label app: backend, meaning this policy applies to backend pods.

Setting policyTypes to Ingress means the policy controls only incoming traffic to these pods; their outgoing (egress) traffic is not affected.

The ingress rule allows traffic only from pods labeled app: frontend on TCP port 80.

This blocks all other incoming traffic to backend pods except from frontend pods on port 80. Because the from entry uses only a podSelector (no namespaceSelector), it matches frontend pods in the default namespace only; a frontend pod in another namespace is blocked as well. The policy is enforced only if the cluster's network plugin supports NetworkPolicy.

Commands
This command applies the network policy to the cluster, creating the rule that controls traffic to backend pods.
Terminal
kubectl apply -f network-policy.yaml
Expected Output
networkpolicy.networking.k8s.io/allow-frontend-to-backend created
This command shows the details of the network policy to verify it was created correctly.
Terminal
kubectl get networkpolicy allow-frontend-to-backend -o yaml
Expected Output
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - port: 80
      protocol: TCP
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
-o yaml - Outputs the network policy details in YAML format for easy reading
This command gives a human-readable summary of the network policy and its rules.
Terminal
kubectl describe networkpolicy allow-frontend-to-backend
Expected Output
Name:         allow-frontend-to-backend
Namespace:    default
Labels:       <none>
Annotations:  <none>
PodSelector:  app=backend
PolicyTypes:  Ingress
Ingress:
  From:
    PodSelector: app=frontend
  Ports:
    TCP:80
Key Concept

If you remember nothing else from this pattern, remember: network policies let you control which pods can talk to which pods inside your Kubernetes cluster.

Common Mistakes
Not labeling pods correctly to match the network policy selectors
The network policy won't apply to any pods if labels don't match, so traffic won't be controlled as expected.
Make sure pods have the exact labels used in the network policy's podSelector and from podSelector.
Assuming network policies allow traffic by default
Once any network policy selects a pod, traffic of the policy types it lists is blocked unless some policy explicitly allows it; pods that no policy selects remain fully open.
Always define all needed ingress and egress rules for pods selected by network policies.
Applying network policies in the wrong namespace
Network policies only affect pods in the namespace they are created in.
Create network policies in the same namespace as the pods you want to control.
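To make the selection rules from the config explanation and the common mistakes above concrete, here is an added example (not from the original page and not Kubernetes code): a small Python model of NetworkPolicy ingress semantics that answers "may pod A reach pod B on this port?" for the page's policy, plus a constructed namespace-wide default-deny companion. It models podSelector, namespaceSelector and ports only; ipBlock peers and egress are not modelled.

```python
def _selects(selector, labels):
    """matchLabels semantics: every key/value must match; {} selects everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_matches(peer, policy_ns, src_ns, src_ns_labels, src_labels):
    # A from.podSelector without a namespaceSelector only matches the policy's own namespace.
    if "namespaceSelector" in peer:
        if not _selects(peer["namespaceSelector"], src_ns_labels):
            return False
    elif src_ns != policy_ns:
        return False
    return "podSelector" not in peer or _selects(peer["podSelector"], src_labels)

def _port_matches(ports, port, proto):
    # An omitted ports list means every port; protocol defaults to TCP.
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)

def ingress_allowed(policies, src, dst, port, proto="TCP", ns_labels=None):
    """src and dst are (namespace, labels) tuples; ns_labels maps namespace name -> its labels."""
    ns_labels = ns_labels or {}
    (src_ns, src_labels), (dst_ns, dst_labels) = src, dst
    selecting = [p for p in policies
                 if p["metadata"].get("namespace", "default") == dst_ns
                 and _selects(p["spec"].get("podSelector", {}), dst_labels)
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not selecting:  # no policy selects the pod: it is not isolated, all ingress is allowed
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):  # missing or empty list = deny all ingress
            peers = rule.get("from", [])           # missing or empty list = any source
            src_ok = not peers or any(
                _peer_matches(peer, dst_ns, src_ns, ns_labels.get(src_ns, {}), src_labels)
                for peer in peers)
            if src_ok and _port_matches(rule.get("ports", []), port, proto):
                return True
    return False

# The page's policy, transcribed from network-policy.yaml into a dict.
ALLOW_FRONTEND = {
    "metadata": {"name": "allow-frontend-to-backend", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                          "ports": [{"protocol": "TCP", "port": 80}]}]}}

# Constructed companion policy: namespace-wide default-deny so unselected pods are not left open.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny-ingress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}

if __name__ == "__main__":
    fe, be, cache = ("default", {"app": "frontend"}), ("default", {"app": "backend"}), ("default", {"app": "cache"})
    print(ingress_allowed([ALLOW_FRONTEND], fe, be, 80), ingress_allowed([ALLOW_FRONTEND], fe, cache, 6379))  # True True
    print(ingress_allowed([ALLOW_FRONTEND, DEFAULT_DENY], fe, cache, 6379))  # False
```

The second printed value shows the "policies only restrict selected pods" pitfall: without the default-deny, the cache pod accepts any ingress, and a mislabelled backend pod (for example app: back-end) is equally unprotected.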
Summary
Create a network policy YAML file to define allowed traffic between pods.
Apply the network policy using kubectl apply to enforce traffic rules.
Verify the policy with kubectl get and kubectl describe commands.