Kubernetes | devops | ~10 mins

Network policies for traffic control in Kubernetes - Step-by-Step Execution

Process Flow - Network policies for traffic control
1. Define NetworkPolicy YAML
2. Apply NetworkPolicy to Namespace
3. Kubernetes enforces rules
4. Pods allowed or denied traffic
5. Traffic flows controlled as per policy
This flow shows how a network policy is defined, applied, and enforced to control pod traffic in Kubernetes.
Execution Sample
Kubernetes
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
This NetworkPolicy allows ingress traffic to pods labeled 'app: nginx' only from pods labeled 'role: frontend'.
Process Table
Step | Action | Target Pods | Traffic Source | Result
1 | Define NetworkPolicy YAML | Pods with label app=nginx | Pods with label role=frontend | Policy created but not applied yet
2 | Apply NetworkPolicy to Namespace | Pods with label app=nginx | Pods with label role=frontend | Policy active, Kubernetes starts enforcing
3 | Traffic attempt from pod with role=frontend | Pods with label app=nginx | Pod with role=frontend | Allowed: matches ingress rule
4 | Traffic attempt from pod without role=frontend | Pods with label app=nginx | Pod without role=frontend | Denied: no matching ingress rule
5 | Traffic attempt to pod without app=nginx label | Pods without app=nginx | Any pod | Allowed: policy does not select these pods
6 | No other policies present | Pods with app=nginx | Other pods | Denied: default deny all except allowed
7 | End | - | - | Traffic controlled as per policy rules
💡 Execution stops after all traffic attempts are evaluated against the policy rules.
Status Tracker
Variable | Start | After Step 2 | After Step 3 | After Step 4 | Final
NetworkPolicy Active | False | True | True | True | True
Traffic Allowed to app=nginx from role=frontend | N/A | N/A | Yes | Yes | Yes
Traffic Allowed to app=nginx from other pods | N/A | N/A | N/A | No | No
Key Moments - 3 Insights
Why is traffic from pods without the 'role=frontend' label denied to 'app=nginx' pods?
Because the NetworkPolicy ingress rule only allows traffic from pods labeled 'role=frontend' (see Process Table step 4). Traffic from any other pod does not match the rule and is denied.
Why do pods without the 'app=nginx' label not get affected by this NetworkPolicy?
The policy's podSelector selects only pods with the label 'app=nginx' (Process Table step 5). Pods without this label are not selected, so the policy does not apply to them and their traffic is not restricted.
What happens if no NetworkPolicy is applied in a namespace?
By default, all traffic is allowed. Once a NetworkPolicy selects a pod, traffic to that pod is restricted to what the policy explicitly allows (Process Table step 6 shows this default-deny behaviour after the policy is applied).
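To make the Execution Sample and the Key Moments above concrete, here is a small Python model of how Kubernetes evaluates NetworkPolicy ingress; it is an added example, not code from the original page. It reproduces Process Table steps 3 to 5 for the page's allow-nginx policy and goes one step further than the page by adding a constructed default-deny-ingress policy (a label-free podSelector) to show that policies in a namespace are additive: the union of all allow rules applies, and a pod becomes isolated as soon as any policy selects it. Only same-namespace podSelector peers are modelled; namespaceSelector, ipBlock and egress are out of scope.

```python
# Added example: minimal model of Kubernetes NetworkPolicy ingress evaluation.
# Scope: one namespace, podSelector peers only (no namespaceSelector/ipBlock/egress).

ALLOW_NGINX = {  # the page's YAML as a Python dict
    "metadata": {"name": "allow-nginx"},
    "spec": {"podSelector": {"matchLabels": {"app": "nginx"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}]}]},
}

DEFAULT_DENY = {  # constructed for this example: selects every pod, permits no ingress
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

def selects(selector, labels):
    """matchLabels semantics: every listed label must match; {} matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def covers_ingress(spec):
    """policyTypes defaults to Ingress when omitted; an Egress-only policy never isolates ingress."""
    return "Ingress" in spec.get("policyTypes", ["Ingress"])

def ingress_allowed(policies, src_labels, dst_labels):
    """Return (allowed, reason) for traffic from a source pod to a destination pod."""
    selecting = [p for p in policies
                 if covers_ingress(p["spec"]) and selects(p["spec"]["podSelector"], dst_labels)]
    if not selecting:  # Process Table step 5: unselected pods keep the default allow-all
        return True, "no policy selects destination; default allow"
    for p in selecting:  # one matching rule in any selecting policy is enough (union)
        for rule in p["spec"].get("ingress") or []:
            if not rule.get("from"):  # an empty or missing 'from' matches all sources
                return True, f"{p['metadata']['name']}: rule allows any source"
            for peer in rule["from"]:
                if "podSelector" in peer and selects(peer["podSelector"], src_labels):
                    return True, f"{p['metadata']['name']}: source matches podSelector"
    return False, "destination isolated; no ingress rule matches source"

def trace(policies):
    """Re-run Process Table steps 3-5 against a policy set; labels are constructed samples."""
    cases = {
        "step3 frontend->nginx": ({"role": "frontend"}, {"app": "nginx"}),
        "step4 other->nginx": ({"role": "batch"}, {"app": "nginx"}),
        "step5 any->non-nginx": ({"role": "batch"}, {"app": "redis"}),
    }
    return {k: ingress_allowed(policies, s, d)[0] for k, (s, d) in cases.items()}

if __name__ == "__main__":
    print(trace([ALLOW_NGINX]))                # step5 True: unselected pods stay open
    print(trace([ALLOW_NGINX, DEFAULT_DENY]))  # step5 False: the baseline deny closes them
```

Adding the default-deny policy does not change the outcome for frontend to nginx traffic: the allow-nginx rule still matches, which is why a namespace-wide default deny is the usual baseline under which specific allow policies are layered.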
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, at which step does Kubernetes start enforcing the NetworkPolicy?
A. Step 3
B. Step 1
C. Step 2
D. Step 4
💡 Hint
Check the 'Action' and 'Result' columns of the Process Table for the step at which the policy becomes active.
According to the variable tracker, what is the value of 'Traffic Allowed to app=nginx from other pods' after step 4?
A. Yes
B. No
C. N/A
D. Unknown
💡 Hint
Look at the 'After Step 4' column for that variable in the Status Tracker.
If we add another ingress rule allowing traffic from pods labeled 'role=backend', what would change in the execution table?
A. Traffic from 'role=backend' pods would be allowed in step 4
B. Traffic from 'role=frontend' pods would be denied
C. Pods without 'app=nginx' label would be denied traffic
D. No change in traffic rules
💡 Hint
Consider how the ingress rules determine which traffic sources are allowed in Process Table step 4.
Concept Snapshot
NetworkPolicy controls pod traffic in Kubernetes.
Define YAML with podSelector and ingress/egress rules.
Apply policy to namespace to enforce rules.
Only traffic matching rules is allowed; others denied.
Pods not selected by policy are unaffected.
Default deny applies only to the pods a policy selects.
Full Transcript
Network policies in Kubernetes let you control which pods can talk to each other. You write a YAML file that selects pods by labels and defines rules for allowed traffic. When you apply this policy to a namespace, Kubernetes enforces it. Traffic from pods matching the allowed labels can reach the selected pods. Traffic from others is blocked. Pods not selected by the policy are not affected. Without any policy, all traffic is allowed. This visual trace shows defining, applying, and enforcing a policy that allows only pods labeled 'role=frontend' to access pods labeled 'app=nginx'. Traffic from other pods is denied. This helps secure communication inside your cluster.