
Network policies for security in Kubernetes - Commands & Configuration

Introduction
Network policies control how groups of pods communicate with each other and with other network endpoints. They help keep your Kubernetes applications safe by limiting which pods can talk to which, reducing the risk of unwanted access.
When you want to allow only specific pods to access a database pod to protect sensitive data.
When you need to block all incoming traffic to a pod except from trusted pods in the same namespace.
When you want to restrict external access to only certain services in your cluster.
When you want to isolate different teams' applications running in the same Kubernetes cluster.
When you want to enforce security rules that prevent pods from communicating with unknown or untrusted pods.
Config File - network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80

This file defines a NetworkPolicy named allow-frontend-to-backend in the default namespace.

The podSelector selects pods with label app: backend to apply the policy to.

The policyTypes field specifies this policy controls incoming traffic (Ingress).

The ingress rule allows traffic only from pods labeled app: frontend on TCP port 80.

Commands
This command creates the network policy in the Kubernetes cluster to restrict backend pods to only accept traffic from frontend pods on port 80.
Terminal
kubectl apply -f network-policy.yaml
Expected Output
networkpolicy.networking.k8s.io/allow-frontend-to-backend created
This command retrieves the details of the created network policy to verify it was applied correctly.
Terminal
kubectl get networkpolicy allow-frontend-to-backend -o yaml
Expected Output
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
-o yaml - Outputs the network policy details in YAML format for easy reading
This command shows a human-readable description of the network policy, including which pods it selects and the allowed traffic rules.
Terminal
kubectl describe networkpolicy allow-frontend-to-backend
Expected Output
Name:         allow-frontend-to-backend
Namespace:    default
Labels:       <none>
Annotations:  <none>
PodSelector:  app=backend
PolicyTypes:  Ingress
Ingress:
  From:
    PodSelector: app=frontend
  Ports:
    Protocol: TCP
    Port: 80
Key Concept

If you remember nothing else from this pattern, remember: network policies let you control which pods can talk to each other to improve security.

Common Mistakes
Not specifying podSelector in the network policy spec
Without podSelector, the policy does not apply to any pods, so no traffic is restricted.
Always include podSelector to target the pods you want to protect.
Forgetting to specify policyTypes when creating ingress or egress rules
Kubernetes defaults to no traffic restrictions unless policyTypes are set, so rules may not take effect.
Always set policyTypes to Ingress, Egress, or both depending on your rules.
Allowing traffic from all pods by using an empty from field
This defeats the purpose of restricting traffic and leaves pods open to all connections.
Specify podSelector or namespaceSelector in from to limit allowed sources.
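As an added example (not code from the page), here is a small Python check that flags the three mistakes listed above in a manifest before it is applied, and also the egress counterpart (an egress rule with no "to"), which the page does not cover. The function and manifest names are my own; manifests are passed as the dicts a YAML loader such as PyYAML's safe_load would produce, so only the standard library is needed.

```python
# Added example, not from the page: a small linter that flags the three
# "Common Mistakes" above in a NetworkPolicy manifest, and also the egress
# counterpart (an egress rule with no "to"). Manifests are plain dicts, as
# yaml.safe_load would return them, so only the standard library is needed.
def check_network_policy(policy: dict) -> list[str]:
    """Return findings for one NetworkPolicy manifest (empty list = clean)."""
    findings = []
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    spec = policy.get("spec", {})
    # Mistake 1: no podSelector means no pods are targeted by the policy.
    if "podSelector" not in spec:
        findings.append(f"{name}: spec.podSelector is missing")
    # Mistake 2: policyTypes absent; make the direction(s) explicit.
    policy_types = spec.get("policyTypes") or []
    if not policy_types:
        findings.append(f"{name}: spec.policyTypes is missing")
    # Rules for a direction not listed in policyTypes are never enforced.
    for direction, kind in (("ingress", "Ingress"), ("egress", "Egress")):
        if spec.get(direction) and policy_types and kind not in policy_types:
            findings.append(f"{name}: {direction} rules present but {kind} not in policyTypes")
    # Mistake 3: a rule with no/empty peer list admits every source (or destination).
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(spec.get(direction) or []):
            if not rule.get(peer_key):
                findings.append(f"{name}: {direction} rule {i} has no '{peer_key}', allows all peers")
    return findings

# Constructed sample manifests (the first is the page's policy, parsed).
ALLOW_FRONTEND_TO_BACKEND = {
    "metadata": {"name": "allow-frontend-to-backend", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                          "ports": [{"protocol": "TCP", "port": 80}]}]},
}
RISKY_POLICY = {  # constructed: all three mistakes at once
    "metadata": {"name": "risky"},
    "spec": {"ingress": [{"ports": [{"protocol": "TCP", "port": 80}]}]},
}
IGNORED_EGRESS = {  # constructed: egress rule written but policyTypes omits Egress
    "metadata": {"name": "ignored-egress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
             "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}]}]},
}

if __name__ == "__main__":
    for manifest in (ALLOW_FRONTEND_TO_BACKEND, RISKY_POLICY, IGNORED_EGRESS):
        print(manifest["metadata"]["name"], "->", check_network_policy(manifest) or "OK")
```

Run it against a manifest loaded with a YAML parser before kubectl apply; a non-empty list is a reason to stop and fix the file.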
Summary
Create a network policy YAML file that selects target pods and defines allowed traffic sources and ports.
Apply the network policy using kubectl apply to enforce traffic restrictions.
Verify the policy with kubectl get and kubectl describe commands to ensure it is correctly applied.