
Network policies for security in Kubernetes - Mini Project: Build & Apply

Network policies for security
📖 Scenario: You are managing a Kubernetes cluster for a small company. You want to control which pods can communicate with each other to improve security.
🎯 Goal: Create a Kubernetes NetworkPolicy that allows only pods with a specific label to communicate with each other inside the same namespace.
📋 What You'll Learn
Create a NetworkPolicy YAML manifest named allow-same-label.yaml
The policy should select pods with label role: frontend
Allow ingress traffic only from pods with label role: frontend
Deny all other ingress traffic by default
💡 Why This Matters
🌍 Real World
NetworkPolicies help secure Kubernetes clusters by controlling pod communication, reducing attack surface.
💼 Career
Understanding NetworkPolicies is essential for Kubernetes administrators and DevOps engineers to enforce security best practices.
1. Create a pod selector with label role: frontend
Create a YAML manifest for a NetworkPolicy named allow-same-label.yaml with a podSelector that selects pods with the label role: frontend. Start with the apiVersion, kind, metadata, and spec fields including the podSelector.
Hint: Use podSelector with matchLabels to select pods with label role: frontend.

2. Add ingress rule to allow traffic from pods with label role: frontend
Add an ingress rule under spec that allows traffic only from pods with the label role: frontend. Use from with podSelector inside the ingress rule.
Hint: Use ingress with a list containing from that has a podSelector matching role: frontend.

3. Set policy type to Ingress to deny all other ingress traffic
Add policyTypes under spec and set it to - Ingress to ensure all other ingress traffic is denied by default.
Hint: Adding policyTypes: [Ingress] tells Kubernetes to deny all ingress traffic to the selected pods except what the ingress rules allow.

4. Apply the NetworkPolicy and verify it
Run the command kubectl apply -f allow-same-label.yaml to apply the NetworkPolicy. Then run kubectl get networkpolicy allow-same-label -o yaml to display the applied policy.
Hint: Use kubectl apply -f allow-same-label.yaml to create the policy and kubectl get networkpolicy allow-same-label -o yaml to verify it.
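
The manifest that steps 1 to 3 build up, assembled in one file as an added example (not the tutorial's own solution file). It assumes the policy is applied into the namespace where the role: frontend pods run.

```yaml
# Added example: allow-same-label.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  # Name matches the `kubectl get networkpolicy allow-same-label` check in step 4.
  # No namespace is set, so the policy lands in the namespace kubectl applies into.
  name: allow-same-label
spec:
  # Step 1: the pods this policy protects (the ingress targets).
  podSelector:
    matchLabels:
      role: frontend
  # Step 3: listing Ingress isolates the selected pods for inbound traffic;
  # only sources matched by the rules below are admitted. Egress is untouched.
  policyTypes:
    - Ingress
  # Step 2: the allowed sources.
  ingress:
    - from:
        # A podSelector with no namespaceSelector matches pods in the
        # policy's own namespace only.
        - podSelector:
            matchLabels:
              role: frontend
```

Pods in the namespace that no policy selects stay open to all ingress, and the rules are enforced only when the cluster's network plugin implements NetworkPolicy.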