How to Allow Traffic Between Pods in Kubernetes
In Kubernetes, pods can communicate by default if they are in the same cluster network. To explicitly allow or restrict traffic between pods, use NetworkPolicy resources that define rules for allowed ingress and egress traffic between pods.
Syntax
A NetworkPolicy resource defines rules to allow or block traffic between pods. It has these main parts:
- podSelector: selects the pods the policy applies to.
- policyTypes: specifies if the rules apply to Ingress, Egress, or both.
- ingress: rules for incoming traffic.
- egress: rules for outgoing traffic.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-pod-traffic
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: myapp
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: myapp
```
Example
This example NetworkPolicy allows pods with the label app: myapp to receive and send traffic only to other pods with the same label. It blocks traffic from or to pods without this label.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-myapp-traffic
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: myapp
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: myapp
```
Output
networkpolicy.networking.k8s.io/allow-myapp-traffic created
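To make the semantics of the example concrete, here is an added evaluator (not code from the original page) that applies the NetworkPolicy rules described above to a constructed set of pods in one namespace: a pod that no policy selects keeps the default allow, a selected pod must match a rule, and a connection needs both the source's egress and the destination's ingress to permit it. The policies, pod names and labels are constructed for the example; only podSelector peers are modelled (no namespaceSelector, ipBlock or ports).

```python
# Added example (not from the original page): evaluator for the NetworkPolicy
# semantics explained above, run against the page's allow-myapp-traffic policy.
# Constructed: the page's allow-myapp-traffic manifest as a YAML loader would produce it.
ALLOW_MYAPP = {
    "metadata": {"name": "allow-myapp-traffic"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "myapp"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "myapp"}}}]}],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "myapp"}}}]}],
    },
}
# Constructed: a namespace-wide default-deny for ingress (an empty podSelector
# selects every pod; with no ingress rules, nothing is admitted).
DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
# Constructed pods in one namespace: name -> labels.
PODS = {"myapp-1": {"app": "myapp"}, "myapp-2": {"app": "myapp"},
        "db": {"app": "db"}, "debug": {"app": "debug"}}

def matches(selector, labels):
    """Every matchLabels entry must be present; an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def direction_allowed(policies, pod, peer, direction):
    """One side of the check (Ingress on the destination, Egress on the source).
    Unselected pods keep the default allow; otherwise some rule must admit the peer."""
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selected = False
    for pol in policies:
        spec = pol["spec"]
        # policyTypes is read exactly as written; the page recommends always setting it.
        if direction not in spec["policyTypes"] or not matches(spec["podSelector"], pod):
            continue
        selected = True
        for rule in spec.get(rules_key) or []:
            peers = rule.get(peer_key)
            if not peers:  # a rule without from/to admits every peer
                return True
            if any(matches(p["podSelector"], peer) for p in peers if "podSelector" in p):
                return True
    return not selected

def allowed(policies, src, dst):
    """Traffic flows only if source egress and destination ingress both allow it."""
    return (direction_allowed(policies, PODS[src], PODS[dst], "Egress")
            and direction_allowed(policies, PODS[dst], PODS[src], "Ingress"))
```

With only the page's policy, debug to db is still allowed because neither pod is selected; adding the default-deny policy closes that gap while myapp to myapp keeps working, since policies are additive.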
Common Pitfalls
- Assuming pods cannot communicate by default: Kubernetes allows pod-to-pod traffic unless restricted by NetworkPolicies.
- Not applying a podSelector correctly: if the selector matches no pods, the policy has no effect.
- Forgetting to specify policyTypes: without it, the policy may not apply to ingress or egress as intended.
- Using NetworkPolicies requires a network plugin that supports them; some default setups may not enforce policies.
```yaml
### Wrong: Missing policyTypes, so ingress rules ignored
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: wrong-policy
spec:
  podSelector:
    matchLabels:
      app: myapp
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: myapp
```
```yaml
### Right: Specify policyTypes
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: correct-policy
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: myapp
```
Quick Reference
| Concept | Description |
|---|---|
| podSelector | Selects pods the policy applies to |
| policyTypes | Defines if rules apply to Ingress, Egress, or both |
| ingress | Rules for incoming traffic to pods |
| egress | Rules for outgoing traffic from pods |
| Network Plugin | Must support NetworkPolicy for enforcement |
Key Takeaways
- Pods can communicate by default unless restricted by NetworkPolicies.
- Use NetworkPolicy with podSelector and policyTypes to control pod traffic.
- Specify both ingress and egress rules to allow two-way communication.
- Ensure your Kubernetes network plugin supports NetworkPolicy enforcement.
- Test policies carefully to avoid accidentally blocking needed traffic.