How to Use Network Policy in Kubernetes: Simple Guide
Use NetworkPolicy resources in Kubernetes to control traffic flow between pods. Define rules in YAML that allow ingress and egress traffic by pod selector, namespace selector, IP block, and port, then apply them with kubectl apply. Policies are allow-lists: once any policy selects a pod for a direction, that pod accepts only the traffic some policy explicitly allows in that direction, and there is no deny rule to subtract from an allowance.
Syntax
A NetworkPolicy resource has these main parts:
- metadata: Name and namespace of the policy. Policies are namespaced and can only select pods in their own namespace.
- podSelector: Selects the pods the policy applies to. An empty selector ({}) selects every pod in the namespace.
- policyTypes: Defines whether the policy controls Ingress, Egress, or both.
- ingress/egress: Lists rules specifying allowed traffic sources or destinations. A direction listed in policyTypes with no rules allows nothing in that direction.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 3306
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 53
```
Example
This example allows pods labeled role=db to accept TCP traffic on port 3306 only from pods labeled role=frontend in the same namespace. It also allows egress DNS queries over UDP port 53 to IPs in 10.0.0.0/24. Because Egress is listed in policyTypes, every other outbound connection from the role=db pods is denied, including name resolution if the cluster resolver does not live in that range, so check where kube-dns actually runs before applying it.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-access
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 3306
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: UDP
      port: 53
```
Output
Applying the manifest with kubectl apply prints:
networkpolicy.networking.k8s.io/db-access created
This only confirms that the API server stored the object; whether the rules are enforced depends on the cluster's network plugin.
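The db-access policy above only makes sense on top of a namespace-wide default deny; otherwise every pod it does not select stays wide open. The two manifests below are an added example, not part of the original page: the first uses an empty podSelector to isolate every pod in default in both directions, and the second restores DNS egress to the cluster resolver by naming both a namespaceSelector and a podSelector in the same to entry, which combines them with AND. It assumes the resolver pods carry the label k8s-app: kube-dns in kube-system (true for CoreDNS on kubeadm clusters) and that the namespace carries the automatic kubernetes.io/metadata.name label (Kubernetes 1.22 and later); both are assumptions to verify in your cluster.

```yaml
# Added example: default deny for the whole namespace, then a targeted DNS allowance.
# Not part of the original page. The k8s-app=kube-dns label is an assumption;
# verify it with: kubectl get pods -n kube-system --show-labels
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}          # empty selector: every pod in the namespace is isolated
  policyTypes:
  - Ingress
  - Egress                 # both directions listed, no rules: nothing is allowed
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: default
spec:
  podSelector: {}          # every pod in the namespace may resolve names
  policyTypes:
  - Egress
  egress:
  - to:
    # namespaceSelector and podSelector in ONE list entry: both must match (AND).
    # Only the resolver pods in kube-system are reachable, not all of kube-system
    # and not every k8s-app=kube-dns pod in every namespace.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system   # label set automatically on namespaces
      podSelector:
        matchLabels:
          k8s-app: kube-dns                          # assumed CoreDNS pod label
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP        # DNS falls back to TCP for large responses
      port: 53
```

Because policies are additive, applying these two together with db-access yields the union of their allowances: DNS for everyone, MySQL from frontend to db, and the 10.0.0.0/24 egress for db. When rolling this out on a namespace that already has running workloads, apply the allowances before the default deny so that nothing loses connectivity in between.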
Common Pitfalls
- podSelector is a required field; kubectl apply rejects a manifest that omits it. An empty selector (podSelector: {}) does not mean "no pods": it selects every pod in the namespace, which is exactly how a default-deny policy is written.
- If policyTypes is omitted, it defaults to Ingress, and Egress is added only when the policy contains at least one egress rule. A policy meant to deny all egress (egress: [] with no policyTypes) therefore restricts nothing outbound and instead isolates the selected pods for ingress. Set policyTypes explicitly.
- Policies are additive allow-lists with no deny rule. Any pod selected by any policy becomes isolated in the listed directions, so a broad selector such as {} with few rules blocks most traffic in the namespace, and no second policy can take an allowance back.
- Inside a single from or to entry, namespaceSelector and podSelector are combined with AND; written as two separate entries they are combined with OR, which is a much wider allowance.
- Network policies require a network plugin (CNI) that implements them, such as Calico or Cilium. With a plugin that does not, the API server still accepts the object and it silently has no effect.
```yaml
# wrong-policy: podSelector is missing. kubectl apply rejects this manifest
# (podSelector is a required field). Note that podSelector: {} would NOT
# fix it by selecting "no pods"; it selects every pod in the namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: wrong-policy
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
---
# correct-policy: selects the role=db pods and names the direction explicitly
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: correct-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
```
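Two of the pitfalls above are easy to reproduce side by side. The manifests below are an added example, not from the original page: the first pair shows a policy meant to block all egress from the role=db pods that omits policyTypes, next to the version that actually does so; the second pair shows the same two selectors written as one from entry and as two. Pod labels follow the page's examples; the namespace label monitoring: "true" is an assumption used only for illustration.

```yaml
# Added example (not from the original page).
# Pitfall 1: intended "deny all egress from role=db", but policyTypes is omitted.
# egress: [] contains no rules, so the default becomes policyTypes: [Ingress].
# Result, if this is the only policy selecting these pods: egress stays
# unrestricted and the pods lose ALL ingress instead.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-egress-broken
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  egress: []
---
# Corrected: name the direction. Egress listed with no egress rules denies
# all outbound traffic; ingress is untouched because Ingress is not listed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Egress
---
# Pitfall 2: both selectors in ONE from entry = AND.
# Allows only role=frontend pods that live in a namespace labeled monitoring=true.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-and
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          monitoring: "true"     # assumed namespace label
      podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 3306
---
# The same selectors as TWO from entries = OR.
# Allows every pod in any monitoring=true namespace, PLUS every role=frontend
# pod in this namespace (a bare podSelector means "same namespace as the policy").
# One extra "-" turns a narrow rule into a broad one.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-or
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          monitoring: "true"
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 3306
```

A quick way to catch the OR form in review is to look for a from or to list with more than one entry and ask whether each entry on its own is an allowance you intend to grant, because that is exactly what it is.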
Quick Reference
| Field | Description |
|---|---|
| metadata.name | Name of the NetworkPolicy |
| metadata.namespace | Namespace where policy applies |
| spec.podSelector | Selects pods the policy targets (required; {} selects all pods in the namespace) |
| spec.policyTypes | Types of traffic controlled: Ingress, Egress, or both; if omitted, Ingress, plus Egress only when egress rules are present |
| spec.ingress | Rules for incoming traffic |
| spec.egress | Rules for outgoing traffic |
| from/to | Sources or destinations allowed (pods, namespaces, IP blocks) |
| ports | Allowed ports and protocols |
Key Takeaways
NetworkPolicy controls pod traffic by defining allowed ingress and egress rules; once a pod is isolated in a direction, anything not explicitly allowed in that direction is dropped.
Always specify podSelector: it is required, and podSelector: {} selects every pod in the namespace rather than none.
Set policyTypes explicitly to control ingress, egress, or both; relying on the default is a common source of half-applied policies.
Network policies require a compatible network plugin; the API server accepts them either way, so a successful apply proves nothing about enforcement.
Test policies from inside the cluster, for example by exec'ing into a pod in the namespace and attempting both a connection that should succeed and one that should be blocked, before relying on them.