Secure communication between pods is critical to maintaining secure deployments. In this post, I will demonstrate how a Kubernetes Network Policy can enforce fine-grained security controls in Kubernetes.
I will show how to set up and enforce network policies in a Minikube environment, ensuring that a MySQL pod in one namespace can no longer be reached by a client pod in another namespace once the policy is applied.
Prerequisites
- A working installation of Minikube
- Basic Knowledge of Kubernetes concepts and resources
- 'kubectl' configured to interact with the Minikube cluster.
Start Minikube
Set up the Kubernetes environment with Minikube:
minikube start
Create Namespaces and Deploy Pods
Create two namespaces: 'database', for the MySQL pod, and 'client', for the client pod that connects to the MySQL database.
Deploy a MySQL pod in the 'database' namespace:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: mysql
  namespace: database
  labels:
    app: mysql
spec:
  containers:
  - name: mysql
    image: mysql:5.7
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: password
EOF
Deploy a client pod in the 'client' namespace:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: client
  namespace: client
  labels:
    app: client
spec:
  containers:
  - name: client
    image: mysql:5.7
    command: ["sleep", "3600"]
EOF
Test Connectivity Before Applying the Network Policy
Verify that the client pod can connect to the MySQL pod:
kubectl exec -it client -n client -- sh
Connect to MySQL (substitute the MySQL pod's IP address):
mysql -h <pod ip address> -u root -p
Implementing Kubernetes Network Policy
Now we can create a Kubernetes Network Policy that denies access from the 'client' namespace to the 'database' namespace.
I prefer using the Cilium Kubernetes Network Policy Generator. This tool provides a user-friendly UI that lets you interpret policies at a glance and create them in a few clicks. It can be used to develop both Kubernetes Network Policies and Cilium Network Policies.
Cilium offers a more robust and feature-rich alternative to Kubernetes' built-in network policies, enabling advanced security features such as deep packet inspection and layer 7 (application layer) policies.
Generate a Kubernetes Network Policy with Cilium Policy Generator
How to use the UI policy Generator
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-client-access
  namespace: database
spec:
  # Applies to the MySQL pod only
  podSelector:
    matchLabels:
      app: mysql
  policyTypes:
  - Ingress
  - Egress
  # Empty rule lists: no ingress and no egress is allowed for the selected pod
  ingress: []
  egress: []
EOF
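To make the policy semantics concrete, here is an added example (not code from the post) that evaluates NetworkPolicy rules offline, using the same pods and the same deny-client-access policy expressed as Python dicts. It also goes one step beyond the post with a hypothetical allow-list policy (allow-client-ns, assumed here, not from the post) that admits only app=client pods from the 'client' namespace on port 3306, and it shows that policies are additive: a pod becomes isolated as soon as any policy selects it, and a connection is allowed if any selecting policy has a rule that matches. The namespace labels and the 'other' namespace are constructed for the example; Kubernetes itself sets the kubernetes.io/metadata.name label on every namespace.

```python
"""Offline evaluator for Kubernetes NetworkPolicy semantics (added example).

Models the documented behaviour: a pod selected by no policy accepts all
traffic; once any policy of a type (Ingress/Egress) selects it, only traffic
matched by some rule of some selecting policy passes, and an empty rule list
denies everything. Supports podSelector/namespaceSelector with matchLabels
only; ipBlock peers are treated as non-matching for pod-to-pod traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict


# Constructed namespace label sets for the example.
NAMESPACES = {
    "database": {"kubernetes.io/metadata.name": "database"},
    "client": {"kubernetes.io/metadata.name": "client"},
    "other": {"kubernetes.io/metadata.name": "other"},
}


def _labels_match(selector, labels):
    """matchLabels semantics; an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, pod, policy_ns):
    """Does one 'from'/'to' peer entry match the remote pod?"""
    if "ipBlock" in peer:
        return False
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is not None and not _labels_match(ns_sel, NAMESPACES.get(pod.namespace, {})):
        return False
    if ns_sel is None and pod.namespace != policy_ns:
        return False  # a podSelector alone is scoped to the policy's own namespace
    if pod_sel is not None and not _labels_match(pod_sel, pod.labels):
        return False
    return True


def _ports_match(rule, port, protocol):
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed means all ports
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def _policy_types(spec):
    types = spec.get("policyTypes")
    if types:
        return set(types)
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def _direction_allowed(policies, local, remote, port, protocol, direction):
    """Evaluate the policies that select `local` for one direction."""
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == local.namespace
        and direction in _policy_types(p["spec"])
        and _labels_match(p["spec"].get("podSelector", {}), local.labels)
    ]
    if not selecting:
        return True  # not isolated in this direction
    for p in selecting:
        for rule in p["spec"].get(key) or []:
            peers = rule.get(peer_key)
            peer_ok = not peers or any(_peer_matches(x, remote, local.namespace) for x in peers)
            if peer_ok and _ports_match(rule, port, protocol):
                return True
    return False


def connection_allowed(policies, src, dst, port=3306, protocol="TCP"):
    """A connection succeeds only if src's egress and dst's ingress both allow it."""
    return (_direction_allowed(policies, src, dst, port, protocol, "Egress")
            and _direction_allowed(policies, dst, src, port, protocol, "Ingress"))


MYSQL = Pod("mysql", "database", {"app": "mysql"})
CLIENT = Pod("client", "client", {"app": "client"})
OTHER = Pod("intruder", "other", {"app": "client"})  # constructed third namespace

# The deny-client-access policy from the post, as a dict.
DENY_CLIENT_ACCESS = {
    "metadata": {"name": "deny-client-access", "namespace": "database"},
    "spec": {"podSelector": {"matchLabels": {"app": "mysql"}},
             "policyTypes": ["Ingress", "Egress"], "ingress": [], "egress": []},
}

# Hypothetical allow-list (assumed, not from the post): only app=client pods in
# the 'client' namespace may reach MySQL, and only on TCP 3306.
ALLOW_CLIENT_NS = {
    "metadata": {"name": "allow-client-ns", "namespace": "database"},
    "spec": {"podSelector": {"matchLabels": {"app": "mysql"}},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "client"}},
                                    "podSelector": {"matchLabels": {"app": "client"}}}],
                          "ports": [{"protocol": "TCP", "port": 3306}]}]},
}

if __name__ == "__main__":
    print("no policy        :", connection_allowed([], CLIENT, MYSQL))
    print("deny-all         :", connection_allowed([DENY_CLIENT_ACCESS], CLIENT, MYSQL))
    print("allow client ns  :", connection_allowed([ALLOW_CLIENT_NS], CLIENT, MYSQL))
    print("other namespace  :", connection_allowed([ALLOW_CLIENT_NS], OTHER, MYSQL))
```

The evaluator only models the API semantics. On a real cluster a NetworkPolicy object is accepted by the API server regardless of whether anything enforces it; enforcement is the job of the CNI plugin, and Minikube's default CNI does not implement NetworkPolicy. To see the deny take effect in the test step that follows, start the cluster with a policy-capable CNI, for example `minikube start --cni=calico` or `minikube start --cni=cilium`.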
Test Connectivity After Applying the Network Policy
Verify that the client pod can no longer connect to the MySQL pod:
kubectl exec -it client -n client -- sh
mysql -h <pod ip address> -u root -p
By implementing Kubernetes Network Policies, we can effectively control communication between pods across namespaces, enhancing the security of our Kubernetes cluster. For more advanced and robust network policies, technologies like Cilium can be used.
Top comments (1)
This is really helpful, thanks Abdulrasaq