Salaudeen O. Abdulrasaq

Network Policy in Kubernetes

Secure communication between pods is critical in maintaining secure deployments. In this post, I will demonstrate how Kubernetes Network Policy can enforce fine-grained security controls in Kubernetes.

I will show how to set up and enforce network policies in a Minikube environment, so that a MySQL pod in one namespace cannot be accessed by a client pod in another namespace once the policy is applied.

Prerequisites

  • A working installation of Minikube
  • Basic knowledge of Kubernetes concepts and resources
  • 'kubectl' configured to interact with the Minikube cluster.

Start Minikube

Set up the Kubernetes environment with Minikube:
minikube start

Create Namespaces and Deploy Pods

Create two namespaces: 'database', for the MySQL pod, and 'client', for the client pod that connects to the MySQL database.

Deploy a MySQL pod in the 'database' namespace:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: mysql
  namespace: database
  labels:
    app: mysql
spec:
  containers:
  - name: mysql
    image: mysql:5.7
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: password
EOF

Deploy a client pod in the 'client' namespace:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: client
  namespace: client
  labels:
    app: client
spec:
  containers:
  - name: client
    image: mysql:5.7
    command: ["sleep", "3600"]
EOF

Test Connectivity Before Applying the Network Policy

Verify that the client pod can connect to the MySQL pod:
kubectl exec -it client -n client -- sh

Connect to MySQL:
mysql -h <pod ip address> -u root -p


Implementing Kubernetes Network Policy

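Now we can create a Kubernetes Network Policy to deny access from the client namespace to the database namespace. The policy applied below selects the mysql pod and lists no ingress or egress rules, so it blocks all traffic to and from that pod, not only connections from the client namespace. Keep in mind that a NetworkPolicy is only enforced when the cluster's CNI plugin implements it.

I prefer using the Cilium Kubernetes Network Policy Generator. This tool provides a user-friendly UI to interpret policies at a glance and create them in a few clicks. It can be used to develop both Kubernetes Network Policies and Cilium Network Policies.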

Cilium offers a more robust and feature-rich alternative to Kubernetes' built-in network policies, enabling advanced security features like deep packet inspection and layer 7 (Application Layer) policies.

Generate a Kubernetes Network Policy with Cilium Policy Generator

How to use the UI policy Generator

kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-client-access
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: mysql
  policyTypes:
    - Ingress
    - Egress
  ingress: []
  egress: []
EOF
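
To make the effect of this policy concrete, the following added example (not from the original post) models how Kubernetes evaluates ingress rules and runs that model on the page's mysql and client pods. It covers matchLabels selectors and TCP port numbers only; the backend pod and the allow-same-namespace policy are hypothetical additions for comparison.

```python
"""Added example: model of NetworkPolicy ingress evaluation (matchLabels, TCP ports only)."""

def matches(selector, labels):
    """{} matches everything; every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, src, ns_labels):
    """Evaluate one entry of a rule's `from` list against the source pod."""
    if "namespaceSelector" in peer:
        ns_ok = matches(peer["namespaceSelector"], ns_labels[src["namespace"]])
    else:  # a bare podSelector only reaches pods in the policy's own namespace
        ns_ok = src["namespace"] == policy_ns
    return ns_ok and matches(peer.get("podSelector", {}), src["labels"])

def ingress_allowed(policies, src, dst, port, ns_labels):
    """True if src may connect to dst on the given TCP port."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:  # no policy selects the pod, so it is not isolated
        return True
    for p in selecting:  # policies are additive: any matching rule allows
        for rule in p["spec"].get("ingress", []):
            port_ok = not rule.get("ports") or any(x["port"] == port for x in rule["ports"])
            from_ok = not rule.get("from") or any(
                peer_matches(peer, dst["namespace"], src, ns_labels) for peer in rule["from"])
            if port_ok and from_ok:
                return True
    return False  # isolated and no rule matched

# Namespaces and pods from this page; BACKEND is a hypothetical same-namespace pod.
NS = {"database": {"kubernetes.io/metadata.name": "database"},
      "client": {"kubernetes.io/metadata.name": "client"}}
MYSQL = {"namespace": "database", "labels": {"app": "mysql"}}
CLIENT = {"namespace": "client", "labels": {"app": "client"}}
BACKEND = {"namespace": "database", "labels": {"app": "backend"}}
def policy(name, ingress):  # policy in 'database' selecting app=mysql, as on the page
    return {"metadata": {"name": name, "namespace": "database"},
            "spec": {"podSelector": {"matchLabels": {"app": "mysql"}},
                     "policyTypes": ["Ingress"], "ingress": ingress}}
DENY_ALL = policy("deny-client-access", [])  # the page's policy, ingress side
SAME_NS = policy("allow-same-namespace",     # hypothetical narrower variant
                 [{"from": [{"podSelector": {}}], "ports": [{"port": 3306}]}])

if __name__ == "__main__":
    for pols in ([], [DENY_ALL], [SAME_NS]):  # prints [client, backend] verdicts
        print([p["metadata"]["name"] for p in pols],
              [ingress_allowed(pols, s, MYSQL, 3306, NS) for s in (CLIENT, BACKEND)])
```

With the page's policy both sources are blocked; with the narrower variant only the same-namespace pod reaches port 3306, and the client namespace stays blocked.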

Test Connectivity After Applying Network Policy

Verify that the client pod can no longer connect to the MySQL pod:
kubectl exec -it client -n client -- sh
mysql -h <pod ip address> -u root -p


By implementing Kubernetes Network Policies, we can effectively control the communication between pods across namespaces, enhancing the security of our Kubernetes cluster. For more advanced and robust network policies, technologies like Cilium can be used.

Top comments (1)

Allison Okikiola

This is really helpful, thanks Abdulrasaq