Network Policy in Kubernetes

Secure communication between pods is critical in maintaining secure deployments. In this post, I will demonstrate how Kubernetes Network Policy can enforce fine-grained security controls in Kubernetes.

I will demonstrate how to set up and enforce network policies in a Minikube environment, ensuring a MYSQL pod in one namespace cannot be accessed by a client pod in another namespace after applying the policy.

Prerequisites

• A working installation of Minikube
• Basic Knowledge of Kubernetes concepts and resources
• 'kubectl' configured to interact with the Minikube cluster.

Start Minikube

setup the Kubernetes environment with Minikube
minikube start

Create Namespaces and Deploy Pods

Create two namespaces: database namespace; for the MySQL pod and client namespace; for the client pod connecting to the MYSQL Database.

Deploy a MYSQL pod in the 'database' namespace:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: mysql
  namespace: database
  labels:
    app: mysql
spec:
  containers:
  - name: mysql
    image: mysql:5.7
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: password
EOF

Deploy a Client pod in the client namespace:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: client
  namespace: client
  labels:
    app: client
spec:
  containers:
  - name: client
    image: mysql:5.7
    command: ["sleep", "3600"]
EOF

Test Connectivity Before Apply Network Policy

Verify that the client pod can connect to the MYSQL pod:
kubectl exec -it client -n client -- sh

Connect to MySQL:
mysql -h <pod ip address> -u root -p

Implementing Kubernetes Network Policy

Now, we can create a Kubernetes Network Policy to deny access from the client namespace to the database namespace.

I prefer using the Cilium Kubernetes Network Policy Generator. This tool provides a user-friendly UI to interpret policies at a glance and create them in a few clicks. It can be used to develop Kubernetes Network policies and Cilium Network Policy

Cilium offers a more robust and feature-rich alternative to Kubernetes' built-in network policies, enabling advanced security features like deep packet inspection and layer 7 (Application Layer) policies.

Generate a Kubernetes Network Policy with Cilium Policy Generator

How to use the UI policy Generator

kubectl --apply -f - <<EOF

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

  name: deny-client-access

  namespace: database

spec:

  podSelector:

    matchLabels:

      app: mysql

  policyTypes:

    - Ingress

    - Egress

  ingress: []

  egress: []

EOF

Test Connectivity After Applying Network Policy

Verify that the client pod can no longer connect to the MySQL pod:
kubectl exec -it -n client -- sh
mysql -h <pod ip address> -u root -p

By implementing Kubernetes Network Policies, we can effectively control the communication between pods across namespaces, enhancing the security of our Kubernetes cluster. For more advanced and robust network policies, technologies like cilium can be used.