
Network Policies

Overview

Network Policies control which pods are allowed to talk to each other. On the Cloud Platform they are used to regulate connectivity between Kubernetes namespaces.
Every namespace in the cluster has network policies which only allow inbound traffic from the ingress controllers' namespace (so that incoming requests can be routed to your web applications). Traffic from any other namespace is therefore blocked until you add a policy that explicitly allows it.

A network policy selects the pods it protects with a podSelector, and allows connections from peers identified by a podSelector and/or a namespaceSelector. Requests are therefore filtered on namespace labels, pod labels, or both.

Namespace Label

This example demonstrates using a namespaceSelector to allow traffic based on a namespace label.

Any namespace label can be used in the network policy.
For clarity, and to avoid overlap with labels used by other namespaces, this example uses the label key:
cloud-platform.justice.gov.uk/namespace

# 00-namespace.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: source-namespace
  labels:
    cloud-platform.justice.gov.uk/namespace: "source-namespace"  # this is the label the network policy will match
    cloud-platform.justice.gov.uk/is-production: "false"
    cloud-platform.justice.gov.uk/environment-name: "dev"
  annotations:
    cloud-platform.justice.gov.uk/business-unit: "HMPPS"
    cloud-platform.justice.gov.uk/application: "court-probation"
    cloud-platform.justice.gov.uk/owner: "andy.marke@digital.justice.gov.uk: andy.marke@digital.justice.gov.uk"
    cloud-platform.justice.gov.uk/source-code: "https://github.com/ministryofjustice/court-probation-service"

Network Policy

Once the relevant label has been added to the namespace, the policy can be created.

The policy below allows all traffic from namespaces which carry the label cloud-platform.justice.gov.uk/namespace with the value source-namespace to reach any pod in the namespace called target-namespace. Only the label value is matched, so check it carefully: a typo in the value means the policy matches no namespace at all and the traffic stays blocked.

# 04-networkpolicy.yaml
# allow-source-namespace.yaml
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-source-namespace
  namespace: target-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          cloud-platform.justice.gov.uk/namespace: "source-namespace"

Note: For more complex use-cases, or if the policy is going to be specific to a Pod, see here
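The policy above, and the note about pod-specific policies, as an added example that is not the page's or the Cloud Platform's own code: a small Python evaluator that encodes the allow-source-namespace policy as a dict mirroring its YAML key for key, alongside a tighter hypothetical variant that also requires a pod label and a port, and the common mis-write of that variant in which the two selectors land in separate `from` items and are therefore ORed rather than ANDed. The names app=api, app=myservice, other-namespace and port 8080 are assumptions made for the example; the evaluator models matchLabels, podSelector, namespaceSelector and ports only (no matchExpressions, no ipBlock).

```python
# Added example, not from the Cloud Platform docs: evaluator for the ingress
# semantics of a Kubernetes NetworkPolicy. Models matchLabels, podSelector,
# namespaceSelector and ports only. The policies, labels, "app=api",
# "app=myservice", "other-namespace" and port 8080 are constructed assumptions.

NS_LABEL = "cloud-platform.justice.gov.uk/namespace"

# The policy from the page, as a dict that mirrors the YAML key for key.
ALLOW_SOURCE_NAMESPACE = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-source-namespace", "namespace": "target-namespace"},
    "spec": {
        "podSelector": {},              # {} selects every pod in target-namespace
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [
            {"namespaceSelector": {"matchLabels": {NS_LABEL: "source-namespace"}}},
        ]}],
    },
}

# Tighter, hypothetical variant: only pods labelled app=api in source-namespace
# may reach pods labelled app=myservice, and only on TCP 8080. A namespaceSelector
# and a podSelector in the SAME "from" item are ANDed.
ALLOW_API_PODS_ONLY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-api-pods", "namespace": "target-namespace"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "myservice"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{
                "namespaceSelector": {"matchLabels": {NS_LABEL: "source-namespace"}},
                "podSelector": {"matchLabels": {"app": "api"}},
            }],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}

# Common mistake: the same two selectors as SEPARATE "from" items are ORed.
# This admits every pod in source-namespace, plus app=api pods in the policy's
# own namespace (a podSelector without a namespaceSelector is scoped there).
ALLOW_TOO_MUCH = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-api-pods-wrong", "namespace": "target-namespace"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "myservice"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [
                {"namespaceSelector": {"matchLabels": {NS_LABEL: "source-namespace"}}},
                {"podSelector": {"matchLabels": {"app": "api"}}},
            ],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}


def make_source(namespace, app):
    """Constructed source pod: namespace name, namespace labels, pod labels."""
    return {"namespace": namespace, "ns_labels": {NS_LABEL: namespace}, "pod_labels": {"app": app}}


def _selector_matches(selector, labels):
    """matchLabels semantics: every key/value must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, policy_namespace, source):
    """One item of a "from" list; the selectors inside it are ANDed."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                     # ipBlock-only peer, not modelled here
    if ns_sel is not None and not _selector_matches(ns_sel, source["ns_labels"]):
        return False
    if pod_sel is not None:
        if ns_sel is None and source["namespace"] != policy_namespace:
            return False                 # bare podSelector: policy's own namespace only
        if not _selector_matches(pod_sel, source["pod_labels"]):
            return False
    return True


def ingress_allowed(policy, target_pod_labels, source, port, protocol="TCP"):
    """True if this policy permits `source` to reach a pod carrying `target_pod_labels`
    on port/protocol. A policy that does not select the target pod grants nothing."""
    spec = policy["spec"]
    if not _selector_matches(spec["podSelector"], target_pod_labels):
        return False
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return False
    for rule in spec.get("ingress", []):
        peers, ports = rule.get("from"), rule.get("ports")
        peer_ok = not peers or any(_peer_matches(p, policy["metadata"]["namespace"], source)
                                   for p in peers)      # absent/empty "from": all sources
        port_ok = not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port
                                   for p in ports)      # absent/empty "ports": all ports
        if peer_ok and port_ok:
            return True
    return False
```

The point to take from it: a namespaceSelector and a podSelector inside one `from` entry must both match, while separate entries are alternatives, so a hyphen in the wrong place turns "api pods in source-namespace" into "every pod in source-namespace". The evaluator also makes the caveat explicit that a policy which does not select the target pod grants nothing on its own; whether such traffic is then allowed depends on the other policies in the namespace, which on the Cloud Platform means the default policy that admits only the ingress controllers' namespace.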

Accessing the service

To access a service in the target namespace from the source namespace, add the target namespace name to the service's DNS name, i.e. <service-name>.<namespace> (the fully qualified form is <service-name>.<namespace>.svc.cluster.local), e.g:

curl myservice.target-namespace

If the network policy is missing, or its label value does not match the source namespace, the request will typically hang until it times out rather than being refused; that is the usual sign that a network policy is blocking the connection.
This page was last reviewed on 26 July 2021. It needs to be reviewed again on 26 October 2021.