Kubernetes Network Policies

SUMMARY Juniper Cloud-Native Contrail® Networking™ (CN2) lets you deploy Kubernetes network policies within the Contrail firewall security policy framework. You must use a Container Network Interface (CNI) that supports `NetworkPolicy`, like Contrail, to deploy a network policy. This topic provides information about how to deploy a Kubernetes network policy in environments running CN2.
Kubernetes Network Policy Overview

Kubernetes network policies let you specify how pods communicate with other pods and network endpoints. A Kubernetes `NetworkPolicy` resource enables a pod to communicate with:

- Other pods in the allowlist (a pod cannot block access to itself).
- Namespaces in the allowlist.
- IP blocks, or Classless Inter-Domain Routing (CIDR) ranges.
Kubernetes network policies apply only to pods within a namespace and define ingress (source) and egress (destination) rules. Kubernetes network policies have the following characteristics when applied to a pod:

- Pod specific: they apply to a single pod or a group of pods, and the network policy rules dictate the traffic to that pod.
- Define traffic rules for a pod for ingress traffic, egress traffic, or both. If you don't specify a direction explicitly, the policy applies to the ingress direction by default.
- Must contain explicit rules that specify traffic from the allowlist in the ingress and egress directions. Traffic that does not match the allowlist rules is denied.
- Permitted traffic includes traffic matching any of the network policies applied to a pod.
Kubernetes network policies have the following additional characteristics:

- When no policy is applied to a pod, that pod accepts traffic from all sources.
- They act on connections rather than individual packets. For example, if traffic from pod A to pod B is allowed by the configured policy, then the reply packets from pod B to pod A are also allowed, even if the policy in place does not allow pod B to initiate a connection to pod A.
A Kubernetes network policy comprises the following sections:

- `spec`: Describes the desired state of a Kubernetes object. For a network policy, the `podSelector` and `policyTypes` fields within the spec specify the rules for that policy.
- `podSelector`: Selects the groups of pods to which the policy applies. An empty `podSelector` selects all pods in the namespace.
- `policyTypes`: Specifies whether the policy applies to ingress traffic from selected pods or egress traffic to selected pods. If no `policyTypes` are specified, the ingress direction is selected by default.
- `ingress`: Allows ingress traffic that matches the `from` and `ports` sections. In the following example, the ingress rule allows connections to all pods in the `dev` namespace with the label `app: webserver-dev` on TCP port 80 from:
  - Any pod in the default namespace with the label `app: client1-dev`.
  - All IP addresses within the 10.169.25.20/32 range.
  - Any pod in the default namespace with the label `project: jtac`.
- `egress`: Allows egress traffic that matches the `to` and `ports` sections. In the policy1 example that follows, the egress rule allows connections from any pod in the default namespace with the label `app: dbserver-dev` to TCP port 80.
- `ipBlock`: Selects IP CIDR ranges to allow as ingress sources or egress destinations. The `ipBlock` section of a network policy contains the following two fields:
  - `cidr` (`ipBlock.cidr`): The network policy allows egress traffic to, or ingress traffic from, the specified IP range.
  - `except` (`ipBlock.except`): Kubernetes expects traffic in the specified IP range not to match the policy. The network policy denies ingress traffic from, or egress traffic to, the IP range specified in `except`.

  Note: If you use `except` in a network policy, Kubernetes expects the identified traffic in the `except` IP range not to match the policy. CN2 does not support this specific scenario where you use the `except` term. As a result, we recommend that you avoid using `except`.
The following `NetworkPolicy` resource example shows `ingress` and `egress` rules:

```yaml
# policy1-do.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: policy1
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: webserver-dev
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.169.25.20/32
        - namespaceSelector:
            matchLabels:
              project: jtac
        - podSelector:
            matchLabels:
              app: client1-dev
      ports:
        - protocol: TCP
          port: 80
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: dbserver-dev
      ports:
        - protocol: TCP
          port: 80
```
In this example, ingress TCP traffic on port 80 from IPs within CIDR 10.169.25.20/32 is allowed. Egress traffic to pods with `matchLabels` `app: dbserver-dev` on TCP port 80 is allowed.
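To make the characteristics listed above concrete, here is an added Python model (not CN2 or Kubernetes code) that evaluates connections against policy1: pods are dicts of namespace and labels, external peers are dicts with an `ip`, and the namespace labels in `NS_LABELS` (including a hypothetical `jtac-tools` namespace labelled `project: jtac`) are assumptions.

```python
import ipaddress

# Constructed model of policy1 above. NS_LABELS is assumed: "jtac-tools" is a
# hypothetical namespace carrying the project=jtac label.
POLICY1 = {
    "namespace": "dev", "podSelector": {"app": "webserver-dev"},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"ipBlock": "10.169.25.20/32"},
                          {"namespaceSelector": {"project": "jtac"}},
                          {"podSelector": {"app": "client1-dev"}}],
                 "ports": [("TCP", 80)]}],
    "egress": [{"to": [{"podSelector": {"app": "dbserver-dev"}}],
                "ports": [("TCP", 80)]}],
}
NS_LABELS = {"dev": {}, "default": {}, "jtac-tools": {"project": "jtac"}}

def selected(labels, selector):
    """matchLabels semantics: every key must be present with the given value."""
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, entry, policy_ns):
    """Match one from/to entry; entries in a list are OR'd by the caller."""
    if "ipBlock" in entry:
        return "ip" in peer and \
            ipaddress.ip_address(peer["ip"]) in ipaddress.ip_network(entry["ipBlock"])
    if "ip" in peer:
        return False  # selector-based entries only ever match pods
    if "namespaceSelector" in entry:
        ns_ok = selected(NS_LABELS.get(peer["ns"], {}), entry["namespaceSelector"])
    else:
        ns_ok = peer["ns"] == policy_ns  # a bare podSelector is scoped to the policy's namespace
    return ns_ok and selected(peer["labels"], entry.get("podSelector", {}))

def allowed(policies, pod, direction, peer, proto, port):
    """A pod that no policy selects for this direction accepts everything; otherwise
    the connection must match a rule of ANY policy selecting it (allowlist union)."""
    rules_key, peers_key = ("ingress", "from") if direction == "ingress" else ("egress", "to")
    selecting = [p for p in policies
                 if p["namespace"] == pod["ns"] and selected(pod["labels"], p["podSelector"])
                 and rules_key.capitalize() in p.get("policyTypes", ["Ingress"])]
    if not selecting:
        return True  # no policy applied: accept traffic from all sources
    for p in selecting:
        for rule in p.get(rules_key, []):
            peers_ok = not rule.get(peers_key) or \
                any(peer_matches(peer, e, p["namespace"]) for e in rule[peers_key])
            ports_ok = not rule.get("ports") or (proto, port) in rule["ports"]
            if peers_ok and ports_ok:
                return True
    return False

def connection_allowed(policies, src, dst, proto, port):
    """Policies act on connections: the initiator's egress and the target's ingress
    must both allow it; reply packets then flow without any reverse rule."""
    src_ok = "ip" in src or allowed(policies, src, "egress", dst, proto, port)
    dst_ok = "ip" in dst or allowed(policies, dst, "ingress", src, proto, port)
    return src_ok and dst_ok
```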
Deploy a Kubernetes Network Policy in Cloud-Native Contrail Networking

In CN2, after you configure and deploy a Kubernetes network policy, that policy is created automatically in Contrail. Here's an example of a Kubernetes network policy:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 172.17.0.0/16
            except:
              - 172.17.1.0/24
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 6379
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978
```
This policy results in the following objects being created in CN2:

| Key | Value |
|---|---|
| role | db |
| namespace | default |
| project | myproject |
| role | frontend |

| Name | Prefix |
|---|---|
| test-network-policy-except | 172.17.1.0/24 |
| test-network-policy | 172.17.0.0/16 |
| test-network-policy-egress | 10.0.0.0/24 |

| Rule Name | Action | Service | Endpoint1 | Direction | Endpoint2 |
|---|---|---|---|---|---|
| default-ingress-test-network-policy-0-ipBlock-0-172.17.1.0/24-0 | deny | tcp:6379 | role=db && namespace=default | ingress | Address Group: 172.17.1.0/24 |
| default-ingress-test-network-policy-0-ipBlock-0-cidr-172.17.0.0/16-0 | pass | tcp:6379 | role=db && namespace=default | ingress | Address Group: 172.17.0.0/16 |
| default-ingress-test-network-policy-0-namespaceSelector-1-0 | pass | tcp:6379 | role=db && namespace=default | ingress | project=myproject |
| default-ingress-test-network-policy-0-podSelector-2-0 | pass | tcp:6379 | role=db && namespace=default | ingress | namespace=default && role=frontend |
| default-egress-test-network-policy-ipBlock-0-cidr-10.0.0.0/24-0 | pass | tcp:5978 | role=db && namespace=default | egress | Address Group: 10.0.0.0/24 |

| Name | Rules |
|---|---|
| default-test-network-policy | default-ingress-test-network-policy-0-ipBlock-0-172.17.1.0/24-0, default-ingress-test-network-policy-0-ipBlock-0-cidr-172.17.0.0/16-0, default-ingress-test-network-policy-0-namespaceSelector-1-0, default-ingress-test-network-policy-0-podSelector-2-0, default-egress-test-network-policy-ipBlock-0-cidr-10.0.0.0/24-0 |
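The test-network-policy above relies on `except`, which the overview note says CN2 does not support; one way to keep the same allowlist without it is to split the `cidr` into the prefixes that remain once the excepted ranges are removed and list each as its own `ipBlock`. This is an added Python example, not code from the Juniper documentation or from CN2; the sample values are constructed from that policy's ingress `ipBlock` (172.17.0.0/16 except 172.17.1.0/24).

```python
import ipaddress

# Constructed sample values, taken from the test-network-policy ingress ipBlock above.
CIDR = "172.17.0.0/16"
EXCEPT = ["172.17.1.0/24"]

def expand_ip_block(cidr, except_cidrs=()):
    """Return the shortest list of prefixes covering `cidr` minus every prefix
    in `except_cidrs`, so the same allowlist needs no `except` field."""
    remaining = [ipaddress.ip_network(cidr)]
    for exc in except_cidrs:
        exc_net = ipaddress.ip_network(exc)
        kept = []
        for net in remaining:
            if exc_net.subnet_of(net):
                kept.extend(net.address_exclude(exc_net))  # carve the hole out of this prefix
            elif net.subnet_of(exc_net):
                continue  # prefix lies entirely inside the excepted range: drop it
            else:
                kept.append(net)  # unrelated to this except entry: keep as is
        remaining = kept
    return [str(n) for n in sorted(remaining)]

def from_entries_yaml(cidr, except_cidrs=(), indent="        "):
    """Render the expanded prefixes as `from:` list items (one ipBlock each)."""
    lines = []
    for prefix in expand_ip_block(cidr, except_cidrs):
        lines.append(f"{indent}- ipBlock:")
        lines.append(f"{indent}    cidr: {prefix}")
    return "\n".join(lines)

def block_list_matches(cidr, except_cidrs, ip):
    """True if `ip` is covered by the expanded prefixes, i.e. it would still be allowed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in expand_ip_block(cidr, except_cidrs))

if __name__ == "__main__":
    print(from_entries_yaml(CIDR, EXCEPT))
```

The rendered entries replace the single `ipBlock` in the `from:` list, so CN2 creates only `pass` rules and address groups for the remaining prefixes.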
Kubernetes Network Policy matchExpressions

Starting in Cloud-Native Contrail Networking (CN2) version 22.3, CN2 supports Kubernetes Network Policy with `matchExpressions`. For more information about `matchExpressions`, see "Resources that support set-based requirements" in the Kubernetes documentation.