Kubernetes NetworkPolicy allows you to control traffic flow between services at the IP address and port level. In this lab, you will configure your GKE cluster with two NetworkPolicies to finely allow traffic.
Default Deny All Ingress Traffic
Let's create a NetworkPolicy that denies all ingress traffic to the pods in your random-facts-app-deployment namespace.
To begin, create a dedicated directory for this lab and switch into it:
cd ~
mkdir network-policy && cd network-policy
Create a NetworkPolicy manifest with the following contents and apply it to your cluster:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all-ingress
  namespace: random-facts-app-deployment
spec:
  podSelector: {}
  policyTypes:
  - Ingress
To test this NetworkPolicy, create a new Namespace called network-policy with the label lab=network-policy; this is the namespace you will test connections from.
Run the following command to create a pod in the newly created network-policy namespace:
kubectl run --rm -it toolbox --namespace network-policy --image=jacobmammoliti/toolbox -- sh
Once a prompt comes up, run the following cURL command against your application in the random-facts-app-deployment namespace:
curl random-facts-app-service.random-facts-app-deployment.svc.cluster.local:5000 --max-time 5 -I
After 5 seconds the request times out, because the NetworkPolicy is blocking the connection.
Enter exit into the shell to exit and terminate the pod.
Layering on Additional NetworkPolicy
In some cases, you may need pods in one namespace to be able to communicate with pods in another namespace. You can layer on additional policies to achieve this. In this lab, you will allow communication from pods with the label lab=network-policy that reside in the network-policy namespace to pods in the random-facts-app-deployment namespace.
You can begin by using the following NetworkPolicy manifest as a starting point to create a rule. This rule should only permit Pods with the lab=network-policy label from the network-policy namespace to communicate with pods within the random-facts-app-deployment namespace.
Hint: Ensure that the following NetworkPolicy is deployed in the appropriate namespace and that you have added a podSelector.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-random-facts-app-deployment
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          lab: network-policy
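To see why the hint matters, here is an added Python model of the ingress semantics this lab relies on. It is not part of the lab and not Kubernetes code: it evaluates the default-deny policy from the first section and then two ways of writing the layered allow policy, with the namespace and pod selectors in one `from` element (they are ANDed) versus in two separate elements (they are ORed). The client pod names, the `app=random-facts-app` label and the `other-team` namespace are constructed for the example; ports, `ipBlock` and `matchExpressions` are not modelled.

```python
"""Toy evaluator for the Kubernetes NetworkPolicy ingress semantics used in this lab.

Added example; not part of the lab and not Kubernetes code. Models only
matchLabels selectors, policyTypes and ingress/from rules (no ports, ipBlock
or matchExpressions). Pod names, client labels and "other-team" are constructed.
"""


def selector_matches(selector, labels):
    """matchLabels semantics: an empty selector ({}) matches everything."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())


def peer_allows(peer, src, policy_namespace, namespaces):
    """Evaluate one element of a rule's `from` list against a source pod.

    Selectors inside the SAME element are ANDed; separate elements are ORed by
    the caller. A podSelector with no namespaceSelector only considers pods in
    the policy's own namespace.
    """
    if "ipBlock" in peer or not any(k in peer for k in ("podSelector", "namespaceSelector")):
        return False  # ipBlock is not modelled; an element with no selector matches nothing
    if "namespaceSelector" in peer:
        src_ns_labels = namespaces.get(src["namespace"], {})
        if not selector_matches(peer["namespaceSelector"], src_ns_labels):
            return False
    elif src["namespace"] != policy_namespace:
        return False
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src["labels"]):
        return False
    return True


def ingress_allowed(src, dst, policies, namespaces):
    """True if traffic from src to dst is permitted by the given policies.

    A pod becomes isolated for ingress as soon as any policy in its namespace
    selects it; from then on only traffic matched by an ingress rule of some
    selecting policy is allowed. Policies are additive, never subtractive.
    """
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        # Ingress is in effect when listed in policyTypes (and by default when omitted)
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"].get("podSelector", {}), dst["labels"])
    ]
    if not selecting:
        return True  # not isolated: the Kubernetes default is allow-all
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from", [])
            # a rule with no `from` admits every source; otherwise any matching element suffices
            if not peers or any(peer_allows(peer, src, dst["namespace"], namespaces) for peer in peers):
                return True
    return False


NAMESPACES = {  # namespace name -> labels (constructed)
    "random-facts-app-deployment": {},
    "network-policy": {"lab": "network-policy"},
    "other-team": {},
}
APP_POD = {"namespace": "random-facts-app-deployment", "labels": {"app": "random-facts-app"}}
CLIENTS = {  # constructed source pods
    "labelled-toolbox": {"namespace": "network-policy", "labels": {"lab": "network-policy"}},
    "unlabelled-toolbox": {"namespace": "network-policy", "labels": {}},
    "labelled-neighbour": {"namespace": "random-facts-app-deployment", "labels": {"lab": "network-policy"}},
    "stranger": {"namespace": "other-team", "labels": {}},
}

DEFAULT_DENY_ALL_INGRESS = {  # the lab's first policy
    "metadata": {"name": "default-deny-all-ingress", "namespace": "random-facts-app-deployment"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def allow_policy(from_elements):
    """Build the lab's second policy with a given `from` list, in its target namespace."""
    return {
        "metadata": {"name": "allow-ingress-to-random-facts-app-deployment",
                     "namespace": "random-facts-app-deployment"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{"from": from_elements}]},
    }


# One element carrying both selectors: only labelled pods in the labelled namespace (AND).
ALLOW_STRICT = allow_policy([{"namespaceSelector": {"matchLabels": {"lab": "network-policy"}},
                              "podSelector": {"matchLabels": {"lab": "network-policy"}}}])
# Two elements: any pod in the labelled namespace OR any labelled pod in the policy's own namespace.
ALLOW_LOOSE = allow_policy([{"namespaceSelector": {"matchLabels": {"lab": "network-policy"}}},
                            {"podSelector": {"matchLabels": {"lab": "network-policy"}}}])


def who_can_reach_app(policies):
    """Map each constructed client to whether it may reach APP_POD under `policies`."""
    return {name: ingress_allowed(src, APP_POD, policies, NAMESPACES) for name, src in CLIENTS.items()}


if __name__ == "__main__":
    for label, policies in [("no policy", []),
                            ("default deny", [DEFAULT_DENY_ALL_INGRESS]),
                            ("deny + strict allow", [DEFAULT_DENY_ALL_INGRESS, ALLOW_STRICT]),
                            ("deny + loose allow", [DEFAULT_DENY_ALL_INGRESS, ALLOW_LOOSE])]:
        print(f"{label:20s} {who_can_reach_app(policies)}")
```

Running the script shows the progression the lab walks through: with no policy every client reaches the app; with default-deny none do; with the strict allow policy layered on top only the labelled toolbox pod gets through, which is what the lab's second test expects. The loose variant also admits the unlabelled toolbox pod and a labelled pod inside random-facts-app-deployment itself, so check which form you wrote before treating the policy as done.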
Once you have written the policy, apply it and try the connection again with the following command:
kubectl run --rm -it toolbox --namespace network-policy --labels='lab=network-policy' --image=jacobmammoliti/toolbox -- sh
Once a prompt comes up, run the following cURL command against your application in the random-facts-app-deployment namespace:
curl random-facts-app-service.random-facts-app-deployment.svc.cluster.local:5000 -I
You will now see output similar to the following:
HTTP/1.1 200 OK
Server: Werkzeug/2.3.4 Python/3.12.0b1
...
Connection: close
With that, you have successfully configured NetworkPolicy. NetworkPolicy is just one piece of the puzzle when it comes to securing your GKE cluster. In future labs, you will explore additional methods to further enhance the security of your cluster.