Network Policy

Firewall for intra-cluster communication

Must be implemented by the CNI plugin

Resource NetworkPolicy (namespaced)

Network policies are enforced per namespace

All traffic is allowed for pods that no policy selects

Once a policy selects a pod, everything not explicitly allowed is denied

Policies can only allow traffic, never deny it

Policies select pods using label selectors

Ingress and egress are handled separately

Supports layer 3 and layer 4

There is an editor


Limitations

No traffic routing

No TLS

No node-specific policies

No targeting of services

No cluster-wide default policies

No audit logging


CNI plugins

No support for network policy

kubenet, flannel

Calico

Pluggable data planes and extended network policies

Calico the hard way

Canal

Flannel for networking and Calico for policy

Cilium

Based on eBPF with extended network policies and observability


Demo

Filter connections between pods

Egress

Control HTTP from test1 to test2

Requires DNS to be allowed as well, otherwise name resolution fails

Enable access to Kubernetes API
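The demo above as manifests, written here as an added example rather than code from the original slides. It also covers the earlier points on default deny and allow-only rules: the first policy selects every pod in the namespace and denies all ingress and egress, the second allows test1 only HTTP to test2 plus DNS and the Kubernetes API, and the third lets test2 accept that HTTP. Assumed names: namespace demo, pod labels app=test1 and app=test2, CoreDNS in kube-system with the label k8s-app=kube-dns, and a cluster that sets the kubernetes.io/metadata.name namespace label. The API server address and port are placeholders.

```yaml
# Added example (not from the original slides). Assumptions: namespace "demo",
# pods labelled app=test1 / app=test2, CoreDNS labelled k8s-app=kube-dns in
# kube-system, API server address and port are PLACEHOLDER values.
---
# 1. Default deny: an empty podSelector selects every pod in the namespace;
#    listing both policyTypes with no rules denies all ingress and egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: demo
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Egress from test1: HTTP to test2 only, plus DNS and the Kubernetes API.
#    Policies can only allow, so each rule adds to what the default deny blocks.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test1-egress
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: test1
  policyTypes:
    - Egress
  egress:
    # HTTP to test2 pods in the same namespace (layer 3 peer + layer 4 port)
    - to:
        - podSelector:
            matchLabels:
              app: test2
      ports:
        - protocol: TCP
          port: 80
    # DNS: without this rule name resolution fails and the HTTP rule is useless.
    # namespaceSelector and podSelector in one entry are ANDed: kube-dns pods
    # in kube-system only.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Kubernetes API: policies cannot target a Service, so the API server
    # endpoint must be listed as an ipBlock. Read the real values with
    #   kubectl get endpoints kubernetes -n default
    - to:
        - ipBlock:
            cidr: 10.0.0.1/32   # PLACEHOLDER: API server endpoint IP
      ports:
        - protocol: TCP
          port: 6443            # PLACEHOLDER: API server endpoint port
---
# 3. Ingress on test2: the default deny also blocks incoming traffic, so test2
#    must explicitly accept HTTP from test1 for the demo to work end to end.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test2-ingress
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: test2
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: test1
      ports:
        - protocol: TCP
          port: 80
```

Apply with kubectl apply -f and verify from a test1 pod that HTTP to test2 succeeds while any other destination times out; the policies take effect only if the installed CNI plugin enforces NetworkPolicy, which kubenet and plain flannel do not.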