DEV Community

Cover image for CK 2024 Blog Series: Understanding and Implementing Network Policies
Jensen Jose
Jensen Jose

Posted on

CK 2024 Blog Series: Understanding and Implementing Network Policies

Hello everyone, welcome back to my blog series CK 2024 and today, we are diving into an essential topic in Kubernetes: Network Policies. This is the 26th entry in our series, and I truly appreciate your support thus far. In this post, we'll explore what Network Policies are, how to implement them, and why they are critical for securing your Kubernetes clusters.

Why Network Policies?

Before we delve into the specifics of Network Policies, let's understand the network flow and why we need such policies. Imagine a three-tier web application with a web tier, application tier, and database tier. The web tier handles user requests over ports 80 (HTTP) and 443 (HTTPS). The application tier processes business logic, and the database tier runs a database server, such as MySQL, on port 3306.

In Kubernetes, by default, all pods can communicate with each other. This open communication can lead to security vulnerabilities. For instance, the front-end application should not directly access the database tier; only the back-end should have this privilege. To enforce these rules and restrict unnecessary access, we implement Network Policies.

Network Policies in Kubernetes

Network Policies in Kubernetes are rules that define how pods communicate with each other and other network endpoints. They provide a way to control traffic flow at the IP address or port level. These policies are crucial for securing your application by ensuring that only authorized pods can communicate with each other.

Implementing Network Policies

Let's consider a scenario where we have a Kubernetes cluster with three deployments: front-end, back-end, and database, each exposed through services. Here’s a step-by-step guide to implementing Network Policies:

  1. Set Up Your Cluster First, ensure your cluster is running with a CNI (Container Network Interface) plugin that supports Network Policies. For this example, we'll use Weave as our CNI plugin.
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  disableDefaultCNI: true
nodes:
  - role: control-plane
  - role: worker
  - role: worker
Enter fullscreen mode Exit fullscreen mode

Create the cluster with the following command:

kind create cluster --config kind-config.yaml
Enter fullscreen mode Exit fullscreen mode

Install Weave CNI:

kubectl apply -f "https://cloud.weave.works/k8s/v1.8/net.yaml"
Enter fullscreen mode Exit fullscreen mode
  1. Deploy Applications Deploy the front-end, back-end, and database applications along with their services.
apiVersion: v1
kind: Pod
metadata:
  name: frontend
  labels:
    app: frontend
spec:
  containers:
    - name: frontend
      image: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: frontend
spec:
  ports:
    - port: 80
  selector:
    app: frontend
---
apiVersion: v1
kind: Pod
metadata:
  name: backend
  labels:
    app: backend
spec:
  containers:
    - name: backend
      image: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: backend
spec:
  ports:
    - port: 80
  selector:
    app: backend
---
apiVersion: v1
kind: Pod
metadata:
  name: database
  labels:
    app: database
spec:
  containers:
    - name: database
      image: mysql
      env:
        - name: MYSQL_ROOT_PASSWORD
          value: password
---
apiVersion: v1
kind: Service
metadata:
  name: database
spec:
  ports:
    - port: 3306
  selector:
    app: database
Enter fullscreen mode Exit fullscreen mode

Apply these manifests:

kubectl apply -f manifests.yaml
Enter fullscreen mode Exit fullscreen mode
  1. Create Network Policies Now, let's create a Network Policy to restrict access so that only the back-end can communicate with the database.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-to-database
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: backend
Enter fullscreen mode Exit fullscreen mode

Apply the Network Policy:

kubectl apply -f network-policy.yaml
Enter fullscreen mode Exit fullscreen mode

Verifying Network Policies

To verify the Network Policies, you can exec into the front-end pod and attempt to connect to the database. This connection should be denied:

kubectl exec -it frontend -- /bin/bash
curl database:3306
Enter fullscreen mode Exit fullscreen mode

Similarly, the back-end should be able to connect to the database:

kubectl exec -it backend -- /bin/bash
curl database:3306
Enter fullscreen mode Exit fullscreen mode

Conclusion

In this blog post, we discussed the importance of network policies in Kubernetes and how they help secure your applications. We also provided a step-by-step guide to implementing them. Network Policies are vital for maintaining a secure and controlled communication flow within your Kubernetes clusters.

Stay tuned for our next topic on storage. Until next time, happy coding!

For further reference, check out the detailed YouTube video here:

Top comments (0)