You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/en/docs/concepts/services-networking/network-policies.md
+22-4Lines changed: 22 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,11 +9,18 @@ weight: 50
9
9
---
10
10
11
11
<!-- overview -->
12
-
A network policy is a specification of how groups of {{< glossary_tooltip text="pods" term_id="pod">}} are allowed to communicate with each other and other network endpoints.
13
12
14
-
NetworkPolicy resources use {{< glossary_tooltip text="labels" term_id="label">}} to select pods and define rules which specify what traffic is allowed to the selected pods.
13
+
If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster. NetworkPolicies are an application-centric construct which allow you to specify how a {{< glossary_tooltip text="pod" term_id="pod">}} is allowed to communicate with various network "entities" (we use the word "entity" here to avoid overloading the more common terms such as "endpoints" and "services", which have specific Kubernetes connotations) over the network.
15
14
15
+
The entities that a Pod can communicate with are identified through a combination of the following 3 identifiers:
16
16
17
+
1. Other pods that are allowed (exception: a pod cannot block access to itself)
18
+
2. Namespaces that are allowed
19
+
3. IP blocks (exception: traffic to and from the node where a Pod is running is always allowed, regardless of the IP address of the Pod or the node)
20
+
21
+
When defining a pod- or namespace- based NetworkPolicy, you use a {{< glossary_tooltip text="selector" term_id="selector">}} to specify what traffic is allowed to and from the Pod(s) that match the selector.
22
+
23
+
Meanwhile, when IP based NetworkPolicies are created, we define policies based on IP blocks (CIDR ranges).
17
24
18
25
<!-- body -->
19
26
## Prerequisites
@@ -212,14 +219,25 @@ When the feature gate is enabled, you can set the `protocol` field of a NetworkP
212
219
You must be using a {{< glossary_tooltip text="CNI" term_id="cni" >}} plugin that supports SCTP protocol NetworkPolicies.
213
220
{{< /note >}}
214
221
222
+
# What you CAN'T do with network policy's (at least, not yet)
215
223
224
+
As of Kubernetes 1.20, the following functionality does not exist in the NetworkPolicy API, but you might be able to implement workarounds using Operating System components (such as SELinux, OpenVSwitch, IPTables, and so on) or Layer 7 technologies (Ingress controllers, Service Mesh implementations) or admission controllers. In case you are new to network security in Kubernetes, its worth noting that the following User Stories cannot (yet) be implemented using the NetworkPolicy API. Some (but not all) of these user stories are actively being discussed for future releases of the NetworkPolicy API.
216
225
226
+
- Forcing internal cluster traffic to go through a common gateway (this might be best served with a service mesh or other proxy).
227
+
- Anything TLS related (use a service mesh or ingress controller for this).
228
+
- Node specific policies (you can use CIDR notation for these, but you cannot target nodes by their Kubernetes identities specifically).
229
+
- Targeting of namespaces or services by name (you can, however, target pods or namespaces by their{{< glossary_tooltip text="labels" term_id="label" >}}, which is often a viable workaround).
230
+
- Creation or management of "Policy requests" that are fulfilled by a third party.
231
+
- Default policies which are applied to all namespaces or pods (there are some third party Kubernetes distributions and projects which can do this).
232
+
- Advanced policy querying and reachability tooling.
233
+
- The ability to target ranges of Ports in a single policy declaration.
234
+
- The ability to log network security events (for example connections that are blocked or accepted).
235
+
- The ability to explicitly deny policies (currently the model for NetworkPolicies are deny by default, with only the ability to add allow rules).
236
+
- The ability to prevent loopback or incoming host traffic (Pods cannot currently block localhost access, nor do they have the ability to block access from their resident node).
217
237
218
238
## {{% heading "whatsnext" %}}
219
239
220
240
221
241
- See the [Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/)
222
242
walkthrough for further examples.
223
243
- See more [recipes](https://github.com/ahmetb/kubernetes-network-policy-recipes) for common scenarios enabled by the NetworkPolicy resource.
0 commit comments