Working with Kubernetes NetworkPolicies

1 hour • 2 Learning Objectives

About this Hands-on Lab

By default, Kubernetes pods have unrestricted network access both inside and outside the cluster. However, it is often desirable to restrict network access to and from pods, particularly for security reasons. Kubernetes NetworkPolicies provide a flexible way to implement these networking restrictions, giving you control over all of the network traffic involving your pods. In this lab, we walk through NetworkPolicy concepts and examine some existing policies to determine how to properly apply them to a pod.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Provide the `web-gateway` Pod with Network Access to the Pods Associated with the `inventory-svc` Service

First, get a list of existing NetworkPolicies:

kubectl get networkpolicy

Examine inventory-policy more closely:

kubectl describe networkpolicy inventory-policy

Note that the policy selects pods with the label app: inventory, and allows incoming traffic from, and outgoing traffic to, all pods with the label inventory-access: "true".

Modify the web-gateway pod with kubectl edit pod web-gateway.

Add the inventory-access: "true" label to the pod under metadata.labels:

...
metadata:
  labels:
    inventory-access: "true"
...

Test access to the inventory-svc like so:

kubectl exec web-gateway -- curl -m 3 inventory-svc

Provide the `web-gateway` Pod with Network Access to the Pods Associated with the `customer-data-svc` Service

Examine customer-data-policy more closely:

kubectl describe networkpolicy customer-data-policy

Note that the policy selects pods with the label app: customer-data, and allows incoming traffic from, and outgoing traffic to, all pods with the label customer-data-access: "true".

Modify the web-gateway pod with kubectl edit pod web-gateway.

Add the customer-data-access: "true" label to the pod under metadata.labels:

...
metadata:
  labels:
    inventory-access: "true"
    customer-data-access: "true"
...

Test access to the customer-data-svc like so:

kubectl exec web-gateway -- curl -m 3 customer-data-svc
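The policy described in the two objectives above, written out as a manifest so the selector relationships are explicit. This is an added example reconstructed from the behaviour the lab describes, not the lab's own manifest; customer-data-policy is assumed to have the same shape with app: customer-data and customer-data-access.

```yaml
# Added example: a NetworkPolicy consistent with the inventory-policy described
# in the lab (assumed shape; the lab's actual manifest is not shown).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: inventory-policy
  namespace: default
spec:
  # podSelector picks the pods the policy protects (the inventory pods),
  # not the pods that want to reach them.
  podSelector:
    matchLabels:
      app: inventory
  # Listing both types isolates the inventory pods in both directions:
  # any connection not matched by a rule below is dropped.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # A bare podSelector matches pods in the policy's own namespace.
        # Label values are strings, hence the quoted "true".
        - podSelector:
            matchLabels:
              inventory-access: "true"
  egress:
    - to:
        - podSelector:
            matchLabels:
              inventory-access: "true"
---
# web-gateway after both label edits. No policy selects web-gateway, so its
# own traffic stays unrestricted; the labels only make it a permitted peer
# of the selected pods. Because access is granted purely by label, whoever
# can edit pod labels can grant that access, so RBAC on pod updates matters.
apiVersion: v1
kind: Pod
metadata:
  name: web-gateway
  namespace: default
  labels:
    inventory-access: "true"
    customer-data-access: "true"
spec:
  containers:
    - name: gateway          # assumed container; not specified by the lab
      image: example/gateway # placeholder image
```

The same labels can be applied without opening an editor with kubectl label pod web-gateway inventory-access=true customer-data-access=true, which is equivalent to the kubectl edit steps above.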

Additional Resources

Your company has a set of services, one called inventory-svc and another called customer-data-svc. In the interest of security, both of these services and their corresponding pods have NetworkPolicies designed to restrict network communication to and from them. A new pod called web-gateway has just been deployed to the cluster, and this pod needs to be able to access both inventory-svc and customer-data-svc.

Unfortunately, whoever designed the services and their corresponding NetworkPolicies was a little lax in creating documentation. On top of that, they are not currently available to help you understand how to provide access to the services for the new pod.

Examine the existing NetworkPolicies and determine how to alter the web-gateway pod so that it can access the pods associated with both services.

You will not need to add, delete, or edit any NetworkPolicies in order to do this. Simply use the existing ones and modify the web-gateway pod to provide access. All work can be done in the default namespace.

What are Hands-on Labs?

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
