Link Search Menu Expand Document

NetworkPolicy

default-deny-egress.yaml

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-default-deny-egress
spec:
  podSelector: {}
  policyTypes:
    - Egress

See: https://kubernetes.io/docs/concepts/services-networking/network-policies/

complex-policy.yaml

# Example 'rich' network policy
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-policy
spec:
  podSelector:  # Required. Selects the pods to which this network policy applies. Ingress rules applied to these pods. An empty podSelector means 'all pods in namespace'. Other NetworkPolicies can apply to same pods (rules are additive).
    matchLabels:  # Labels are ANDed if there are multiple.
      role: db
  policyTypes:  # This field is inferred from existence of rules further below. All policies are assumed to affect ingress. Hence "Egress" here if you want an egress-only policy.
    - Ingress
    - Egress
  ingress:
    - from:
        # If this field is set, then it negates the other two.
        # - ipBlock:
        #     cidr: 172.17.0.0/16
        #     except:
        #       - 172.17.1.0/24
        - namespaceSelector:
            matchLabels:
              project: myproject
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP  # TCP (default), UDP or SCTP
          port: 6379  # Numerical or named port
  egress:
    - to:
        # If this field is set, then it negates the other two (namespaceSelector and podSelector).
        - ipBlock:
            cidr: 10.0.0.0/24
      ports:
        - protocol: TCP
          port: 5978

spec.egress/

default-allow-egress.yaml

            ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-allow-egress
spec:
  podSelector: {}
  egress:
    - {}
  policyTypes:
    - Egress
 

spec.ingress/

default-allow-ingress.yaml

            ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-default-allow-ingress
spec:
  podSelector: {}
  ingress:
    - {}
  policyTypes:
    - Ingress
 

spec.policyTypes/

default-deny-all.yaml

            ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
 

default-deny-ingress.yaml

            ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: network-policy-default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
    - Ingress