I am running Kubernetes 1.9.6 with Weave Net 2.4.0. I am trying to lock down access to the Kubernetes internal DNS server and a specific port on another host. I cannot seem to find the proper format for the egress.
I know the following is not a valid policy but is a representation of what I want to do. How do I write the network policy to support this?
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: plem-network-policy
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.3.0.10/32
      ports:
      - protocol: TCP
        port: 53
      - protocol: UDP
        port: 53
    - ipBlock:
        cidr: 10.49.100.37/32
      ports:
      - protocol: TCP
        port: 8200
I was not paying enough attention to multiple blocks for the cidr and ports. This is what I was looking for.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: plem-network-policy
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.2.0.0/16
    - ipBlock:
        cidr: 10.3.0.10/32
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - ipBlock:
        cidr: 10.49.100.37/32
    - ipBlock:
        cidr: 10.49.100.137/32
    - ipBlock:
        cidr: 10.49.100.85/32
    ports:
    - protocol: TCP
      port: 8200
  - to:
    - ipBlock:
        cidr: 10.29.30.56/32
    ports:
    - protocol: TCP
      port: 5439
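As an added illustration (not part of the question or the answer above), the script below holds the accepted policy as a Python dict, expands each egress rule into the flat (cidr, protocol, port) combinations it permits, rejects the shape from the question where ports were nested under an ipBlock peer instead of sitting beside `to`, and answers whether a given destination is reachable under the policy. The dict literal and the sample destinations are constructed here; the helper names are my own.

```python
# Added example: evaluate a Kubernetes NetworkPolicy's egress rules offline.
# Each egress rule is a cross product of its "to" peers and its "ports"; with
# policyTypes: [Egress], any destination not produced by that product is denied,
# which is why the DNS server (10.3.0.10:53) has to be listed explicitly.
from ipaddress import ip_address, ip_network

POLICY = {  # dict form of the accepted answer's policy (constructed inline)
    "spec": {
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"ipBlock": {"cidr": "10.2.0.0/16"}},
                    {"ipBlock": {"cidr": "10.3.0.10/32"}}],
             "ports": [{"protocol": "UDP", "port": 53},
                       {"protocol": "TCP", "port": 53}]},
            {"to": [{"ipBlock": {"cidr": "10.49.100.37/32"}},
                    {"ipBlock": {"cidr": "10.49.100.137/32"}},
                    {"ipBlock": {"cidr": "10.49.100.85/32"}}],
             "ports": [{"protocol": "TCP", "port": 8200}]},
            {"to": [{"ipBlock": {"cidr": "10.29.30.56/32"}}],
             "ports": [{"protocol": "TCP", "port": 5439}]},
        ],
    }
}


def expand_egress(policy):
    """Return sorted (cidr, protocol, port) tuples allowed by the egress rules."""
    allowed = set()
    for rule in policy["spec"]["egress"]:
        for peer in rule.get("to", []):
            # The question's draft put "ports" inside the peer; the API
            # only accepts it as a sibling of "to" on the rule itself.
            if "ports" in peer or "ports" in peer.get("ipBlock", {}):
                raise ValueError("'ports' must be a sibling of 'to', not nested in a peer")
            block = peer.get("ipBlock")
            if block is None:
                continue  # podSelector/namespaceSelector peers are out of scope here
            cidr = str(ip_network(block["cidr"]))  # also validates the CIDR syntax
            for p in rule.get("ports", []):
                allowed.add((cidr, p.get("protocol", "TCP"), p["port"]))
    return sorted(allowed)


def is_allowed(policy, dst_ip, protocol, port):
    """True if egress to dst_ip on protocol/port is permitted by the policy."""
    addr = ip_address(dst_ip)
    return any(addr in ip_network(c) and pr == protocol and po == port
               for c, pr, po in expand_egress(policy))
```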