Do Kubernetes NetworkPolicies block NodePort traffic?

7/12/2019

I can't find in the official docs whether NetworkPolicies block NodePort ingress traffic.

  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend

Considering the NetworkPolicy above - is it expected that it'll block any ingress traffic to NodePort-type services within my namespace?

If so, how do I allow such traffic into my namespace? Will ipBlock solve it?

-- Bernard Halas
kubernetes

1 Answer

7/12/2019

Do Kubernetes NetworkPolicies block NodePort traffic?

Not really.

As it says in the docs: "is a specification of how groups of pods...". Basically, they are applied to pods or groups of pods. NodePort is defined in Kubernetes as a type of Service.

You can restrict traffic by applying the Network Policy to your namespace and specifying ipBlock as you mentioned. This will specifically restrict traffic to your pods but not the NodePort. (It may be all that you need.)

To restrict traffic to NodePorts you will have to use an alternative external solution, and it will really depend on your setup. For example, if you are using a cloud provider like AWS you could use security groups.

Alternatively, GCP provides Google Cloud Armor with a Backend Config that allows you to control traffic to a service/ingress.

-- Rico
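As an added illustration (not part of Rico's answer), here is the ipBlock approach from the answer written out as a complete NetworkPolicy, next to the Service whose NodePort the traffic arrives on. The namespace, labels, ports and client CIDR are made-up values; the Service is included because kube-proxy SNATs NodePort traffic to the node address under the default externalTrafficPolicy of Cluster, so a client-address ipBlock rule only sees the real client when the Service uses externalTrafficPolicy: Local (how far source IPs are preserved still varies by CNI and cloud provider).

```yaml
# Added example, not from the original answer. Names, labels and CIDR are made up.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-ingress-from-office
  namespace: demo-ns            # assumed namespace
spec:
  # Which pods the policy applies to (NetworkPolicies select pods, never Services)
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  # Rule 1: in-cluster traffic from frontend pods, as in the question
  - from:
    - podSelector:
        matchLabels:
          role: frontend
  # Rule 2: external clients reaching the pod via the NodePort, matched by source address
  - from:
    - ipBlock:
        cidr: 203.0.113.0/24   # assumed client range (documentation prefix)
    ports:
    - protocol: TCP
      port: 8080               # the pod's container port, not the NodePort number
---
# The Service the NodePort traffic arrives on. externalTrafficPolicy: Local keeps
# the client's source IP when kube-proxy forwards to a pod on the same node; with
# the default Cluster, the packet is SNATed to the node IP and the ipBlock rule
# above would not match the real client.
apiVersion: v1
kind: Service
metadata:
  name: backend
  namespace: demo-ns
spec:
  type: NodePort
  externalTrafficPolicy: Local
  selector:
    app: backend
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
    nodePort: 30080            # assumed NodePort in the default 30000-32767 range
```

Even with this in place the NodePort itself stays open on every node; the policy only decides whether the forwarded packet is allowed to reach the selected pods.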
Source: StackOverflow