Kubernetes NetworkPolicy: allow external traffic to the internet only

9/4/2019

I'm trying to implement network policy in my Kubernetes cluster to isolate my pods in a namespace but still allow them to access the internet, since I'm using Azure MFA for authentication.

This is what I tried but can't seem to get it working. Ingress is working as expected, but these policies block all egress.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: grafana-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: grafana
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx-ingress

Can anybody tell me how I make the above configuration work so that I also allow internet traffic but block traffic to other pods?

-- superset
azure-kubernetes
kubernetes

3 Answers

9/4/2019

Can you try it like this?

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  # policyTypes is a list of strings; "Ingress,Egress" as a single item is rejected by the API server
  - Ingress
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

It should allow egress to all destinations. But if the destination is a pod, it should be blocked by the lack of ingress rules in the same NetworkPolicy.

-- weibeld
Source: StackOverflow

9/4/2019

Kubernetes will allow all traffic unless there is a network policy. If a Network Policy is set, it will only allow traffic set by the network policy and deny everything else.

By default, pods are non-isolated; they accept traffic from any source.

Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. (Other pods in the namespace that are not selected by any NetworkPolicy will continue to accept all traffic.)

https://kubernetes.io/docs/concepts/services-networking/network-policies/#isolated-and-non-isolated-pods

So you will need to specify the Egress rules as well in order for it to work the way you want :)

-- Christiaan Vermeulen
Source: StackOverflow

9/8/2019

Try adding a default deny all network policy on the namespace, then adding an allow Internet policy after.

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-internet-only
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
      - ipBlock:
          # cidr and except must both be nested under ipBlock
          cidr: 0.0.0.0/0
          except:
            - 10.0.0.0/8
            - 192.168.0.0/16
            # the RFC 1918 range is 172.16.0.0/12 (172.16.0.0 - 172.31.255.255); /20 would leave most of it open
            - 172.16.0.0/12

This will block all traffic except internet outbound. In the allow-internet-only policy there is an exception for all private IPs, which will prevent pod-to-pod communication. You will also have to allow egress to CoreDNS in kube-system if you require DNS lookups, as the default-deny-all policy will block DNS queries.

-- user12009826
Source: StackOverflow