Let's suppose I have a deployment in my cluster which is exposed to the outside world via a load-balancer service (has static IP with some external firewall rules) on top of this now I want to apply internal firewall rules for the same deployment, I want to limit it to connect only with a few other pods in case if it is compromised. So can I simultaneously apply load-balancer and egress network policy for deployment in Kubernetes without messing the things up? Is there a distinct separation between load-balancers and network policies (one is for external traffic the other for internal) or it is not like that.
Thanks in advance!
For the sake of argument let's assume this is the network policy I want to apply:
kind: NetworkPolicy
metadata:
name: bridge-ergress-access
namespace: default
spec:
podSelector:
matchLabels:
name: mqtt-lb-service
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
- app: kafka1
- podSelector:
matchLabels:
- app: kafka2
- podSelector:
matchLabels:
- app: kafka3
- podSelector:
matchLabels:
- app: redis
Kubernetes network policy is used to enforce layer-3 segmentation for applications that are deployed on the platform. Network policies lack the advanced features of modern firewalls like layer-7 control and threat detection, but they do provide a basic level of network security which is a good starting point.Kubernetes network policies specify the access permissions for groups of pods, much like security groups in the cloud are used to control access to VM instances.
You can use kubernetes network policy to control traffic within your pod network with external firewall rules which control traffic within VM/host network.