Restricting Pod ingress with a NetworkPolicy
WHAT IT TESTS: NetworkPolicy ingress control. OUTLINE: Create a NetworkPolicy with podSelector app=frontend, policyTypes Ingress, and one ingress from-rule matching podSelector role=api-gateway; requires a CNI that enforces policies.
WHAT IT TESTS: Whether you can lock down Pod-to-Pod traffic natively. ANSWER OUTLINE: Define a NetworkPolicy whose podSelector targets app=frontend, with policyTypes including Ingress and a single ingress rule whose from clause uses a podSelector matching role=api-gateway. Once any NetworkPolicy selects the frontend Pods for Ingress, all other inbound traffic to them is denied by default, so only api-gateway Pods can connect. This requires a CNI plugin that enforces NetworkPolicy (for example Calico or Cilium); the default kubenet does not enforce it.
- #kubernetes
- #network-policy
- #security
- #multi-tenancy
- #cni