Network Policies in Kubernetes control how pods communicate with each other and with external endpoints. They define rules for ingress (incoming) and egress (outgoing) traffic.
Why Use Network Policies?
| Benefit | Description |
|---|---|
| Security | Prevent unauthorized pod-to-pod communication. |
| Isolation | Enforce microsegmentation between services. |
| Compliance | Meet regulatory requirements for network control. |
| Zero Trust | Implement least privilege access across workloads. |
Calico is a popular network policy engine supported in AKS. You can enable it during cluster creation:
az aks create \
--name <cluster-name> \
--resource-group <rg-name> \
--network-policy calico \
--network-plugin azure \
...Note: Calico only works with the azure network plugin, not kubenet.
Real-World Example
Let’s say you have two apps:
frontendpodbackendpod
You want to allow only frontend to talk to backend, and deny all other traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-to-backend
namespace: default
spec:
podSelector:
matchLabels:
app: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: frontend🧠 What This Does:
- Applies to pods labeled
app=backend. - Allows only pods labeled
app=frontendto send traffic to them. - All other pods are blocked from accessing
backend.
🔍 How to Test
- Deploy
frontendandbackendpods with appropriate labels. - Apply the network policy.
- Try accessing
backendfrom:frontend→ ✅ Allowed- Any other pod → ❌ Denied
📊 Monitoring & Troubleshooting
- Use
kubectl describe networkpolicy <policy-name>to inspect. - Use tools like Calico CLI, kubectl logs, or network flow monitoring to debug.
Leave a Reply