OpenShift – Practical Guide to NetworkPolicy
URL – https://www.devopsschool.com/blog/kubernetes-cks-network-policy-example-code/
๐ OpenShift NetworkPolicies Tutorial (with httpd in test2 namespace)
๐ฏ Goal
You will:
โ
Deploy an httpd server
โ
Launch test clients to access it
โ
Apply NetworkPolicy to:
- โ Block all traffic
- โ Allow traffic only from specific labeled pods
๐ง Prerequisites
You already have:
httpddeployed using ImageStream (oc new-app httpd -n test2)oc expose svc/httpd -n test2run (optional, for browser access)
โ Step-by-Step Guide
โ
Step 1: Check Internal Access to httpd
Create a PSA-compliant test pod and try connecting to the httpd service:
oc run test-client \
--rm -it \
--restart=Never \
--image=busybox:1.35 \
-n test2 \
--overrides='
{
"apiVersion": "v1",
"spec": {
"securityContext": {
"runAsNonRoot": true,
"seccompProfile": { "type": "RuntimeDefault" }
},
"containers": [{
"name": "test-client",
"image": "busybox:1.35",
"command": ["sh"],
"stdin": true,
"tty": true,
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true
}
}]
}
}'
Code language: PHP (php)Inside the pod:
wget -qO- httpd
โ This should return a response โ all traffic is allowed by default.
Exit:
exit
Code language: PHP (php)๐ซ Step 2: Block All Ingress Traffic to httpd
Create a deny-all NetworkPolicy:
cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-to-httpd
spec:
podSelector:
matchLabels:
deployment: httpd
policyTypes:
- Ingress
EOF
This blocks all ingress to httpd pods.
๐ Step 3: Retest (Should Fail Now)
Run the same test-client pod again and try:
wget -qO- httpd
โ It should now fail โ because ingress to
httpdis blocked.
Exit:
exit
Code language: PHP (php)โ
Step 4: Allow Labeled Pods to Access httpd
Deploy a new client pod with access=allowed label:
oc run allowed-client \
--rm -it \
--restart=Never \
--image=busybox:1.35 \
--labels="access=allowed" \
-n test2 \
--overrides='
{
"apiVersion": "v1",
"spec": {
"securityContext": {
"runAsNonRoot": true,
"seccompProfile": { "type": "RuntimeDefault" }
},
"containers": [{
"name": "allowed-client",
"image": "busybox:1.35",
"command": ["sh"],
"stdin": true,
"tty": true,
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true
}
}]
}
}'
Code language: PHP (php)Now create a policy to allow only that pod label:
cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-allowed
spec:
podSelector:
matchLabels:
deployment: httpd
ingress:
- from:
- podSelector:
matchLabels:
access: allowed
policyTypes:
- Ingress
EOF
Code language: JavaScript (javascript)Inside the pod:
wget -qO- httpd
โ This should now succeed โ because the pod is allowed.
Exit:
exit
Code language: PHP (php)โ Step 5: Verify Denial from Unlabeled Pods
Run another test pod without label:
oc run denied-client \
--rm -it \
--restart=Never \
--image=busybox:1.35 \
-n test2 \
--overrides='
{
"apiVersion": "v1",
"spec": {
"securityContext": {
"runAsNonRoot": true,
"seccompProfile": { "type": "RuntimeDefault" }
},
"containers": [{
"name": "denied-client",
"image": "busybox:1.35",
"command": ["sh"],
"stdin": true,
"tty": true,
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true
}
}]
}
}'
Code language: PHP (php)Then:
wget -qO- httpd
โ This should fail โ the pod is not allowed by the NetworkPolicy.
Exit:
exit
Code language: PHP (php)โ Summary Table
| Step | Result |
|---|---|
| No policy | All pods can access httpd |
| Deny-all policy | No pod can access httpd |
Allow from access=allowed | Only labeled pods can access |
| Unlabeled pods | Access denied |
Iโm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals