URL – https://www.devopsschool.com/blog/kubernetes-cks-network-policy-example-code/
🔐 OpenShift NetworkPolicies Tutorial (with httpd in test2 namespace)
🎯 Goal
You will:
✅ Deploy an httpd server
✅ Launch test clients to access it
✅ Apply NetworkPolicy to:
- ❌ Block all ingress traffic to the httpd pods
- ✅ Allow ingress only from pods carrying a specific label
🔧 Prerequisites
You already have:
- httpd deployed from the built-in ImageStream (oc new-app httpd -n test2). This gives the pods the deployment=httpd label that every policy below selects; confirm it with oc get pods -n test2 --show-labels before relying on it.
- Optionally, a Route created with oc expose svc/httpd -n test2 (for browser access).
✅ Step-by-Step Guide
✅ Step 1: Check Internal Access to httpd
Create a test pod that satisfies the restricted Pod Security profile (non-root, RuntimeDefault seccomp, no privilege escalation, all capabilities dropped) and try connecting to the httpd service:
oc run test-client \
--rm -it \
--restart=Never \
--image=busybox:1.35 \
-n test2 \
--overrides='
{
"apiVersion": "v1",
"spec": {
"securityContext": {
"runAsNonRoot": true,
"seccompProfile": { "type": "RuntimeDefault" }
},
"containers": [{
"name": "test-client",
"image": "busybox:1.35",
"command": ["sh"],
"stdin": true,
"tty": true,
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true
}
}]
}
}'
Inside the pod (the hostname httpd resolves to the Service of that name in the same namespace; -T 5 makes a blocked request fail after 5 seconds instead of hanging):
wget -qO- -T 5 httpd
✅ This should return the httpd welcome page: with no NetworkPolicy selecting the pods, all ingress is allowed by default (unless your cluster's project template already installs default policies).
Exit:
exit
🚫 Step 2: Block All Ingress Traffic to httpd
Create a deny-all NetworkPolicy:
cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-to-httpd
spec:
podSelector:
matchLabels:
deployment: httpd
policyTypes:
- Ingress
EOF
This blocks all ingress to the httpd pods. The policy selects them (podSelector deployment=httpd) and declares policyTypes Ingress but lists no ingress rules, so the pods become isolated for ingress and no source matches: every inbound connection is dropped, including requests arriving through the Route, since those come from the router pods in another namespace. Enforcement is done by the cluster network plugin (OVN-Kubernetes, or OpenShift SDN in its default NetworkPolicy mode). Check what was applied with:
oc describe networkpolicy deny-all-to-httpd -n test2
🔁 Step 3: Retest (Should Fail Now)
Run the same test-client pod again (the oc run command from Step 1) and try:
wget -qO- -T 5 httpd
❌ It should now fail with a timeout: every ingress connection to the httpd pods is dropped, including this one from an unlabeled client in the same namespace.
Exit:
exit
✅ Step 4: Allow Labeled Pods to Access httpd
Deploy a new client pod carrying the access=allowed label. Because oc run -it drops you into the pod's shell, apply the NetworkPolicy in the next step from a second terminal (or create it first; policies take effect on already-running pods immediately):
oc run allowed-client \
--rm -it \
--restart=Never \
--image=busybox:1.35 \
--labels="access=allowed" \
-n test2 \
--overrides='
{
"apiVersion": "v1",
"spec": {
"securityContext": {
"runAsNonRoot": true,
"seccompProfile": { "type": "RuntimeDefault" }
},
"containers": [{
"name": "allowed-client",
"image": "busybox:1.35",
"command": ["sh"],
"stdin": true,
"tty": true,
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true
}
}]
}
}'
Now create a policy that allows ingress to the httpd pods only from pods with that label:
cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-allowed
spec:
podSelector:
matchLabels:
deployment: httpd
ingress:
- from:
- podSelector:
matchLabels:
access: allowed
policyTypes:
- Ingress
EOF
Inside the allowed-client pod:
wget -qO- -T 5 httpd
✅ This should now succeed. Both policies select the httpd pods, and NetworkPolicy rules are additive: the result is the union of their allow rules, so deny-all-to-httpd contributes nothing while allow-from-allowed admits any pod labeled access=allowed. Note that a podSelector under from without a namespaceSelector matches pods in the policy's own namespace only; a pod labeled access=allowed in another namespace is still denied.
Exit:
exit
❌ Step 5: Verify Denial from Unlabeled Pods
Run another test pod without the access=allowed label:
oc run denied-client \
--rm -it \
--restart=Never \
--image=busybox:1.35 \
-n test2 \
--overrides='
{
"apiVersion": "v1",
"spec": {
"securityContext": {
"runAsNonRoot": true,
"seccompProfile": { "type": "RuntimeDefault" }
},
"containers": [{
"name": "denied-client",
"image": "busybox:1.35",
"command": ["sh"],
"stdin": true,
"tty": true,
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": ["ALL"]
},
"runAsNonRoot": true
}
}]
}
}'
Then:
wget -qO- -T 5 httpd
❌ This should time out: denied-client carries only the run=denied-client label that oc run adds, so no ingress rule on the httpd pods matches it. To see which pods each policy selects and which sources it admits, run:
oc describe networkpolicy -n test2
Exit:
exit
✅ Summary Table
| Step | Result |
|---|---|
| No policy | All pods can access httpd |
| Deny-all policy | No pod can access httpd (the Route stops working as well) |
| Allow from access=allowed (deny-all still in place) | Only pods in test2 labeled access=allowed can access httpd |
| Unlabeled pods | Access denied |
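The behaviour exercised in Steps 1 to 5 follows from three rules of the NetworkPolicy API: a pod is isolated for ingress as soon as any policy with policyTypes Ingress selects it; selecting policies are additive, so the union of their allow rules applies; and a podSelector under from without a namespaceSelector matches pods in the policy's own namespace only. The Python below is an added example, not code from the tutorial or from OpenShift. It models just those rules in memory (no cluster access) and replays the summary table plus three cases the tutorial does not run: the same label in another namespace, the allow policy on its own, and a rule with an empty from (which is allow-all, not deny-all). The pod names, the namespace other, and the run=<name> label that oc run adds are assumptions.

```python
"""Toy model of Kubernetes NetworkPolicy *ingress* semantics.

Added example, not code from the tutorial or from OpenShift. It models only
what the tutorial exercises: spec.podSelector.matchLabels on the target,
ingress rules whose peers are podSelectors (same namespace as the policy when
no namespaceSelector is given), and the rule that a pod is isolated for
ingress as soon as any policy with policyTypes Ingress selects it. Egress,
ipBlock, ports and matchExpressions are deliberately left out. Every pod and
policy below is constructed in memory; nothing talks to a cluster.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class Policy:
    name: str
    namespace: str
    pod_selector: dict   # spec.podSelector.matchLabels; {} selects every pod in the namespace
    ingress: list        # list of rules, each a list of peer matchLabels dicts:
                         #   []   -> no rules (key absent): nothing allowed
                         #   [[]] -> one rule with empty `from`: all sources allowed
    policy_types: tuple = ("Ingress",)


def matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.items())


def selecting_policies(pod: Pod, policies: list) -> list:
    """Policies that apply to `pod` for ingress: same namespace, Ingress type, selector matches."""
    return [p for p in policies
            if p.namespace == pod.namespace
            and "Ingress" in p.policy_types
            and matches(p.pod_selector, pod.labels)]


def is_isolated(pod: Pod, policies: list) -> bool:
    return bool(selecting_policies(pod, policies))


def ingress_allowed(src: Pod, dst: Pod, policies: list) -> bool:
    """True if traffic from src may reach dst under the given policies.

    Rules are additive: the connection is allowed if any selecting policy has
    any rule whose peers match the source. A non-isolated pod accepts everything.
    """
    applicable = selecting_policies(dst, policies)
    if not applicable:
        return True
    for policy in applicable:
        for peers in policy.ingress:
            if not peers:                      # rule with empty `from`: allow all sources
                return True
            for peer in peers:
                # podSelector peer without namespaceSelector: same namespace as the policy
                if src.namespace == policy.namespace and matches(peer, src.labels):
                    return True
    return False


# --- Constructed objects mirroring the tutorial (pod names are illustrative) ---
HTTPD = Pod("httpd-pod", "test2", {"deployment": "httpd"})          # label the tutorial selects on
TEST_CLIENT = Pod("test-client", "test2", {"run": "test-client"})   # oc run adds run=<name>
ALLOWED_CLIENT = Pod("allowed-client", "test2", {"run": "allowed-client", "access": "allowed"})
DENIED_CLIENT = Pod("denied-client", "test2", {"run": "denied-client"})
# Not in the tutorial: same label, different (assumed) namespace "other".
FOREIGN_CLIENT = Pod("allowed-client", "other", {"access": "allowed"})

DENY_ALL = Policy("deny-all-to-httpd", "test2", {"deployment": "httpd"}, ingress=[])
ALLOW_FROM_ALLOWED = Policy("allow-from-allowed", "test2", {"deployment": "httpd"},
                            ingress=[[{"access": "allowed"}]])
# Footgun for comparison: `ingress: [{}]` (a rule with no `from`) is allow-all, not deny-all.
ALLOW_ALL = Policy("allow-all-to-httpd", "test2", {"deployment": "httpd"}, ingress=[[]])


def tutorial_steps() -> dict:
    """Reproduce the summary table, plus three cases the tutorial does not run."""
    both = [DENY_ALL, ALLOW_FROM_ALLOWED]
    return {
        "no policy": ingress_allowed(TEST_CLIENT, HTTPD, []),
        "deny-all": ingress_allowed(TEST_CLIENT, HTTPD, [DENY_ALL]),
        "allow from access=allowed": ingress_allowed(ALLOWED_CLIENT, HTTPD, both),
        "unlabeled pod": ingress_allowed(DENIED_CLIENT, HTTPD, both),
        # same label in another namespace is NOT admitted (no namespaceSelector in the rule)
        "labeled pod in other namespace": ingress_allowed(FOREIGN_CLIENT, HTTPD, both),
        # the allow policy alone already isolates httpd; deny-all is redundant
        "unlabeled pod, allow policy only": ingress_allowed(DENIED_CLIENT, HTTPD, [ALLOW_FROM_ALLOWED]),
        # a rule with an empty `from` opens the pod to every source
        "unlabeled pod, empty-from rule": ingress_allowed(DENIED_CLIENT, HTTPD, [ALLOW_ALL]),
    }


if __name__ == "__main__":
    for step, ok in tutorial_steps().items():
        print(f"{step:36s} {'ALLOWED' if ok else 'DENIED'}")
```

Run it with python3 and compare the first four lines with the summary table; the last three lines are the cases worth remembering when writing real policies: labels are not trusted across namespaces unless you add a namespaceSelector, a single allow policy is enough to isolate a pod, and an empty from is the opposite of a deny.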
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Author: Rajesh Kumar (personal website, YouTube, Instagram, X, Facebook, LinkedIn, Wizbrand)