Upgrade & Secure Your Future with DevOps, SRE, DevSecOps, MLOps!

We spend hours scrolling social media and waste money on things we forget, but won’t spend 30 minutes a day earning certifications that can change our lives.
Master in DevOps, SRE, DevSecOps & MLOps by DevOpsSchool!

Learn from Guru Rajesh Kumar and double your salary in just one year.

URL – https://www.devopsschool.com/blog/kubernetes-cks-network-policy-example-code/

🔐 OpenShift NetworkPolicies Tutorial (with `httpd` in `test2` namespace)

🎯 Goal

You will:

✅ Deploy an httpd server
✅ Launch test clients to access it
✅ Apply NetworkPolicy to:

❌ Block all traffic
✅ Allow traffic only from specific labeled pods

🔧 Prerequisites

You already have:

httpd deployed using ImageStream (oc new-app httpd -n test2)
oc expose svc/httpd -n test2 run (optional, for browser access)

✅ Step-by-Step Guide

✅ Step 1: Check Internal Access to `httpd`

Create a PSA-compliant test pod and try connecting to the httpd service:

oc run test-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "test-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Inside the pod:

wget -qO- httpd

✅ This should return a response — all traffic is allowed by default.

Exit:

exit
Code language: PHP (php)

🚫 Step 2: Block All Ingress Traffic to `httpd`

Create a deny-all NetworkPolicy:

cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-to-httpd
spec:
  podSelector:
    matchLabels:
      deployment: httpd
  policyTypes:
    - Ingress
EOF

This blocks all ingress to httpd pods.

🔁 Step 3: Retest (Should Fail Now)

Run the same test-client pod again and try:

wget -qO- httpd

❌ It should now fail — because ingress to httpd is blocked.

Exit:

exit
Code language: PHP (php)

✅ Step 4: Allow Labeled Pods to Access `httpd`

Deploy a new client pod with access=allowed label:

oc run allowed-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  --labels="access=allowed" \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "allowed-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Now create a policy to allow only that pod label:

cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-allowed
spec:
  podSelector:
    matchLabels:
      deployment: httpd
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: allowed
  policyTypes:
    - Ingress
EOF
Code language: JavaScript (javascript)

Inside the pod:

wget -qO- httpd

✅ This should now succeed — because the pod is allowed.

Exit:

exit
Code language: PHP (php)

❌ Step 5: Verify Denial from Unlabeled Pods

Run another test pod without label:

oc run denied-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "denied-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Then:

wget -qO- httpd

❌ This should fail — the pod is not allowed by the NetworkPolicy.

Exit:

exit
Code language: PHP (php)

✅ Summary Table

Step	Result
No policy	All pods can access `httpd`
Deny-all policy	No pod can access `httpd`
Allow from `access=allowed`	Only labeled pods can access
Unlabeled pods	Access denied

Rajesh Kumar

I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.

Do you want to learn Quantum Computing?

Please find my social handles as below;

Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND

Certification Courses

DevOpsSchool has introduced a series of professional certification courses designed to enhance your skills and expertise in cutting-edge technologies and methodologies. Whether you are aiming to excel in development, security, or operations, these certifications provide a comprehensive learning experience. Explore the following programs: