Upgrade & Secure Your Future with DevOps, SRE, DevSecOps, MLOps!

We spend hours scrolling social media and waste money on things we forget, but won’t spend 30 minutes a day earning certifications that can change our lives.
Master in DevOps, SRE, DevSecOps & MLOps by DevOpsSchool!

Learn from Guru Rajesh Kumar and double your salary in just one year.


Get Started Now!

OpenShift – Practical Guide to NetworkPolicy


URL – https://www.devopsschool.com/blog/kubernetes-cks-network-policy-example-code/



🔐 OpenShift NetworkPolicies Tutorial (with httpd in test2 namespace)


🎯 Goal

You will:

✅ Deploy an httpd server
✅ Launch test clients to access it
✅ Apply NetworkPolicy to:

  • ❌ Block all traffic
  • ✅ Allow traffic only from specific labeled pods

🔧 Prerequisites

You already have:

  • httpd deployed using ImageStream (oc new-app httpd -n test2)
  • oc expose svc/httpd -n test2 run (optional, for browser access)

✅ Step-by-Step Guide


✅ Step 1: Check Internal Access to httpd

Create a PSA-compliant test pod and try connecting to the httpd service:

oc run test-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "test-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Inside the pod:

wget -qO- httpd

✅ This should return a response — all traffic is allowed by default.

Exit:

exit
Code language: PHP (php)

🚫 Step 2: Block All Ingress Traffic to httpd

Create a deny-all NetworkPolicy:

cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-to-httpd
spec:
  podSelector:
    matchLabels:
      deployment: httpd
  policyTypes:
    - Ingress
EOF

This blocks all ingress to httpd pods.


🔁 Step 3: Retest (Should Fail Now)

Run the same test-client pod again and try:

wget -qO- httpd

❌ It should now fail — because ingress to httpd is blocked.

Exit:

exit
Code language: PHP (php)

✅ Step 4: Allow Labeled Pods to Access httpd

Deploy a new client pod with access=allowed label:

oc run allowed-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  --labels="access=allowed" \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "allowed-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Now create a policy to allow only that pod label:

cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-allowed
spec:
  podSelector:
    matchLabels:
      deployment: httpd
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: allowed
  policyTypes:
    - Ingress
EOF
Code language: JavaScript (javascript)

Inside the pod:

wget -qO- httpd

✅ This should now succeed — because the pod is allowed.

Exit:

exit
Code language: PHP (php)

❌ Step 5: Verify Denial from Unlabeled Pods

Run another test pod without label:

oc run denied-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "denied-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Then:

wget -qO- httpd

❌ This should fail — the pod is not allowed by the NetworkPolicy.

Exit:

exit
Code language: PHP (php)

✅ Summary Table

StepResult
No policyAll pods can access httpd
Deny-all policyNo pod can access httpd
Allow from access=allowedOnly labeled pods can access
Unlabeled podsAccess denied

Subscribe
Notify of
guest
0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments

Certification Courses

DevOpsSchool has introduced a series of professional certification courses designed to enhance your skills and expertise in cutting-edge technologies and methodologies. Whether you are aiming to excel in development, security, or operations, these certifications provide a comprehensive learning experience. Explore the following programs:

DevOps Certification, SRE Certification, and DevSecOps Certification by DevOpsSchool

Explore our DevOps Certification, SRE Certification, and DevSecOps Certification programs at DevOpsSchool. Gain the expertise needed to excel in your career with hands-on training and globally recognized certifications.

0
Would love your thoughts, please comment.x
()
x