
OpenShift – Practical Guide to NetworkPolicy


URL – https://www.devopsschool.com/blog/kubernetes-cks-network-policy-example-code/



๐Ÿ” OpenShift NetworkPolicies Tutorial (with httpd in test2 namespace)


Goal

You will:

  • Deploy an httpd server
  • Launch test clients to access it
  • Apply NetworkPolicy to:
      • Block all traffic
      • Allow traffic only from specific labeled pods

Prerequisites

You already have:

  • httpd deployed using ImageStream (oc new-app httpd -n test2)
  • oc expose svc/httpd -n test2 already run (optional, only needed for browser access)

Step-by-Step Guide


Step 1: Check Internal Access to httpd

Create a PSA-compliant test pod and try connecting to the httpd service:

oc run test-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "test-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'

Inside the pod:

wget -qO- httpd

This should return a response: with no NetworkPolicy in place, all traffic is allowed by default.

Exit:

exit

Step 2: Block All Ingress Traffic to httpd

Create a deny-all NetworkPolicy:

cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-to-httpd
spec:
  podSelector:
    matchLabels:
      deployment: httpd
  policyTypes:
    - Ingress
EOF

This blocks all ingress to the pods labelled deployment=httpd: the policy selects them and lists no ingress rules, so no source is admitted. Pods in test2 that do not carry that label are not selected and stay reachable.


๐Ÿ” Step 3: Retest (Should Fail Now)

Run the same test-client pod again and try:

wget -qO- httpd

โŒ It should now fail โ€” because ingress to httpd is blocked.

Exit:

exit

Step 4: Allow Labeled Pods to Access httpd

Deploy a new client pod carrying the access=allowed label:

oc run allowed-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  --labels="access=allowed" \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "allowed-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'

Now create a policy that allows ingress to httpd only from pods carrying that label:

cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-allowed
spec:
  podSelector:
    matchLabels:
      deployment: httpd
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: allowed
  policyTypes:
    - Ingress
EOF

Inside the pod:

wget -qO- httpd

This should now succeed, because the pod matches the allowed label.

Exit:

exit

โŒ Step 5: Verify Denial from Unlabeled Pods

Run another test pod without the label:

oc run denied-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "denied-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'

Then:

wget -qO- httpd

โŒ This should fail โ€” the pod is not allowed by the NetworkPolicy.

Exit:

exit

Summary Table

Step                         Result
No policy                    All pods can access httpd
Deny-all policy              No pod can access httpd
Allow from access=allowed    Only labeled pods can access httpd
Unlabeled pods               Access denied
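To see why the steps above compose the way the table says (a pod selected by no policy accepts everything, and once selected, policies are additive, so deny-all-to-httpd and allow-from-allowed coexist), here is an added offline model of the ingress decision; it is not code from the original post. The Pod and NetworkPolicy classes, the pod names and the httpd pod's deployment=httpd label are assumptions that mirror the tutorial, and the model covers only same-namespace podSelector peers, which is all the tutorial's policies use. It also checks two caveats the table does not cover: a non-httpd pod in test2 is unaffected, and the label alone does not admit a pod from another namespace.

```python
from dataclasses import dataclass, field

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)

@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: dict   # spec.podSelector.matchLabels ({} selects every pod in the namespace)
    ingress_rules: list  # per spec.ingress[] entry, the list of its `from` podSelector matchLabels

def matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key must be present with that value; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.items())

def ingress_allowed(src: Pod, dst: Pod, policies: list) -> bool:
    """Decide whether src may connect to dst (Ingress-only policies, as in the tutorial)."""
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and matches(p.pod_selector, dst.labels)]
    if not selecting:
        return True  # no policy selects dst: the Kubernetes default is allow-all
    # Policies are additive: one matching `from` peer in any selecting policy suffices,
    # and a bare podSelector peer only matches pods in the policy's own namespace.
    return any(src.namespace == p.namespace and matches(sel, src.labels)
               for p in selecting for rule in p.ingress_rules for sel in rule)

def tutorial_scenario() -> dict:
    # Constructed pods plus the two policies of this tutorial (namespace test2).
    httpd = Pod("httpd-1", "test2", {"deployment": "httpd"})  # label assumed from oc new-app
    test_client = Pod("test-client", "test2")
    allowed_client = Pod("allowed-client", "test2", {"access": "allowed"})
    denied_client = Pod("denied-client", "test2")
    deny_all = NetworkPolicy("deny-all-to-httpd", "test2", {"deployment": "httpd"}, [])
    allow_labeled = NetworkPolicy("allow-from-allowed", "test2", {"deployment": "httpd"},
                                  [[{"access": "allowed"}]])
    both = [deny_all, allow_labeled]
    return {
        "step1_no_policy": ingress_allowed(test_client, httpd, []),
        "step3_deny_all": ingress_allowed(test_client, httpd, [deny_all]),
        "step4_allowed": ingress_allowed(allowed_client, httpd, both),
        "step5_denied": ingress_allowed(denied_client, httpd, both),
        # Caveats the table omits: policies select only httpd pods; a label alone never admits a pod from another namespace.
        "other_pod_unaffected": ingress_allowed(denied_client, Pod("db-1", "test2"), both),
        "cross_ns_labeled_denied": ingress_allowed(
            Pod("allowed-client", "other-ns", {"access": "allowed"}), httpd, both),
    }
```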

Rajesh Kumar: I'm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus (https://www.cotocus.com/). I share tech blog at DevOps School (https://www.devopsschool.com/), travel stories at Holiday Landmark (https://www.holidaylandmark.com/), stock market tips at Stocks Mantra (https://www.stocksmantra.in/), health and fitness guidance at My Medic Plus (https://www.mymedicplus.com/), product reviews at TrueReviewNow (https://www.truereviewnow.com/), and SEO strategies at Wizbrand (https://www.wizbrand.com/). Do you want to learn Quantum Computing (https://www.quantumuting.com/)? Please find my social handles as below: Rajesh Kumar Personal Website (https://www.rajeshkumar.xyz/), YouTube (https://www.youtube.com/TheDevOpsSchool), Instagram (https://www.instagram.com/rajeshkumarin), X (https://x.com/RajeshKumarIn), Facebook (https://www.facebook.com/RajeshKumarLog), LinkedIn (https://www.linkedin.com/in/rajeshkumarin/), Wizbrand (https://www.wizbrand.com/rajeshkumar), DailyLogs (https://www.rajeshkumar.xyz/dailylogs).
