Find the Best Cosmetic Hospitals

Explore trusted cosmetic hospitals and make a confident choice for your transformation.

โ€œInvest in yourself โ€” your confidence is always worth it.โ€

Explore Cosmetic Hospitals

Start your journey today โ€” compare options in one place.

OpenShift – Practical Guide to NetworkPolicy


URL – https://www.devopsschool.com/blog/kubernetes-cks-network-policy-example-code/



๐Ÿ” OpenShift NetworkPolicies Tutorial (with httpd in test2 namespace)


๐ŸŽฏ Goal

You will:

โœ… Deploy an httpd server
โœ… Launch test clients to access it
โœ… Apply NetworkPolicy to:

  • โŒ Block all traffic
  • โœ… Allow traffic only from specific labeled pods

๐Ÿ”ง Prerequisites

You already have:

  • httpd deployed using ImageStream (oc new-app httpd -n test2)
  • oc expose svc/httpd -n test2 run (optional, for browser access)

โœ… Step-by-Step Guide


โœ… Step 1: Check Internal Access to httpd

Create a PSA-compliant test pod and try connecting to the httpd service:

oc run test-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "test-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Inside the pod:

wget -qO- httpd

โœ… This should return a response โ€” all traffic is allowed by default.

Exit:

exit
Code language: PHP (php)

๐Ÿšซ Step 2: Block All Ingress Traffic to httpd

Create a deny-all NetworkPolicy:

cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-to-httpd
spec:
  podSelector:
    matchLabels:
      deployment: httpd
  policyTypes:
    - Ingress
EOF

This blocks all ingress to httpd pods.


๐Ÿ” Step 3: Retest (Should Fail Now)

Run the same test-client pod again and try:

wget -qO- httpd

โŒ It should now fail โ€” because ingress to httpd is blocked.

Exit:

exit
Code language: PHP (php)

โœ… Step 4: Allow Labeled Pods to Access httpd

Deploy a new client pod with access=allowed label:

oc run allowed-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  --labels="access=allowed" \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "allowed-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Now create a policy to allow only that pod label:

cat <<EOF | oc apply -n test2 -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-allowed
spec:
  podSelector:
    matchLabels:
      deployment: httpd
  ingress:
    - from:
        - podSelector:
            matchLabels:
              access: allowed
  policyTypes:
    - Ingress
EOF
Code language: JavaScript (javascript)

Inside the pod:

wget -qO- httpd

โœ… This should now succeed โ€” because the pod is allowed.

Exit:

exit
Code language: PHP (php)

โŒ Step 5: Verify Denial from Unlabeled Pods

Run another test pod without label:

oc run denied-client \
  --rm -it \
  --restart=Never \
  --image=busybox:1.35 \
  -n test2 \
  --overrides='
{
  "apiVersion": "v1",
  "spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "seccompProfile": { "type": "RuntimeDefault" }
    },
    "containers": [{
      "name": "denied-client",
      "image": "busybox:1.35",
      "command": ["sh"],
      "stdin": true,
      "tty": true,
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "capabilities": {
          "drop": ["ALL"]
        },
        "runAsNonRoot": true
      }
    }]
  }
}'
Code language: PHP (php)

Then:

wget -qO- httpd

โŒ This should fail โ€” the pod is not allowed by the NetworkPolicy.

Exit:

exit
Code language: PHP (php)

โœ… Summary Table

StepResult
No policyAll pods can access httpd
Deny-all policyNo pod can access httpd
Allow from access=allowedOnly labeled pods can access
Unlabeled podsAccess denied

Find Trusted Cardiac Hospitals

Compare heart hospitals by city and services โ€” all in one place.

Explore Hospitals
Iโ€™m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at <a href="https://www.cotocus.com/">Cotocus</a>. I share tech blog at <a href="https://www.devopsschool.com/">DevOps School</a>, travel stories at <a href="https://www.holidaylandmark.com/">Holiday Landmark</a>, stock market tips at <a href="https://www.stocksmantra.in/">Stocks Mantra</a>, health and fitness guidance at <a href="https://www.mymedicplus.com/">My Medic Plus</a>, product reviews at <a href="https://www.truereviewnow.com/">TrueReviewNow</a> , and SEO strategies at <a href="https://www.wizbrand.com/">Wizbrand.</a> Do you want to learn <a href="https://www.quantumuting.com/">Quantum Computing</a>? <strong>Please find my social handles as below;</strong> <a href="https://www.rajeshkumar.xyz/">Rajesh Kumar Personal Website</a> <a href="https://www.youtube.com/TheDevOpsSchool">Rajesh Kumar at YOUTUBE</a> <a href="https://www.instagram.com/rajeshkumarin">Rajesh Kumar at INSTAGRAM</a> <a href="https://x.com/RajeshKumarIn">Rajesh Kumar at X</a> <a href="https://www.facebook.com/RajeshKumarLog">Rajesh Kumar at FACEBOOK</a> <a href="https://www.linkedin.com/in/rajeshkumarin/">Rajesh Kumar at LINKEDIN</a> <a href="https://www.wizbrand.com/rajeshkumar">Rajesh Kumar at WIZBRAND</a> <a href="https://www.rajeshkumar.xyz/dailylogs">Rajesh Kumar DailyLogs</a>

Related Posts

Best DevOps Tools in 2024

hereโ€™s a clear, structured breakdown of the Best DevOps Tools (grouped by categories), so you can use it for learning, training, or posts. ๐Ÿš€ Best DevOps Tools…

Read More

OpenShift Tutorial โ€“ Deploy and Access Your First Applications using OpenShift Local

How to install oc? OpenShift: How to Install OpenShift CLI oc How to login? Login to the Openshift using Web Console and CLI using oc Copy the admin…

Read More

OpenShift Lab 14: Setting Up and Using OpenShift Serverless Functions on OpenShift Local

Lab Objective In this lab, you will install and use OpenShift Serverless Functions on OpenShift Local. You will create a simple Node.js serverless function, deploy it to…

Read More

OpenShift Lab 13: Deploy a Java Spring Boot Application with MySQL Using the OpenShift Web Console

Lab Objective In this lab, you will deploy a Java Spring Boot application on OpenShift using the OpenShift web console. You will deploy two components: The Java…

Read More

OpenShift Lab 12: Deploy an Application from an Existing Container Image Using the OpenShift Web Console

Lab Objective In this lab, you will deploy an application on OpenShift from an existing container image. This lab is different from building an application from source…

Read More

OpenShift: How to Install OpenShift CLIย oc

Option – 1 – REDHAT Websites URL – https://access.redhat.com/downloads/content/290/ver=4.18/rhel—9/4.18.11/x86_64/product-software Option – 2 – OKD Websites The OKD (Origin Community Distribution of Kubernetes for OpenShift) is the open-source…

Read More
Subscribe
Notify of
guest
0 Comments
Newest
Oldest Most Voted
0
Would love your thoughts, please comment.x
()
x