β Validated for OpenShift 4.16.30 (Kubernetes v1.29.10)
𧱠Objective
- Deploy a simple Apache HTTP server using
openshift/httpd - Deploy a test pod to simulate network access
- Apply
NetworkPolicyto:- Allow or deny access based on pod labels and namespaces
π¦ Step 1: Pre-Requisites
- You must have:
- A running OpenShift 4.16+ cluster
- Access to the
ocCLI - Permissions to create
NetworkPolicyin your namespace
oc login --token=xxx --server=https://your-cluster-api:6443
oc new-project netpol-demo
π Step 2: Deploy Apache HTTP Server
oc new-app --name=my-httpd --image-stream=openshift/httpd
This will:
- Deploy the
httpdpod - Create a Service named
my-httpd
π Confirm deployment:
oc get pods
oc get svc
π§ͺ Step 3: Deploy a Test Pod to Simulate Access
oc run test-client --image=registry.access.redhat.com/ubi8/ubi --command -- sleep 3600
Wait a few seconds, then exec into it:
oc exec -it pod/test-client -- bash
curl http://my-httpd:8080
β You should see an HTTP response (e.g., HTML page)
π Step 4: Apply a Deny-All NetworkPolicy
Now apply a default deny-all ingress policy:
# deny-all.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-ingress
spec:
podSelector: {}
policyTypes:
- Ingress
oc apply -f deny-all.yaml
π Test again:
oc exec -it pod/test-client -- curl http://my-httpd:8080
β It should now fail with timeout β all ingress is blocked.
β Step 5: Allow Access Only from Labeled Pods
Label your test-client pod:
oc label pod test-client access=httpd-client
Create a NetworkPolicy to allow only pods with that label:
# allow-httpd-from-labeled-pods.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-httpd-from-specific-pod
spec:
podSelector:
matchLabels:
app: my-httpd
ingress:
- from:
- podSelector:
matchLabels:
access: httpd-client
policyTypes:
- Ingress
oc apply -f allow-httpd-from-labeled-pods.yaml
π Re-test:
oc exec -it pod/test-client -- curl http://my-httpd:8080
β Access is restored only for labeled pod.
π‘οΈ Step 6: Add a Pod in Another Namespace to Prove Isolation
Create another namespace:
oc new-project outside-namespace
Run a test pod:
oc run outsider --image=registry.access.redhat.com/ubi8/ubi --command -- sleep 3600
Try accessing:
oc exec -it pod/outsider -n outside-namespace -- curl http://my-httpd.netpol-demo.svc:8080
β Should fail β external namespace is blocked by policy
β Summary of What You Experienced
| Scenario | Access Status |
|---|---|
| Any pod (no policy) | β Allowed |
| After Deny-All | β Blocked |
| Labeled pod with allow policy | β Allowed |
| External namespace pod | β Blocked |
π Key Concepts Practiced
| Concept | What You Did |
|---|---|
| NetworkPolicy | Controlled access to httpd service |
| PodSelector | Matched specific workloads by label |
| NamespaceScope | Isolated access from other namespaces |
| Testing access | Used curl from test pods |
Iβm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I am working at Cotocus. I blog tech insights at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at I reviewed , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at PINTEREST
Rajesh Kumar at QUORA
Rajesh Kumar at WIZBRAND
