URL – https:\/\/www.devopsschool.com\/blog\/kubernetes-cks-network-policy-example-code\/<\/p>\n\n\n\n
<\/p>\n\n\n\n
httpd<\/code> in test2<\/code> namespace)<\/h1>\n\n\n\n
\n\n\n\n\ud83c\udfaf Goal<\/h2>\n\n\n\n
You will:<\/p>\n\n\n\n
\u2705 Deploy an httpd<\/code> server
\u2705 Launch test clients to access it
\u2705 Apply NetworkPolicy<\/code> to:<\/p>\n\n\n\n\n- \u274c Block all traffic<\/li>\n\n\n\n
- \u2705 Allow traffic only from specific labeled pods<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\ud83d\udd27 Prerequisites<\/h2>\n\n\n\n
You already have:<\/p>\n\n\n\n
\nhttpd<\/code> deployed using ImageStream (oc new-app httpd -n test2<\/code>)<\/li>\n\n\n\noc expose svc\/httpd -n test2<\/code> run (optional, for browser access)<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\u2705 Step-by-Step Guide<\/h2>\n\n\n\n
\n\n\n\n\u2705 Step 1: Check Internal Access to httpd<\/code><\/h3>\n\n\n\nCreate a PSA-compliant test pod<\/strong> and try connecting to the httpd<\/code> service:<\/p>\n\n\noc run test-client \\\n --rm -it \\\n --restart=Never \\\n --image=busybox:1.35<\/span> \\\n -n test2 \\\n --overrides='\n{\n \"apiVersion\": \"v1\",\n \"spec\": {\n \"securityContext\": {\n \"runAsNonRoot\": true,\n \"seccompProfile\": { \"type\": \"RuntimeDefault\" }\n },\n \"containers\": [{\n \"name\": \"test-client\",\n \"image\": \"busybox:1.35\",\n \"command\": [\"sh\"],\n \"stdin\": true,\n \"tty\": true,\n \"securityContext\": {\n \"allowPrivilegeEscalation\": false,\n \"capabilities\": {\n \"drop\": [\"ALL\"]\n },\n \"runAsNonRoot\": true\n }\n }]\n }\n}'<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\nInside the pod:<\/p>\n\n\n
wget -qO- httpd\n<\/code><\/span><\/pre>\n\n\n\n\u2705 This should return a response \u2014 all traffic is allowed by default.<\/p>\n<\/blockquote>\n\n\n\n
Exit:<\/p>\n\n\n
exit<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
\n\n\n\n\ud83d\udeab Step 2: Block All Ingress Traffic to httpd<\/code><\/h3>\n\n\n\nCreate a deny-all NetworkPolicy<\/code>:<\/p>\n\n\ncat <<EOF | oc apply -n test2 -f -\napiVersion: networking.k8s.io\/v1\nkind: NetworkPolicy\nmetadata:\n name: deny-all-to-httpd\nspec:\n podSelector:\n matchLabels:\n deployment: httpd\n policyTypes:\n - Ingress\nEOF\n<\/code><\/span><\/pre>\n\n\nThis blocks all ingress<\/strong> to httpd<\/code> pods.<\/p>\n\n\n\n
\n\n\n\n\ud83d\udd01 Step 3: Retest (Should Fail Now)<\/h3>\n\n\n\n
Run the same test-client<\/code> pod again and try:<\/p>\n\n\nwget -qO- httpd\n<\/code><\/span><\/pre>\n\n\n\n\u274c It should now fail<\/strong> \u2014 because ingress to httpd<\/code> is blocked.<\/p>\n<\/blockquote>\n\n\n\nExit:<\/p>\n\n\n
exit<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
\n\n\n\n\u2705 Step 4: Allow Labeled Pods to Access httpd<\/code><\/h3>\n\n\n\nDeploy a new client pod with access=allowed<\/code> label:<\/p>\n\n\noc run allowed-client \\\n --rm -it \\\n --restart=Never \\\n --image=busybox:1.35<\/span> \\\n --labels=\"access=allowed\"<\/span> \\\n -n test2 \\\n --overrides='\n{\n \"apiVersion\": \"v1\",\n \"spec\": {\n \"securityContext\": {\n \"runAsNonRoot\": true,\n \"seccompProfile\": { \"type\": \"RuntimeDefault\" }\n },\n \"containers\": [{\n \"name\": \"allowed-client\",\n \"image\": \"busybox:1.35\",\n \"command\": [\"sh\"],\n \"stdin\": true,\n \"tty\": true,\n \"securityContext\": {\n \"allowPrivilegeEscalation\": false,\n \"capabilities\": {\n \"drop\": [\"ALL\"]\n },\n \"runAsNonRoot\": true\n }\n }]\n }\n}'<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\nNow create a policy to allow only that pod label:<\/p>\n\n\n
cat <<EOF | oc apply -n test2 -f -\napiVersion: networking.k8s.io\/v1\nkind<\/span>: NetworkPolicy\nmetadata<\/span>:\n name: allow-from<\/span>-allowed\nspec<\/span>:\n podSelector:\n matchLabels:\n deployment: httpd\n ingress<\/span>:\n - from<\/span>:\n - podSelector:\n matchLabels:\n access: allowed\n policyTypes<\/span>:\n - Ingress\nEOF\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\nInside the pod:<\/p>\n\n\n
wget -qO- httpd\n<\/code><\/span><\/pre>\n\n\n\n\u2705 This should now succeed<\/strong> \u2014 because the pod is allowed.<\/p>\n<\/blockquote>\n\n\n\nExit:<\/p>\n\n\n
exit<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
\n\n\n\n\u274c Step 5: Verify Denial from Unlabeled Pods<\/h3>\n\n\n\n
Run another test pod without<\/strong> label:<\/p>\n\n\noc run denied-client \\\n --rm -it \\\n --restart=Never \\\n --image=busybox:1.35<\/span> \\\n -n test2 \\\n --overrides='\n{\n \"apiVersion\": \"v1\",\n \"spec\": {\n \"securityContext\": {\n \"runAsNonRoot\": true,\n \"seccompProfile\": { \"type\": \"RuntimeDefault\" }\n },\n \"containers\": [{\n \"name\": \"denied-client\",\n \"image\": \"busybox:1.35\",\n \"command\": [\"sh\"],\n \"stdin\": true,\n \"tty\": true,\n \"securityContext\": {\n \"allowPrivilegeEscalation\": false,\n \"capabilities\": {\n \"drop\": [\"ALL\"]\n },\n \"runAsNonRoot\": true\n }\n }]\n }\n}'<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\nThen:<\/p>\n\n\n
wget -qO- httpd\n<\/code><\/span><\/pre>\n\n\n\n\u274c This should fail \u2014 the pod is not allowed by the NetworkPolicy.<\/p>\n<\/blockquote>\n\n\n\n
Exit:<\/p>\n\n\n
exit<\/span>\n<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
\n\n\n\n\u2705 Summary Table<\/h2>\n\n\n\nStep<\/th> Result<\/th><\/tr><\/thead> No policy<\/td> All pods can access httpd<\/code><\/td><\/tr>Deny-all policy<\/td> No pod can access httpd<\/code><\/td><\/tr>Allow from access=allowed<\/code><\/td>Only labeled pods can access<\/td><\/tr> Unlabeled pods<\/td> Access denied<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
URL – https:\/\/www.devopsschool.com\/blog\/kubernetes-cks-network-policy-example-code\/ \ud83d\udd10 OpenShift NetworkPolicies Tutorial (with httpd in test2 namespace) \ud83c\udfaf Goal You will: \u2705 Deploy an httpd server\u2705 Launch test clients to access it\u2705 Apply NetworkPolicy to:… <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[5153],"tags":[],"class_list":["post-49337","post","type-post","status-publish","format-standard","hentry","category-openshift"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49337","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=49337"}],"version-history":[{"count":4,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49337\/revisions"}],"predecessor-version":[{"id":49765,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49337\/revisions\/49765"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=49337"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=49337"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=49337"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}