Deny Ingress Traffic That Has No Rules

An effective network security rule starts with denying all traffic by default unless explicitly allowed. This is how firewalls work. By default, Kubernetes regards any pod that is not selected by a NetworkPolicy as “non-isolated”. This means all ingress and egress traffic is allowed. So, a good foundation is to deny all traffic by default unless a NetworkPolicy rule defines which connections should pass. A NetworkPolicy definition for denying all ingress traffic may look like this:

Steps

git clone https://github.com/collabnix/kubelabs.git
cd kubelabs/Network_Policies101/
wget -q --timeout=5 nginx -O -

It should return the HTML of the nginx welcome page.

wget -q --timeout=5 google.com -O -

It should return the HTML of the google.com home page.

Enable ingress isolation on the namespace by deploying a default-deny-ingress policy

kubectl apply -f default-deny-ingress.yaml

Verify Access - Denied All Ingress

Because all pods in the namespace are now selected, any ingress traffic which is not explicitly allowed by a policy will be denied.

We can see that this is the case by switching over to our “access” pod in the namespace and attempting to access the nginx service.

kubectl run --namespace=advanced-policy-demo access --rm -ti --image busybox /bin/sh

/ # wget -q --timeout=5 nginx -O -
wget: download timed out
/ #

Next, try to access google.com.

wget -q --timeout=5 google.com -O -
<!doctype html><html itemscope="" itemt

We can see that the ingress access to the nginx service is denied while egress access to outbound internet is still allowed.

You can clean up after this tutorial by deleting the network-policy-demo namespace.

kubectl delete ns network-policy-demo