Kubernetes Pod-to-Pod Network Policies Battles: A Guide to Locking Things Down
Kubernetes is a powerful platform for orchestrating containerized workloads. But the complexity that comes with that power also brings security headaches. Controlling network traffic between pods, in particular, is critical to the safety of any modern application. That is exactly where Kubernetes pod-to-pod Network Policies step in. In this guide I’ll walk through what Network Policies are, why they matter, and how to put them to work in detail.
In this post we’ll lay the foundation for Kubernetes network security. You’ll learn how to use Network Policies as a shield to protect sensitive data and block unauthorized access to your applications. If you’re ready, let’s dive into the trenches and push the security of your pods as high as it can go.
What Are Network Policies and Why Do They Matter?
In Kubernetes, Network Policies are rules that define which traffic between pods is allowed. By default, every pod in a Kubernetes cluster can talk freely to every other pod. That can open up serious security holes, especially in large, complex systems. Once an attacker compromises a single pod, lateral movement to other pods becomes trivial.
Network Policies flip that default “open” stance to a “closed” one. In other words, no traffic is allowed by default. Only the flows that a Network Policy explicitly permits are able to take place. This is one of the most effective ways to apply the principle of least privilege at the network layer. By only allowing the communication you actually need, you dramatically shrink the attack surface.
How Do Network Policies Work?
Network Policies are defined as Kubernetes API objects, specifically the NetworkPolicy resource. These policies are applied to pods based on labels. A pod is governed by every Network Policy whose selector matches its labels. A Network Policy can describe which pods are allowed to reach a target pod (ingress) and which external entities the target pod is allowed to reach (egress).
Policies can filter traffic using different selectors such as IP blocks, pod labels, or namespaces. For example, you can write rules that only allow a pod to talk to another pod in the same namespace, or to servers in a specific IP range. That flexibility lets you handle even complex network topologies.
A pod can be subject to more than one Network Policy at the same time. When a pod is matched by multiple policies, the union of all their allowed flows is permitted. If no Network Policy targets a pod, all network traffic is permitted by default (which is exactly why you need to configure your policies carefully).
Basic Network Policy Configurations
Now let’s get hands-on. Let me walk through how to apply Network Policies in a Kubernetes cluster. Before you start, make sure your cluster has a Network Policy provider installed. Popular options include Calico, Cilium, and Weave Net. These providers interpret the Network Policy API and enforce traffic rules between pods.
Let’s start with a simple deny-all policy. This will apply to every pod for which we haven’t explicitly stated which traffic is allowed. It’s a safe starting point. After that we’ll grant traffic permissions to specific sets of pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: default
spec:
podSelector: {} # Boş podSelector, bu politikayı namespace'deki tüm podlara uygular
policyTypes:
- Ingress
- EgressThe default-deny-all policy above blocks both ingress and egress traffic for every pod in the default namespace. The podSelector: {} expression states that this policy applies to every pod in the namespace. The policyTypes field signals that this policy covers both inbound and outbound traffic.
Restricting Ingress Traffic (Ingress Policies)
Restricting ingress traffic is essential for protecting your application from unauthorized external access. We can let a pod accept traffic only from specific other pods or IP addresses.
For instance, suppose we want a frontend pod to only respond to requests coming from backend pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-from-backend
namespace: default
spec:
podSelector:
matchLabels:
app: frontend # Bu politika 'frontend' etiketli podlara uygulanacak
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: backend # 'backend' etiketli podlardan gelen trafiğe izin verThis policy targets pods with the label app: frontend. It only allows ingress traffic from pods labeled app: backend. The practical effect is that the frontend pod will not respond to requests from any source other than backend pods.
Restricting Egress Traffic (Egress Policies)
Restricting egress traffic is just as important as restricting ingress. It means letting a pod connect only to specific external services or other pods inside the cluster. That helps stop an attacker from pivoting from a compromised pod to systems outside the cluster.
For example, we might want a backend pod to only connect to an external database (within a specific IP range) and to frontend pods in its own namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-backend-egress
namespace: default
spec:
podSelector:
matchLabels:
app: backend # Bu politika 'backend' etiketli podlara uygulanacak
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 192.168.10.0/24 # Belirli bir IP aralığına izin ver
ports:
- protocol: TCP
port: 5432
- to:
- podSelector:
matchLabels:
app: frontend # Kendi ad alanındaki 'frontend' podlarına izin verThis policy controls egress traffic for pods with the label app: backend. It allows traffic to TCP port 5432 (a PostgreSQL database, for example) inside the 192.168.10.0/24 IP block, and to pods labeled app: frontend in the same namespace. All other egress traffic is denied by default.
Cross-Namespace Communication
Network Policies don’t only control communication between pods in the same namespace. They can also govern traffic across different namespaces. That is handy in microservice architectures where you want to spell out which services can reach which other services across namespaces.
Imagine that we want an api-gateway pod to be able to connect to the user-service pod in the users namespace and the product-service pod in the products namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-api-gateway-egress
namespace: api # Bu politika 'api' ad alanındaki podlara uygulanacak
spec:
podSelector:
matchLabels:
app: api-gateway
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
name: users # 'users' ad alanını seç
podSelector:
matchLabels:
app: user-service # 'user-service' podunu seç
- to:
- namespaceSelector:
matchLabels:
name: products # 'products' ad alanını seç
podSelector:
matchLabels:
app: product-service # 'product-service' podunu seçThis policy allows the pod labeled app: api-gateway in the api namespace to send traffic to the user-service pod in the users namespace and the product-service pod in the products namespace. By using namespaceSelector, we can target specific namespaces.
Network Policy Providers and Integration
As I mentioned earlier, you need a Network Policy provider (a CNI plugin) installed in your cluster for Network Policies to take effect. These providers watch the Kubernetes API and translate Network Policy objects into network rules that filter traffic between pods.
Some of the more common Network Policy providers are:
- Calico: A high-performance, scalable networking solution. Its Network Policy support is strong.
- Cilium: Uses eBPF (extended Berkeley Packet Filter) technology to deliver advanced networking and security features. It enforces Network Policies efficiently with eBPF.
- Weave Net: Known for being easy to install and operate. It supports Network Policy too.
Once you’ve installed your chosen provider in the cluster, you can start creating Network Policy objects. Each provider may bring its own extras or configuration knobs, so it’s worth reading the documentation for whichever one you’ve picked.
Common Mistakes and Things to Watch For
There are a handful of common mistakes and gotchas to keep in mind when configuring Kubernetes pod-to-pod Network Policies:
- Pods With No Policy: By default, if no Network Policy targets a pod, all traffic is allowed. That’s not what you want from a security standpoint. Make sure every pod is at least covered by a deny-all baseline.
- Wrong Label Selectors: Getting label selectors right is critical for policies to land on the correct pods or namespaces. Typos or missing labels can cause policies to behave very differently from what you intended.
- Missing
policyTypes: If you don’t specifypolicyTypesin a Network Policy, both ingress and egress traffic are allowed by default. That can effectively neutralize the policy. Always state explicitly which traffic direction you want to control. - Wrong Use of
NamespaceSelector: When you usenamespaceSelectorfor cross-namespace flows, double-check that the target namespace actually has the matching labels. - Untested Policies: Always test network policies before pushing them to production. A misconfigured policy can stop critical components from talking to each other and trigger an outage.
Wrap-Up: One Step Ahead in Network Security
Kubernetes pod-to-pod Network Policies are a powerful, flexible tool for securing your containerized workloads. By controlling network traffic at the application layer, you can block unauthorized access and substantially reduce the attack surface. Pulling the principle of least privilege down to the network plane makes your systems both safer and more resilient.
Throughout this guide we walked through the core concepts, configuration patterns, and common scenarios for Network Policies. Remember, a good security strategy demands ongoing iteration and careful tuning. Use Network Policies effectively and you’ll level up the network security posture of your Kubernetes environment. You’re better equipped for the trenches now.
I hope this in-depth guide has expanded your knowledge of Kubernetes network security. Stick around on Mustafa Erbay’s blog for more technology and career content!