A Network Policy in AWS EKS (Elastic Kubernetes Service) is a Kubernetes resource that controls the traffic flow at the IP address or port level (Layer 3 and Layer 4) within a Kubernetes cluster. Network policies define how groups of pods are allowed to communicate with each other and other network endpoints. They are used to enhance security by restricting the communication between pods.
Understanding Network Policies:
- Ingress rules: Control incoming traffic to the pods.
- Egress rules: Control outgoing traffic from the pods.
Network policies are implemented by network plugins (CNI – Container Network Interface). To use network policies in EKS, you need to use a CNI plugin that supports them, such as Calico.
Setting Up Network Policies in AWS EKS:
Step 1: Install a CNI Plugin that Supports Network Policies:
Calico is a popular CNI plugin that supports network policies. You can install Calico using a manifest file.
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
Step 2: Create a Network Policy:
Network policies are created using YAML configuration files. Below is an example of a network policy that allows specific ingress and egress traffic for a particular pod.
# node-app-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: node-app-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: node-app
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: node-app
      ports:
        - protocol: TCP
          port: 80
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: node-app
      ports:
        - protocol: TCP
          port: 80
In the above example:
- The network policy is applied to pods with the label app: node-app in the default namespace.
- Ingress rules allow incoming traffic only from other pods with the same label (app: node-app) on TCP port 80.
- Egress rules allow outgoing traffic only to other pods with the same label on TCP port 80.
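As a pre-apply check for the policy above, here is an added example that is not part of the original page and does not call the Kubernetes API: it encodes the NetworkPolicy allow-list semantics (policyTypes defaults, an empty from/to meaning any peer, a podSelector without namespaceSelector meaning the policy's own namespace), summarises which peers and ports are permitted in each direction, and flags two things worth checking: an empty podSelector, and egress isolation without a rule for port 53, which is the case for the node-app policy, so its pods cannot resolve DNS. The policy is embedded as a constructed dict mirroring the YAML.

```python
# Constructed input: a dict mirroring node-app-network-policy.yaml above.
NODE_APP_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "node-app-network-policy", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "node-app"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "node-app"}}}],
                     "ports": [{"protocol": "TCP", "port": 80}]}],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "node-app"}}}],
                    "ports": [{"protocol": "TCP", "port": 80}]}],
    },
}

def _labels(selector):  # matchLabels as k=v, or * when the selector matches everything
    labels = selector.get("matchLabels", {})
    return ",".join(f"{k}={v}" for k, v in sorted(labels.items())) or "*"

def _peer(peer):  # render one `from`/`to` entry
    if "ipBlock" in peer:
        return "cidr[" + peer["ipBlock"].get("cidr", "?") + "]"
    # a podSelector without namespaceSelector only matches the policy's own namespace
    ns = _labels(peer["namespaceSelector"]) if "namespaceSelector" in peer else "same"
    return f"namespace[{ns}] pods[{_labels(peer.get('podSelector', {}))}]"

def analyze_policy(policy):
    """Return (allowed, warnings): what the policy permits per direction, and caveats."""
    spec = policy["spec"]
    allowed, warnings = {}, []
    sel = spec.get("podSelector", {})
    if not (sel.get("matchLabels") or sel.get("matchExpressions")):
        warnings.append("empty podSelector: policy selects every pod in the namespace")
    # policyTypes default: Ingress always, Egress only when egress rules are present
    types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
    for direction, key in (("Ingress", "from"), ("Egress", "to")):
        if direction not in types:
            continue
        rules = []
        for rule in spec.get(direction.lower()) or []:
            peers = [_peer(p) for p in rule.get(key, [])] or ["any"]  # no from/to = any peer
            ports = {p.get("port") for p in rule.get("ports", [])} or {"*"}  # no ports = all
            rules.append((peers, ports))
        allowed[direction] = rules  # [] means the pods are isolated with nothing allowed
    egress = allowed.get("Egress")
    if egress is not None and not any("*" in p or 53 in p for _, p in egress):
        warnings.append("egress is isolated but no rule allows port 53: DNS lookups fail")
    return allowed, warnings
```

Run it against the node-app policy and the egress warning shows up; adding an egress rule to the cluster DNS pods on port 53 clears it.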
Step 3: Apply the Network Policy:
Apply the network policy to your EKS cluster using kubectl.
kubectl apply -f node-app-network-policy.yaml
Assigning a Network Policy to a Particular Pod:
To assign a network policy to a particular pod, you need to ensure that the pod has the appropriate labels that match the podSelector in the network policy.
apiVersion: v1
kind: Pod
metadata:
  name: node-app-pod
  namespace: default
  labels:
    app: node-app
spec:
  containers:
    - name: myapp-container
      image: myapp:latest
In the above file, the pod node-app-pod has the label app: node-app, which matches the podSelector in the network policy.
Summary:
- Install a CNI Plugin: Install a network plugin like Calico that supports network policies.
- Create a Network Policy: Define ingress and egress rules using a Network Policy YAML file.
- Apply the Network Policy: Use kubectl apply to apply the network policy to the EKS cluster.
- Assign to Pods: Ensure pods have the appropriate labels to match the podSelector in the network policy.
- Verify: Test connectivity to ensure the network policy is enforced correctly.