What is Network policy and how we can assign to the particular pod in AWS EKS cluster?

A Network Policy in AWS EKS (Elastic Kubernetes Service) is a Kubernetes resource that controls the traffic flow at the IP address or port level (Layer 3 and Layer 4) within a Kubernetes cluster. Network policies define how groups of pods are allowed to communicate with each other and other network endpoints. They are used to enhance security by restricting the communication between pods.

Understanding Network Policies:

1. Ingress rules: Control incoming traffic to the pods.
2. Egress rules: Control outgoing traffic from the pods.

Network policies are implemented by network plugins (CNI – Container Network Interface). To use network policies in EKS, you need to use a CNI plugin that supports them, such as Calico.

Setting Up Network Policies in AWS EKS:

Step 1: Install a CNI Plugin that Supports Network Policies:

Calico is a popular CNI plugin that supports network policies. You can install Calico using a manifest file.

kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml

Step 2: Create a Network Policy:

Network policies are created using YAML configuration files. Below is an example of a network policy that allows specific ingress and egress traffic for a particular pod.

#node-app-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: node-app-network-policy
  namespace: default
spec:
  podSelector: 
    matchLabels:
      app: node-app
  policyTypes:
  - Ingress
  - Egress
  ingress: 
  - from: 
    - podSelector: 
        matchLabels: 
          app: node-app
    ports:
    - protocol: TCP
      port: 80
  egress: 
  - to:
    - podSelector:
        matchLabels: 
          app: node-app
    ports: 
    - protocol: TCP
      port: 80

In the above example:

1. The network policy is applied to pods with the label app: myapp in the default namespace.
2. Ingress rules allow incoming traffic from other pods with the same label (app: myapp) on TCP port 80.
3. Egress rules allow outgoing traffic to other pods with the same label on TCP port 80.

Step 3: Apply the Network Policy:

Apply the network policy to your EKS cluster using kubectl.

kubectl apply -f node-app-network-policy.yaml

Assigning a Network Policy to a Particular Pod:

To assign a network policy to a particular pod, you need to ensure that the pod has the appropriate labels that match the podSelector in the network policy.

apiVersion: v1
kind: Pod
metadata:
  name: node-app-pod
  namespace: default
  labels:
    app: node-app
spec:
  containers:
  - name: myapp-container
    image: myapp:latest

In the above file, The pod node-app-pod has the label app: node-app, which matches the podSelector in the network policy.

Summary:

1. Install a CNI Plugin: Install a network plugin like Calico that supports network policies.
2. Create a Network Policy: Define ingress and egress rules using a Network Policy YAML file.
3. Apply the Network Policy: Use kubectl apply to apply the network policy to the EKS cluster.
4. Assign to Pods: Ensure pods have the appropriate labels to match the podSelector in the network policy.
5. Verify: Test connectivity to ensure the network policy is enforced correctly.