Alauda Container Platform

Network Policy

INFO

The platform now provides two different UIs for Network Policies. The old one is maintained for compatibility reasons, while the new one is more flexible and provides a native YAML editor. We recommend using the new version.

Please contact the platform administrator to enable the network-policy-next feature gate to access the new UI.

NetworkPolicy is a namespace-scoped Kubernetes resource and implemented by CNI plugins. Through network policies, you can control network traffic of Pods, achieving network isolation and reducing the risk of attacks.

By default, all Pods can communicate freely, allowing ingress and egress traffic from any source. When a NetworkPolicy is applied, the targeted Pods will only accept traffic that matches the spec.

WARNING

Network policies only apply to container traffic. They don't affect Pods running in hostNetwork mode.

Example NetworkPolicy:

# example-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example
  namespace: demo-1
  annotations:
    cpaas.io/display-name: test
spec:
  podSelector:
    matchLabels:
      pod-template-hash: 55c84b59bb
  ingress:
    - ports:
        - protocol: TCP
          port: 8989
      from:
        - podSelector:
            matchLabels:
              kubevirt.io/vm: test
  egress:
    - ports:
        - protocol: TCP
          port: 80
      to:
        - ipBlock:
            cidr: 192.168.66.221/23
            except: []
  policyTypes:
    - Ingress
    - Egress
  1. from and 'to' peer support namespaceSelector, podSelector, 'ipBlock'

TOC

Creating NetworkPolicy by using the web console

  1. Enter Container Platform.

  2. In the left navigation bar, click Network > Network Policies.

  3. Click Create Network Policy.

  4. Refer to the following instructions to complete the relevant configuration.

AreaParameterDescription
Target PodPod SelectorEnter the labels of the target Pods in key-value form; if not set, it will apply to all Pods in the current namespace.
Preview of Target Pods Affected by Current PolicyClick Preview to see the target Pods affected by this network policy.
IngressBlock all ingress trafficBlock all ingress traffic to the target Pod.

Note:
  • If Ingress is added to the spec.policyTypes field in YAML without configuring specific rules, the Block all ingress traffic option will automatically be checked when switching back to the form.
  • If the spec.ingress, spec.egress, and spec.policyTypes fields are simultaneously deleted in YAML, the Block all ingress traffic option will automatically be checked when switching back to the form.
Rules

Description: If multiple sources are added in the rules, there is a logical OR relationship between them.		Pods in Current NamespaceMatch Pods with specified labels in the current namespace; only matched Pods can access the target Pod. You can click Preview to see the Pods affected by the current rule. If this item is not configured, all Pods in the current namespace are allowed to access the target Pod by default.
Pods in Current ClusterMatch namespaces or Pods with specified labels in the cluster; only matched Pods can access the target Pod. You can click Preview to see the Pods affected by the current rule.
  • If both namespace and Pod selectors are configured, it will take the intersection of the two, meaning Pods with specified labels will be selected from the specified namespace.
  • If this item is not configured, all Pods from all namespaces in the cluster can access the target Pod by default.
IP RangeEnter the CIDR that can access the target Pod and can exclude CIDR ranges that are not allowed to access the target Pod. If this item is not configured, any traffic can access the target Pod.

Description: You can add exclusion items in the form of example_ip/32 to exclude a single IP address.
PortMatch traffic on specified protocols and ports; numeric ports or port names on Pods can be added. If this item is not configured, all ports will be matched.
EgressBlock all egress trafficBlock all egress traffic to the target Pod.

Note:
  • If Egress is added to the spec.policyTypes field in YAML without configuring specific rules, the Block all egress traffic option will automatically be checked when switching back to the form.
Other ParametersSimilar to the Ingress parameters, this will not be elaborated on here.
  1. Click Create.

Creating NetworkPolicy by using the CLI

kubectl apply -f example-network-policy.yaml

Reference

If you want more details, check out the official docs on Network Policies.