Secure traffic between pods by using network policies in AKS
Muhammad Kashif
Virgin Media O2 Devops Engineer?? | Linux?? |Terraform??? | Docker?? | Kubernetes ?? | Git ?? | CI/CD ?? | GitHub Actions ?? | Grafana??| YAML ?? PowerShell |
When you run modern, microservices-based applications in Kubernetes, you often want to control which components can communicate with each other. The principle of least privilege should be applied to how traffic can flow between pods in an Azure Kubernetes Service (AKS) cluster. Let's say you want to block traffic directly to back-end applications. The network policy feature in Kubernetes lets you define rules for ingress and egress traffic between pods in a cluster.
This article shows you how to install the network policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS. Network policies could be used for Linux-based or Windows-based nodes and pods in AKS.
Overview of network policy
All pods in an AKS cluster can send and receive traffic without limitations, by default. To improve security, you can define rules that control the flow of traffic. Back-end applications are often only exposed to required front-end services, for example. Or, database components are only accessible to the application tiers that connect to them.
Network policy is a Kubernetes specification that defines access policies for communication between pods. When you use network policies, you define an ordered set of rules to send and receive traffic. You apply the rules to a collection of pods that match one or more label selectors.
The network policy rules are defined as YAML manifests. Network policies can be included as part of a wider manifest that also creates a deployment or service.
Network policy options in AKS
Azure provides three Network Policy engines for enforcing network policies:
Setting up network policies in Azure Kubernetes Service (AKS) helps you control the traffic flow between pods, enhancing the security of your cluster. Here’s a step-by-step guide to get you started:
Step-by-Step Guide to Setting Up Network Policies in AKS
Prerequisites
1- AKS Cluster: Ensure you have an AKS cluster up and running.
2- kubectl: Make sure kubectl is installed and configured to interact with your AKS cluster.
Step 1: Enable Network Policies
When creating your AKS cluster, you can enable network policies using one of the supported network policy engines: Azure Network Policy, Calico, or Cilium. Here’s an example using Azure Network Policy:
领英推荐
az aks create \
--resource-group myResourceGroup \
--name myAKSCluster \
--network-policy azure \
--node-count 3 \
--enable-addons monitoring \
--generate-ssh-keys
If your cluster is already created, you can enable network policies by updating the cluster configuration.
Step 2: Define Network Policies
Network policies are defined using YAML manifests. Here’s an example of a simple network policy that allows traffic only from pods with the label app=frontend to pods with the label app=backend.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-to-backend
namespace: default
spec:
podSelector:
matchLabels:
app: backend
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
Save this YAML to a file network-policy.yaml.
Step 3: Apply the Network Policy
Apply the network policy to your AKS cluster using kubectl.
kubectl apply -f network-policy.yaml
Step 4: Verify the Network Policy
You can verify that the network policy is applied correctly by checking the pods and their connectivity.
kubectl get networkpolicy
Summary
By following these steps, you can set up and manage network policies in your AKS cluster to control traffic flow between pods. This enhances the security and compliance of your applications.
For more detailed information, you can refer to official documentation in the link below.
If you have any questions or need further assistance, feel free to ask! ??