Creating a network policy

As a user with the admin role, you can create a network policy for a namespace.

Creating a network policy

To define granular rules describing ingress or egress network traffic allowed for namespaces in your cluster, you can create a network policy.

If you log in with a user with the cluster-admin role, then you can create a network policy in any namespace in the cluster.

Prerequisites

  • Your cluster uses a cluster network provider that supports NetworkPolicy objects, such as the OpenShift SDN network provider with mode: NetworkPolicy set. This mode is the default for OpenShift SDN.

  • You installed the OpenShift CLI (oc).

  • You are logged in to the cluster with a user with admin privileges.

  • You are working in the namespace that the network policy applies to.

Procedure

  1. Create a policy rule:

    1. Create a <policy_name>.yaml file:

      1. $ touch <policy_name>.yaml

      where:

      <policy_name>

      Specifies the network policy file name.

    2. Define a network policy in the file that you just created, such as in the following examples:

      Deny ingress from all pods in all namespaces

      1. kind: NetworkPolicy
      2. apiVersion: networking.k8s.io/v1
      3. metadata:
      4.   name: deny-by-default
      5. spec:
      6.   podSelector:
      7.   ingress: []

    Allow ingress from all pods in the same namespace

    1. kind: NetworkPolicy
    2. apiVersion: networking.k8s.io/v1
    3. metadata:
    4.   name: allow-same-namespace
    5. spec:
    6.   podSelector:
    7.   ingress:
    8.   - from:
    9.     - podSelector: {}

  2. To create the network policy object, enter the following command:

    1. $ oc apply -f <policy_name>.yaml -n <namespace>

    where:

    <policy_name>

    Specifies the network policy file name.

    <namespace>

    Optional: Specifies the namespace if the object is defined in a different namespace than the current namespace.

    Example output

    1. networkpolicy.networking.k8s.io/default-deny created

If you log in to the web console with cluster-admin privileges, you have a choice of creating a network policy in any namespace in the cluster directly in YAML or from a form in the web console.

Example NetworkPolicy object

The following annotates an example NetworkPolicy object:

  1. kind: NetworkPolicy
  2. apiVersion: networking.k8s.io/v1
  3. metadata:
  4.   name: allow-27107 (1)
  5. spec:
  6.   podSelector: (2)
  7.     matchLabels:
  8.       app: mongodb
  9.   ingress:
  10.   - from:
  11.     - podSelector: (3)
  12.         matchLabels:
  13.           app: app
  14.     ports: (4)
  15.     - protocol: TCP
  16.       port: 27017
1The name of the NetworkPolicy object.
2A selector that describes the pods to which the policy applies. The policy object can only select pods in the project that defines the NetworkPolicy object.
3A selector that matches the pods from which the policy object allows ingress traffic. The selector matches pods in the same namespace as the NetworkPolicy.
4A list of one or more destination ports on which to accept traffic.

Additional resources