Kubernetes Network Policies

SUMMARY Juniper Cloud-Native Contrail^® Networking^™ (CN2) lets you deploy Kubernetes network policies within the Contrail firewall security policy framework. You must use a Container Network Interface (CNI) that supports NetworkPolicy, like Contrail, to deploy a network policy. This topic provides information about how to deploy a Kubernetes network policy in environments running CN2.

Kubernetes Network Policy Overview

Kubernetes network policies let you specify how pods communicate with other pods and network endpoints. A Kubernetes NetworkPolicy resource enables a pod to communicate with:

Other pods in the allowlist (a pod cannot block access to itself).
Namespaces in the allowlist.
IP blocks, or Classless Inter-Domain Routing (CIDR).

Kubernetes network policies apply only to pods within a namespace and define ingress (source) and egress (destination) rules. Kubernetes network policies have the following characteristics when applied to a pod:

Pod specific and apply to a single pod or a group of pods. Network policy rules dictate the traffic to that pod.
Define traffic rules for a pod for ingress traffic, egress traffic, or both. If you don't specify a direction explicitly, the policy applies to the ingress direction by default.
Must contain explicit rules that specify traffic from the allowlist in the ingress and egress directions. Traffic that does not match the allowlist rules is denied.
Permitted traffic includes traffic matching any of the network policies applied to a pod.

Kubernetes network policies have the following additional characteristics:

When not applied to a pod, that pod accepts traffic from all sources.
Act on connections rather than individual packets. For example, if traffic from pod A to pod B is allowed by the configured policy, then the packets from pod B to pod A are also allowed, even if the policy in place does not allow pod B to initiate a connection to pod A.

A Kubernetes network policy comprises the following sections:

spec: Describes the desired state of a Kubernetes object. For a network policy, the podSelector and policyTypes fields within the spec specify the rules for that policy.
podSelector: Selects the groups of pods to which the policy applies. An empty podSelector selects all pods in the namespace.
policyTypes: Specifies whether the policy applies to ingress traffic from selected pods or egress traffic to selected pods. If no policyTypes are specified, the ingress direction is selected by default.
ingress: Allows ingress traffic that matches the from and ports sections. In the following example, the ingress rule allows connections to all pods in the dev namespace with the label app: webserver-dev on TCP port 80 from:
- Any pod in the default namespace with the label app: client1-dev.
- All IP addresses within the 10.169.25.20/32 range.
- Any pod in the default namespace with the label project: jtac.
egress: Allows egress traffic that matches the to and portssections. In Example 1, the egress rule allows connections from any pod in the default namespace with the label app: dbserver-dev to port TCP 80.
ipBlock: Selects IP CIDR ranges to allow as ingress sources or egress destinations. The ipBlock section of a network policy contains the following two fields:
- cidr (ipBlock.cidr): The network policy allows egress traffic to, or ingress traffic from, the specified IP range.
- except (ipBlock.except): Kubernetes expects traffic in the specified IP range not to match the policy. The network policy denies ingress traffic to, or egress traffic from, the IP range specified in except.

The following NetworkPolicy resource example shows ingress and egress rules:

In this example, ingress TCP traffic from IPs within CIDR 10.169.25.20/32 from port: 80 is allowed. Egress traffic to pods with matchLabels app: dbserver-dev to TCP port: 80 is allowed.

Deploy a Kubernetes Network Policy in Cloud-Native Contrail Networking

In CN2, after you configure and deploy a Kubernetes network policy, that policy is created automatically in Contrail. Here's an example of a Kubernetes network policy:

This policy results in the following objects being created in CN2:

Table 1: Tags
Key	Value
role	db
namespace	default
project	myproject
role	frontend

Table 2: Address Groups
Name	Prefix
test-network-policy-except	172.17.1.0/24
test-network-policy	172.17.0.0/16
test-network-policy-egress	10.0.0.0/24

Table 3: Firewall Rules
Rule Name	Action	Service	Endpoint1	Direction	Endpoint2
default-ingress-test-network-policy-0-ipBlock-0-17x.xx.1.0/24-0	deny	tcp:6379	role=db && namespace=default	ingress	Address Group: 172.17.1.0/24
default-ingress-test-network-policy-0-ipBlock-0-cidr-17x.xx.0.0/16-0	pass	tcp:6379	role=db && namespace=default	ingress	Address Group: 172.17.0.0/16
default-ingress-test-network-policy-0-namespaceSelector-1-0	pass	tcp:6379	role=db && namespace=default	ingress	project=myproject
default-ingress-test-network-policy-0-podSelector-2-0	pass	tcp:6379	role=db && namespace=default	ingress	namespace=default && role=frontend
default-egress-test-network-policy-ipBlock-0-cidr-10.0.0.0/24-0	pass	tcp:5978	role=db && namespace=default	egress	Address Group: 10.0.0.0/24

Table 4: Firewall Policy
Name	Rules
default-test-network-policy	default-ingress-test-network-policy-0-ipBlock-0-172.17.1.0/24-0, default-ingress-test-network-policy-0-ipBlock-0-cidr-172.17.0.0/16-0 default-ingress-test-network-policy-0-namespaceSelector-1-0 default-ingress-test-network-policy-0-podSelector-2-0, default-egress-test-network-policy-ipBlock-0-cidr-10.0.0.0/24-0

Kubernetes Network Policy matchExpressions

Starting in Cloud-Native Contrail Networking (CN2) version 22.3, CN2 supports Kubernetes Network Policy with matchExpressions. For more information about matchExpressions, see "Resources that support set-based requirements" in the Kubernetes documentation.

ON THIS PAGE

Kubernetes Network Policies

Kubernetes Network Policy Overview

Deploy a Kubernetes Network Policy in Cloud-Native Contrail Networking

Kubernetes Network Policy matchExpressions