
5.5.3 Network Security Policy


The Network Security Policy we now need to apply, in order to allow only the intended communication within the subject namespace, is shown below.

# Allow only ports 8080 and 5432 in ingress. Egress: all
resource "kubernetes_network_policy" "allow_http_pgsql" {
  metadata {
    name      = "allow-http-pgsql"
    namespace = "s4cp"
  }

  spec {
    # The policy applies to every pod in the namespace carrying app=s4cp
    pod_selector {
      match_labels = {
        app = "s4cp"
      }
    }
    # Ingress rule with ports only (no "from"): these two ports are reachable from any source
    ingress {
      ports {
        port     = "8080"
        protocol = "TCP"
      }
      ports {
        port     = "5432"
        protocol = "TCP"
      }
    }
    # An empty egress rule matches all traffic, so egress stays unrestricted
    egress {}
    policy_types = ["Ingress", "Egress"]
  }
}

This Network Policy controls the network traffic of pods labeled "app=s4cp" in the "s4cp" namespace. It allows incoming traffic only on ports 8080 (application) and 5432 (database) while leaving egress traffic unrestricted; once a pod is selected by this policy, ingress on any other port is denied. The policy thereby enforces security controls on network communication for pods with the specified label selector.
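To make the semantics of that resource concrete, the following added example (not code from the tutorial or its repository) transcribes the policy into API-shaped data and implements a small evaluator for the Kubernetes NetworkPolicy rules: a pod not selected by any policy is unrestricted, and once a policy selects it, only traffic matching some rule of the listed policy type gets through. The dict, the pod labels and the helper names are constructed for this illustration; peer selectors (`from`/`to`) are deliberately not modelled because the policy above uses none.

```python
"""Evaluate the Kubernetes NetworkPolicy semantics of the allow-http-pgsql policy.

Added example, not the tutorial's own code: the policy is transcribed from the
Terraform resource into a plain dict shaped like the Kubernetes NetworkPolicy API,
and a small evaluator decides whether a given connection is allowed.
"""

# Constructed transcription of the Terraform resource into API-shaped data.
ALLOW_HTTP_PGSQL = {
    "metadata": {"name": "allow-http-pgsql", "namespace": "s4cp"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "s4cp"}},
        "policyTypes": ["Ingress", "Egress"],
        # Each ingress rule lists ports only: no "from", so any peer may connect.
        "ingress": [
            {"ports": [{"port": 8080, "protocol": "TCP"},
                       {"port": 5432, "protocol": "TCP"}]},
        ],
        # One empty egress rule matches everything: egress is unrestricted.
        "egress": [{}],
    },
}


def selects_pod(policy: dict, pod_labels: dict) -> bool:
    """A policy applies to a pod when every matchLabels entry is present on the pod."""
    wanted = policy["spec"]["podSelector"].get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())


def _rule_matches(rule: dict, port: int, protocol: str) -> bool:
    """An empty rule matches all traffic; otherwise every listed constraint must hold."""
    ports = rule.get("ports")
    if ports is not None:
        if not any(p["port"] == port and p.get("protocol", "TCP") == protocol for p in ports):
            return False
    # Peer lists ("from"/"to") are not modelled here; a rule without one allows any peer.
    return True


def is_allowed(policy: dict, pod_labels: dict, direction: str,
               port: int, protocol: str = "TCP") -> bool:
    """True if traffic in `direction` ("ingress"/"egress") on port/protocol is allowed.

    Kubernetes semantics: an unselected pod is unrestricted. Once a policy selects
    it and names a policyType, only traffic matching some rule of that type is
    allowed; a selected direction with no rules at all denies everything.
    """
    if not selects_pod(policy, pod_labels):
        return True
    spec = policy["spec"]
    if direction.capitalize() not in spec.get("policyTypes", []):
        return True
    return any(_rule_matches(r, port, protocol) for r in spec.get(direction, []))


def review_findings(policy: dict) -> list:
    """Points a reviewer would note about this policy's exposure."""
    findings = []
    for rule in policy["spec"].get("ingress", []):
        if "from" not in rule:
            findings.append("ingress rule has no 'from' peer: allowed ports are reachable from any source")
    if any(rule == {} for rule in policy["spec"].get("egress", [])):
        findings.append("egress contains an empty rule: all egress traffic is allowed")
    return findings


if __name__ == "__main__":
    app = {"app": "s4cp"}
    for direction, port in [("ingress", 8080), ("ingress", 5432), ("ingress", 22), ("egress", 443)]:
        verdict = "allowed" if is_allowed(ALLOW_HTTP_PGSQL, app, direction, port) else "denied"
        print(f"{direction} {port}/TCP: {verdict}")
    for finding in review_findings(ALLOW_HTTP_PGSQL):
        print("finding:", finding)
```

Running it shows 8080 and 5432 allowed, 22 denied, egress to 443 allowed, and two findings: the ingress ports are open to any source, and egress is wide open. Tightening either (a `from` block on the ingress rule, or a concrete `to` list in egress) would be the next hardening step, but that is beyond what this chapter's policy does.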

โ–ถ๏ธ Applying NetPolโ€‹

Let's apply the above network security policy using the commands below, which will make our app work again!

cd ~/playground/
cp -r ~/s4cpcode/chapter5/5I/. ~/playground/
git status
git add .
git commit -m "installing netpol"
git push

Application Up

  • If we now view the application, it is working perfectly again!

๐Ÿ‘๏ธ View NetPolโ€‹

  • Log in as Goku and then view the network policy as shown below
awsmfa -i goku arn:aws:iam::<prod-ic>:role/AssumeRoleK8sAdminWithMFAprod
kubectl get netpol -n s4cp
kubectl describe netpol allow-http-pgsql -n s4cp

End of Chapter 5

That completes Chapter 5. Chapter 6 has no dependency on Chapter 5, but it does depend on Chapters 1, 2 and 3.