How do I restrict pod-to-pod communication using labels in Kubernetes?
In this guide, we’re going to look at how to restrict pod-to-pod communication using labels in Kubernetes. This will involve creating a NetworkPolicy that enforces rules on how pods can communicate with each other based on their labels. Such network policies are crucial for securing your Kubernetes environment by limiting access controls at the network level.
Overview
We will define a NetworkPolicy in Kubernetes which restricts the traffic between pods based on specified labels. This example will include:
- A namespace for isolation.
- Two sets of pods with different labels.
- A NetworkPolicy that only allows communication between pods with specific labels.
Detailed Explanation
- Namespace: We’ll create a namespace to scope our resources.
- Pods: We’ll create two deployments with different labels.
- NetworkPolicy: We’ll define a NetworkPolicy to control pod-to-pod traffic based on labels.
Key Points:
- Namespace: Create and manage a set of Kubernetes resources.
- Labels: Use labels to apply constraints and policies on Kubernetes resources.
- NetworkPolicy: Enforce networking rules in a Kubernetes cluster for traffic control.
Below is the complete example of the configuration:
import * as pulumi from "@pulumi/pulumi";
import * as kubernetes from "@pulumi/kubernetes";
// Define the namespace
const example = new kubernetes.core.v1.Namespace("example", {metadata: {
name: "example-namespace",
}});
// Define the first deployment with label 'app: frontend'
const frontend = new kubernetes.apps.v1.Deployment("frontend", {
metadata: {
name: "frontend",
namespace: example.metadata.apply(metadata => metadata.name),
labels: {
app: "frontend",
},
},
spec: {
replicas: 3,
selector: {
matchLabels: {
app: "frontend",
},
},
template: {
metadata: {
labels: {
app: "frontend",
},
},
spec: {
containers: [{
name: "nginx",
image: "nginx:1.14.2",
}],
},
},
},
});
// Define the second deployment with label 'app: backend'
const backend = new kubernetes.apps.v1.Deployment("backend", {
metadata: {
name: "backend",
namespace: example.metadata.apply(metadata => metadata.name),
labels: {
app: "backend",
},
},
spec: {
replicas: 3,
selector: {
matchLabels: {
app: "backend",
},
},
template: {
metadata: {
labels: {
app: "backend",
},
},
spec: {
containers: [{
name: "nginx",
image: "nginx:1.14.2",
}],
},
},
},
});
// Define the NetworkPolicy to restrict communication
const networkPolicy = new kubernetes.networking.v1.NetworkPolicy("network_policy", {
metadata: {
name: "allow-frontend-to-backend",
namespace: example.metadata.apply(metadata => metadata.name),
},
spec: {
podSelector: {
matchLabels: {
app: "backend",
},
},
policyTypes: ["Ingress"],
ingress: [{
from: [{
podSelector: {
matchLabels: {
app: "frontend",
},
},
}],
}],
},
});
export const namespaceName = example.metadata.apply(metadata => metadata.name);
export const frontendDeploymentName = frontend.metadata.apply(metadata => metadata.name);
export const backendDeploymentName = backend.metadata.apply(metadata => metadata.name);
export const networkPolicyName = networkPolicy.metadata.apply(metadata => metadata.name);
Conclusion
In this example, we have demonstrated how to use Kubernetes NetworkPolicies to restrict communication between pods based on labels. This setup ensures that only pods with the ‘frontend’ label can communicate with pods labeled ‘backend’, thereby enhancing the security of your microservices architecture. Network policies are a powerful tool for defining security constraints within your Kubernetes clusters.
Deploy this code
Want to deploy this code? Sign up for a free Pulumi account to deploy in a few clicks.
Sign upNew to Pulumi?
Want to deploy this code? Sign up with Pulumi to deploy in a few clicks.
Sign upThank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.