AKS Network Policy: Locking Down Traffic

By default, every pod in a Kubernetes cluster can reach every other pod. That flat network is a security risk: if a frontend pod is compromised, the attacker can scan and connect to your database pod directly. Network Policies act as an internal firewall between pods.

Deny All Ingress

Start by blocking all inbound traffic to every pod in the namespace, then add explicit allow rules on top.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}        # empty selector: applies to every pod in this namespace
  policyTypes:
  - Ingress              # no ingress rules are listed, so all inbound traffic is denied

Allow Frontend to Backend

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
spec:
  podSelector:
    matchLabels:
      app: api           # the pods this policy protects
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend  # only pods with this label, in the same namespace
    ports:
    - port: 80           # and only on this port; other ports stay denied
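To see exactly what the two manifests above permit, here is an added example (not code from the original post) that models Kubernetes ingress-policy evaluation for a small constructed cluster. The policies are transcribed as Python dicts, the pod names, namespaces and labels are assumptions, and only podSelector peers are modelled (no namespaceSelector or ipBlock).

```python
# Minimal model of Kubernetes NetworkPolicy ingress evaluation (added example).
# Policies mirror the two manifests on the page; the "prod" namespace and the
# pods below are constructed for illustration. podSelector holds matchLabels.
DEFAULT_DENY = {"namespace": "prod", "podSelector": {}, "policyTypes": ["Ingress"],
                "ingress": []}
ALLOW_FRONTEND = {"namespace": "prod", "podSelector": {"app": "api"},
                  "policyTypes": ["Ingress"],
                  "ingress": [{"from": [{"podSelector": {"app": "frontend"}}],
                               "ports": [{"port": 80}]}]}
POLICIES = [DEFAULT_DENY, ALLOW_FRONTEND]

PODS = {  # name -> (namespace, labels); constructed sample cluster
    "frontend": ("prod", {"app": "frontend"}),
    "api": ("prod", {"app": "api"}),
    "db": ("prod", {"app": "db"}),
    "frontend-staging": ("staging", {"app": "frontend"}),
}

def selects(selector, labels):
    """A selector matches when every label in it is on the pod ({} matches all)."""
    return all(labels.get(k) == v for k, v in selector.items())

def rule_allows(rule, policy_ns, src_ns, src_labels, port):
    # Peers in "from" are OR'ed; a bare podSelector only matches pods living in
    # the policy's own namespace. An empty "from" means any source.
    peers = rule.get("from", [])
    peer_ok = not peers or any(
        src_ns == policy_ns and selects(p["podSelector"], src_labels)
        for p in peers if "podSelector" in p)
    ports = rule.get("ports", [])
    port_ok = not ports or any(p["port"] == port for p in ports)
    return peer_ok and port_ok  # within one rule, peers AND ports must match

def ingress_allowed(src, dst, port):
    src_ns, src_labels = PODS[src]
    dst_ns, dst_labels = PODS[dst]
    # Only policies in the destination's namespace that select it and cover Ingress apply.
    applicable = [p for p in POLICIES
                  if p["namespace"] == dst_ns and "Ingress" in p["policyTypes"]
                  and selects(p["podSelector"], dst_labels)]
    if not applicable:
        return True  # no policy selects the pod: Kubernetes default is allow-all
    # Across policies and rules the allow lists are OR'ed; anything else is denied.
    return any(rule_allows(r, p["namespace"], src_ns, src_labels, port)
               for p in applicable for r in p["ingress"])

if __name__ == "__main__":
    for s, d, prt in [("frontend", "api", 80), ("frontend", "api", 443),
                      ("db", "api", 80), ("frontend", "db", 5432),
                      ("frontend-staging", "api", 80), ("db", "frontend-staging", 80)]:
        print(f"{s} -> {d}:{prt}: {'ALLOW' if ingress_allowed(s, d, prt) else 'DENY'}")
```

The last two checks show the namespace scoping: a frontend in another namespace is not matched by the `from` selector, and a pod in a namespace without a default-deny policy remains reachable by everything.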

Key Takeaways

  • Network Policies are only enforced when the cluster has a policy engine enabled (Calico or Azure Network Policy) on top of its network plugin (Azure CNI or kubenet); without one, the manifests are accepted by the API server but nothing enforces them.
  • Policies are namespace-scoped: the default-deny above protects only the namespace it is created in, and a podSelector inside a from block matches only pods in that same namespace.
