Skip to content

Adds egress netpol docs #92159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Adds egress netpol docs #92159

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions _topic_maps/_topic_map.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1479,6 +1479,8 @@ Topics:
File: default-network-policy
- Name: Configuring multitenant isolation with network policy
File: multitenant-network-policy
- Name: Configuring full multitenant isolation with ingress and egress network policies
File: nw-networkpolicy-full-multitenant-isolation
- Name: Audit logging for network security
File: logging-network-security
- Name: Egress Firewall
Expand Down
107 changes: 107 additions & 0 deletions modules/nw-networkpolicy-allow-internet.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
// Module included in the following assemblies:
//
// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc

:_mod-docs-content-type: PROCEDURE
[id="nw-networkpolicy-allow-ingress_{context}"]
= Creating an allow ingress access network policy

With the `deny-by-default` network policy in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `ingress-access` network policy. With this network policy, pods with the `networking/allow-ingress-access=true` label can receive network traffic.
Copy link

@asood-rh asood-rh Jun 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
With the `deny-by-default` network policy in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `ingress-access` network policy. With this network policy, pods with the `networking/allow-ingress-access=true` label can receive network traffic.
With the `deny-by-default` network policy, that denies both ingress and egress traffic, in place, no pods can talk to each other or receive traffic from external sources. One option to enable communication is to allow some pods to receive traffic. To do so, you can create the following `ingress-access` network policy. With this network policy, pods with the `networking/allow-ingress-access=true` label can receive network traffic.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stevsmit If it is both ingress or egress pod traffic, it has to be default deny ingress and egress.
If it is about ingress then it should just refer to incoming traffic.


.Prerequisites

* You have created the `deny-by-default` network policy and applied it to the necessary namespaces.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* You have created the `deny-by-default` network policy and applied it to the necessary namespaces.
* You have created the `deny-by-default` network policy and applied it to the necessary namespaces. The policy denies ingress traffic to pods in the project.


.Procedure

. Create the following `ingress-access` network policy to allow pods with the `networking/allow-ingress-access` label to receive traffic from outside sources. Save the YAML in the `ingress-access.yaml` file:
+
[source,yaml]
----
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-access
spec:
podSelector:
matchLabels:
networking/allow-ingress-access: "true" <1>
policyTypes:
- Ingress
ingress:
- {}
----
<1> Apply this label to pods to enable the pod to receive traffic from outside sources.
Copy link

@asood-rh asood-rh Jun 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<1> Apply this label to pods to enable the pod to receive traffic from outside sources.
<1> Apply this label to pods to enable the pods to receive traffic from outside sources.


. Apply the network policy to the `project-a` namespace by entering the following command:
+
[source,terminal]
----
$ oc apply -f ingress-access.yaml -n project-a
----

. Apply the network policy to the `project-b` namespace by entering the following command:
+
[source,terminal]
----
$ oc apply -f ingress-access.yaml -n project-b
----

. Apply the `networking/allow-ingress-access=true` label to pods that must receive outside traffic by entering the following command:
+
[source,terminal]
----
$ oc label pod busybox-pod-a networking/allow-ingress-access=true -n project-a
----
+
Repeat this step for all pods that must receive outside traffic.

.Verification

. Obtain the IP addresses of pods in `project-a` by running the following command:
+
[source,terminal]
----
$ oc get pod -n project-a -o wide
----
+
.Example output
+
[source,terminal]
----
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
busybox-pod-a 1/1 Running 0 13m 10.132.0.38 ip-10-0-132-187.ec2.internal <none> <none>
test-pod-a 1/1 Running 0 13m 10.132.0.40 ip-10-0-132-187.ec2.internal <none> <none>
----

. Ensure that pods with the `networking/allow-ingress-access=true` label can receive traffic by entering the following command. If you followed these instructions, the `busybox-pod-a` pod in `project-a` can receive traffic from another pod. For example:
+
[source,terminal]
----
$ oc exec -it test-pod-b -n project-b -- ping 10.132.0.44
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$ oc exec -it test-pod-b -n project-b -- ping 10.132.0.44
$ oc exec -it test-pod-b -n project-b -- ping -c 2 10.132.0.44

You could just say send 2 ICMP packets

----
+
.Example output
+
[source,terminal]
----
PING 10.132.0.44 (10.132.0.44): 56 data bytes
64 bytes from 10.132.0.44: seq=0 ttl=42 time=1.137 ms
64 bytes from 10.132.0.44: seq=1 ttl=42 time=0.672 ms
----

. Ensure that pods without the `networking/allow-ingress-access=true` label cannot receive traffic by entering the following command. If you followed these instructions, the `test-pod-a` pod in `project-a` cannot receive traffic. For example:
+
[source,terminal]
----
$ oc exec -it busybox-pod-a -n project-a -- ping 10.132.0.40
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$ oc exec -it busybox-pod-a -n project-a -- ping 10.132.0.40
$ oc exec -it busybox-pod-a -n project-a -- ping -c 2 10.132.0.40

This would ensure user does not have to issue Ctl C to stop sending ICMP packets

----
+
.Example output
+
[source,terminal]
----
PING 10.132.0.40 (10.132.0.40): 56 data bytes
--- 10.132.0.40 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
----
171 changes: 171 additions & 0 deletions modules/nw-networkpolicy-configuring-ingress-new-deployment.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,171 @@
// Module included in the following assemblies:
//
// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc

:_mod-docs-content-type: REFERENCE
[id="nw-networkpolicy-ingress-new-deployments_{context}"]
= Creating a network policy for new projects

After you have created a network policy that defines specific connections, new pods within a project are unable to communicate with existing pods in the same project, until the proper network policy has been applied to that pod. To address this behavior, you can create the following `allow-ingress-from-new` and `allow-ingress-to-new` network policies in a project, which allows new pods with the `networking/allow-all-connections=true` label to communicate with existing pods until more granular policies are created.

.Prerequisites

* You have created the `deny-by-default` network policy and applied it to a project.

.Procedure

. Create a new project, for example, `project-c`, by running the following command:
+
[source,terminal]
----
$ oc new-project project-c
----

. In the `project-c` namespace, create a new pod by running the following command:
+
[source,terminal]
----
$ cat <<EOF | oc apply -f - -n project-c
apiVersion: v1
kind: Pod
metadata:
name: busybox-pod
labels:
app: busybox
spec:
containers:
- name: busybox
image: alpine:latest
command: [ "sleep", "3600" ]
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
seccompProfile:
type: "RuntimeDefault"
EOF
----

. In the `project-a` namespace:

.. Create the following `allow-ingress-from-new` network policy, which allows pods in this project the ability to receive ingress from a new project:
+
[source,yaml]
----
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-new
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
networking/allow-all-connections: "true"
----
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the intent is to allow the ingress from new project-c then the policy needs to be as below in project-a

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-new
spec:
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          networking/allow-all-connections: "true"
  podSelector: {}
  policyTypes:
  - Ingress


.. Apply the network policy by entering the following command:
+
[source,terminal]
----
$ oc apply -f allow-ingress-from-new.yaml -n project-a
----

.. Create the following `allow-ingress-to-new` network policy, which allows pods in this project the ability to send ingress to a new project:
+
[source,yaml]
----
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-to-new
spec:
podSelector:
matchLabels:
networking/allow-all-connections: "true"
policyTypes:
- Ingress
ingress:
- from:
- podSelector: {}
----
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above for cross project ingress traffic


.. Apply the network policy by entering the following command:
+
[source,terminal]
----
$ oc apply -f allow-ingress-tp-new.yaml -n project-a
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$ oc apply -f allow-ingress-tp-new.yaml -n project-a
$ oc apply -f allow-ingress-to-new.yaml -n project-a

----

.. Apply the `networking/allow-all-connections=true` to pods in `project-a` that you want to be able to communicate with pods in `project-c` by running the following command:
+
[source,terminal]
----
$ oc label pod <pod_name> networking/allow-all-connections=true -n project-a
----

. In the `project-c` namespace:

.. Create the following `allow-ingress-from-new` network policy, which allows pods in this project the ability to receive ingress from a new project:
+
[source,yaml]
----
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-new
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
networking/allow-all-connections: "true"
----

.. Apply the network policy by entering the following command:
+
[source,terminal]
----
$ oc apply -f allow-ingress-from-new.yaml -n project-c
----

.. Create the following `allow-ingress-to-new` network policy, which allows pods in this project the ability to send ingress to a new project:
+
[source,yaml]
----
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-to-new
spec:
podSelector:
matchLabels:
networking/allow-all-connections: "true"
policyTypes:
- Ingress
ingress:
- from:
- podSelector: {}
----

.. Apply the network policy by entering the following command:
+
[source,terminal]
----
$ oc apply -f allow-ingress-tp-new.yaml -n project-c
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$ oc apply -f allow-ingress-tp-new.yaml -n project-c
$ oc apply -f allow-ingress-to-new.yaml -n project-c

----

.. Apply the `networking/allow-all-connections=true` to pods in `project-c` that you want to be able to communicate with pods in `project-a` by running the following command:
+
[source,terminal]
----
$ oc label pod busybox-pod networking/allow-all-connections=true -n project-c
----
75 changes: 75 additions & 0 deletions modules/nw-networkpolicy-configuring-internet-egress-pods.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
// Module included in the following assemblies:
//
// * networking/network_security/network_policy/nw-networkpolicy-full-multitenant-isolation.adoc

:_mod-docs-content-type: PROCEDURE
[id="nw-networkpolicy-configuring-internet-egress-pods_{context}"]
= Configuring internet egress for pods
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
= Configuring internet egress for pods
= Configuring external egress for pods


With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace need to reach external traffic.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace need to reach external traffic.
With the deny all egress network policy created in a namespace, pods within that namespace are made incapable of reaching _out_ to the internet. In most cases, at least some pods within a namespace need to reach external destinations.


The following procedure shows you how to designate labels to pods that require internet egress.

.Prerequisites

* You have created a network policy to deny all egress traffic.

.Procedure

. Create the following `internet-egress.yaml` file that both defines a network policy that allows traffic from pods with the matching label to access internet egress. For example:
+
[source,yaml]
----
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: internet-egress
spec:
podSelector:
matchLabels:
networking/allow-internet-egress: "true" <1>
egress:
- {}
policyTypes:
- Egress
----

. Apply the network policy to the `project-a` namespace by entering the following command:
+
[source,terminal]
----
$ oc apply -f internet-egress.yaml -n project-a
----

. Apply the network policy to the `project-b` namespace by entering the following command:
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do not need to add policy in project-b when demonstrating egress to external destination. Makes sense if egress to another namespace needs to be demonstrated

+
[source,terminal]
----
$ oc apply -f internet-egress.yaml -n project-b
----

. Apply the `networking/allow-internet-egress=true` label to pods that require egress by entering the following command:
+
[source,terminal]
----
$ oc label pod busybox-pod-a networking/allow-internet-egress=true -n project-a
----

.Verification

* Check whether a labeled pod in a namespace where you applied the `internet-egress.yaml` network policy can resolve a DNS name by entering the following command:
+
[source,terminal]
----
$ oc exec -it <pod_name> -n project-a -- nslookup google.com
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$ oc exec -it <pod_name> -n project-a -- nslookup google.com
$ oc exec -it busybox-pod-a -n project-a -- nslookup google.com

As the pod was labelled in previous step.
$ oc exec -it test-pod-a -n project-a -- nslookup google.com can be used to demonstrate egress traffic does not work if the pod does not have a required label.

----
+
.Example output
+
[source,terminal]
----
...
Name: google.com
Address: 142.250.125.102
...
----
Loading