
Kubernetes NetworkPolicy

Kubernetes NetworkPolicy is a specification that defines how groups of pods are allowed to communicate with each other and other network endpoints.^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md] It operates by controlling the traffic flow at the IP address or port level (OSI layer 3 or 4), serving as a security mechanism to isolate resources and restrict network access within a cluster.^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]

Configuration

NetworkPolicies are typically configured using the networking.k8s.io/v1 API version^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. In the context of Helm charts and application deployment (such as Jenkins), the creation of these resources is often conditional and managed via values.

  • Enabling Policies: The creation of NetworkPolicy resources is generally controlled by a flag (e.g., networkPolicy.enabled), which is often set to false by default^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].
  • Traffic Direction: Policies are categorized by the direction of traffic relative to the pods they select: ingress (incoming) and egress (outgoing).

Traffic Rules

NetworkPolicy rules define the traffic that is allowed to reach or leave the selected pods based on specific criteria; once a pod is selected by a policy, traffic in the covered direction that matches no rule is denied.

Internal Agents

Policies can be configured to manage connections from agents within the same cluster^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].

  • Allowed: Controls whether internal agents are permitted to connect to the controller^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].
  • Pod Labels: Filters agent pods based on a map of labels (keys/values) that must be present for the connection to be allowed^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].
  • Namespace Labels: Filters agents based on the labels of the namespace they reside in^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].

External Agents

Policies also govern access from entities outside the cluster^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].

  • IP CIDR: Defines the specific IP range (CIDR block) from which external agents are allowed to connect^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].
  • Exceptions: Maintains a list of IP sub-ranges that are explicitly excluded from the allowed IP range^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].
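The internal-agent and external-agent rules above, together with the networkPolicy.enabled flag from the Configuration section, as an added Python example that is not part of the original page or of the Helm chart it summarizes. It renders a NetworkPolicy manifest from values in the shape the page describes and then evaluates sample peers against it, to show how the selectors combine: separate `from` entries are OR'd, a podSelector and a namespaceSelector inside one entry are AND'd, and an ipBlock's `except` list carves sub-ranges out of its CIDR. The value keys below networkPolicy.enabled, the controller labels and the agent port are assumptions, not the chart's real schema.

```python
import ipaddress

# Constructed sample values in the shape the page describes. Every key below
# networkPolicy.enabled is an assumed layout, not the chart's real schema.
VALUES = {
    "networkPolicy": {
        "enabled": True,
        "internalAgents": {
            "allowed": True,
            "podLabels": {"jenkins/agent": "true"},
            "namespaceLabels": {"team": "ci"},
        },
        "externalAgents": {
            "ipCIDR": "10.20.0.0/16",
            "except": ["10.20.99.0/24"],
        },
    }
}

# Assumed labels and inbound agent port of the controller pod being protected.
CONTROLLER_LABELS = {"app.kubernetes.io/component": "jenkins-controller"}
AGENT_PORT = 50000


def render_policy(values, namespace="ci"):
    """Build the NetworkPolicy manifest (as a dict) from Helm-style values.
    Returns None when networkPolicy.enabled is false, like a conditional template."""
    np_values = values.get("networkPolicy", {})
    if not np_values.get("enabled", False):
        return None

    peers = []
    internal = np_values.get("internalAgents", {})
    if internal.get("allowed", False):
        peer = {}
        if internal.get("podLabels"):
            peer["podSelector"] = {"matchLabels": dict(internal["podLabels"])}
        if internal.get("namespaceLabels"):
            peer["namespaceSelector"] = {"matchLabels": dict(internal["namespaceLabels"])}
        # Both selectors in ONE 'from' entry are AND'd: the agent pod must carry the
        # pod labels AND live in a namespace carrying the namespace labels.
        peers.append(peer or {"podSelector": {}})  # empty selector = any pod in this namespace

    external = np_values.get("externalAgents", {})
    if external.get("ipCIDR"):
        block = {"cidr": external["ipCIDR"]}
        if external.get("except"):
            block["except"] = list(external["except"])  # sub-ranges carved out of the CIDR
        peers.append({"ipBlock": block})

    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "jenkins-controller-agent-ingress", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": dict(CONTROLLER_LABELS)},
            "policyTypes": ["Ingress"],  # ingress only; egress stays unrestricted
            "ingress": [{
                "from": peers,  # separate entries are OR'd
                "ports": [{"protocol": "TCP", "port": AGENT_PORT}],
            }],
        },
    }


def _labels_match(selector, labels):
    """matchLabels semantics: every key/value of the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_allowed(policy, *, port=AGENT_PORT, ip=None,
                 pod_labels=None, namespace=None, namespace_labels=None):
    """Decide whether a connection to `port` from the described peer is admitted.
    Pass `ip` for an external peer, or `pod_labels` + `namespace` (+ `namespace_labels`)
    for an in-cluster pod. Any rule / any 'from' entry may match (OR); inside an entry
    both selectors must match (AND); an ipBlock is its cidr minus its except ranges.
    Traffic matching nothing is denied."""
    policy_ns = policy["metadata"]["namespace"]
    for rule in policy["spec"].get("ingress", []):
        if not any(p.get("port") == port for p in rule.get("ports", [])):
            continue
        for peer in rule.get("from", []):
            if ip is not None:
                if "ipBlock" not in peer:
                    continue
                addr = ipaddress.ip_address(ip)
                blk = peer["ipBlock"]
                in_cidr = addr in ipaddress.ip_network(blk["cidr"])
                excluded = any(addr in ipaddress.ip_network(e) for e in blk.get("except", []))
                if in_cidr and not excluded:
                    return True
                continue
            if "ipBlock" in peer:
                continue  # an ipBlock is only ever evaluated against a source IP
            if "namespaceSelector" in peer:
                ns_ok = _labels_match(peer["namespaceSelector"], namespace_labels or {})
            else:
                ns_ok = namespace == policy_ns  # podSelector alone = the policy's own namespace
            pod_ok = _labels_match(peer.get("podSelector", {}), pod_labels or {})
            if ns_ok and pod_ok:
                return True
    return False
```

render_policy(VALUES) returns the manifest as a dict (serialize it with json or PyYAML before applying it), and peer_allowed() answers whether a given agent pod or source IP would be admitted. Two practical checks follow from the code: the API server rejects an except entry that does not fall inside its cidr, and a pod that no policy selects stays non-isolated, so the controller is only protected once this resource exists and the cluster's CNI plugin actually enforces NetworkPolicy.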

Sources

  • 400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md