
Examples

The following contains example YAMLs for all of the resources which make up the Network Policy API.

Sample AdminNetworkPolicy and BaselineAdminNetworkPolicy Resources

These examples will start with the object YAML definitions used to implement the core use cases. Please feel free to contribute more examples that may seem relevant to other users :-).

Sample Spec for Story 1: Deny traffic at a cluster level


apiVersion: policy.networking.k8s.io/v1alpha2
kind: ClusterNetworkPolicy
metadata:
  name: cluster-wide-deny-example
spec:
  tier: Admin
  priority: 10
  subject:
    namespaces:
      matchLabels:
        kubernetes.io/metadata.name: sensitive-ns
  ingress:
    - action: Deny
      from:
      - namespaces:
          matchLabels: {} # Match all namespaces.
      name: select-all-deny-all

Sample Spec for Story 2: Allow traffic at a cluster level


apiVersion: policy.networking.k8s.io/v1alpha2
kind: ClusterNetworkPolicy
metadata:
  name: cluster-wide-allow-example
spec:
  tier: Admin
  priority: 30
  subject:
    namespaces: {}
  ingress:
    - action: Accept
      name: allow-monitoring-ns-ingress
      from:
      - namespaces:
          matchLabels:
            kubernetes.io/metadata.name: monitoring-ns
  egress:
  - action: Accept
    name: allow-kube-dns-egress
    to:
    - pods:
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            app: kube-dns

Sample Spec for Story 3: Explicitly Delegate traffic to existing K8s Network Policy


apiVersion: policy.networking.k8s.io/v1alpha2
kind: ClusterNetworkPolicy
metadata:
  name: pub-svc-delegate-example
spec:
  tier: Admin
  priority: 20
  subject:
    namespaces: {}
  egress:
  - action: Pass # to be handled by NetworkPolicy.
    to:
    - pods:
        namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: bar-ns-1
        podSelector:
          matchLabels:
            app: svc-pub
    ports:
    - portNumber:
        protocol: TCP
        port: 8080

Sample Spec for Story 4: Create and Isolate multiple tenants in a cluster


apiVersion: policy.networking.k8s.io/v1alpha2
kind: ClusterNetworkPolicy
metadata:
  name: tenant-creation-example
spec:
  tier: Admin
  priority: 50
  subject:
    namespaces:
      matchExpressions: [{key: "tenant", operator: Exists}] # A list of requirements, comma-separated in flow style.
  ingress:
    - action: Deny
      from:
      - namespaces:
          # This user story is currently not implementable.
          # See https://network-policy-api.sigs.k8s.io/npeps/npep-122/ for more details.

This can also be expressed in the following way:

apiVersion: policy.networking.k8s.io/v1alpha2
kind: ClusterNetworkPolicy
metadata:
  name: tenant-creation-example
spec:
  tier: Admin
  priority: 50
  subject:
    namespaces:
      matchExpressions: [{key: "tenant", operator: Exists}] # A list of requirements, comma-separated in flow style.
  ingress:
    - action: Pass # Pass inter-tenant traffic to any defined NetworkPolicies
      from:
      - namespaces:
          # This user story is currently not implementable.
          # See https://network-policy-api.sigs.k8s.io/npeps/npep-122/ for more details.
    - action: Deny   # Deny everything else other than same tenant traffic
      from:
      - namespaces: {}

Sample Spec for Story 5: Cluster Wide Default Guardrails


apiVersion: policy.networking.k8s.io/v1alpha2
kind: ClusterNetworkPolicy
metadata:
  name: default
spec:
  tier: Baseline
  priority: 10
  subject:
    namespaces: {}
  ingress:
    - action: Deny   # zero-trust cluster default security posture
      from:
      - namespaces: {}
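The stories above only make sense together: an Admin-tier rule with a lower priority number is evaluated before one with a higher number, Pass hands the decision to NetworkPolicy and then to the Baseline tier, and the Story 5 Baseline policy catches whatever nothing else decided. The following toy evaluator is an added example, not code from the Network Policy API project; it models only the namespace-label subset used on this page (no pod selectors or ports), takes the Story 1, Story 2 and Story 5 ingress rules as constructed Python dicts, and adds one constructed Pass policy (`pass-to-netpol-example`, not on this page) to exercise the delegation path that Story 3 relies on.

```python
# Toy precedence evaluator for the ClusterNetworkPolicy examples on this page.
# Added example, not code from the Network Policy API project. It models only
# what those examples use: namespace matchLabels on subject and peer, Admin and
# Baseline tiers, lower priority number evaluated first, first matching rule
# wins, and Pass defers to NetworkPolicy and then to the Baseline tier.

NAME = "kubernetes.io/metadata.name"

# Constructed from Story 1, the Story 2 ingress rule and Story 5 above, plus one
# constructed Admin Pass policy (same idea as Story 3, at namespace granularity).
POLICIES = [
    {"name": "cluster-wide-deny-example", "tier": "Admin", "priority": 10,
     "subject": {NAME: "sensitive-ns"}, "ingress": [{"action": "Deny", "from": {}}]},
    {"name": "pass-to-netpol-example", "tier": "Admin", "priority": 20,  # constructed
     "subject": {NAME: "bar-ns-1"}, "ingress": [{"action": "Pass", "from": {}}]},
    {"name": "cluster-wide-allow-example", "tier": "Admin", "priority": 30,
     "subject": {}, "ingress": [{"action": "Accept", "from": {NAME: "monitoring-ns"}}]},
    {"name": "default", "tier": "Baseline", "priority": 10,
     "subject": {}, "ingress": [{"action": "Deny", "from": {}}]},
]


def selects(selector, labels):
    """matchLabels semantics: an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


def tier_verdict(tier, dst_ns, src_ns):
    """First matching rule in the tier, policies ordered by ascending priority."""
    for pol in sorted((p for p in POLICIES if p["tier"] == tier),
                      key=lambda p: p["priority"]):
        if not selects(pol["subject"], dst_ns):
            continue
        for rule in pol["ingress"]:
            if selects(rule["from"], src_ns):
                return rule["action"], pol["name"]
    return None, None


def ingress_verdict(dst_ns, src_ns, netpol=None):
    """Verdict for traffic into dst_ns from src_ns (namespace label dicts).
    netpol is None when no NetworkPolicy selects the destination pod,
    otherwise True/False for whether that NetworkPolicy allows the traffic."""
    action, name = tier_verdict("Admin", dst_ns, src_ns)
    if action in ("Accept", "Deny"):
        return action, name
    if netpol is not None:                    # Pass, or no Admin rule matched
        return ("Accept" if netpol else "Deny"), "NetworkPolicy"
    action, name = tier_verdict("Baseline", dst_ns, src_ns)
    return (action, name) if action else ("Accept", "no policy matched")
```

With these inputs, traffic from monitoring-ns into sensitive-ns is denied by Story 1 even though Story 2 would accept it, because priority 10 is evaluated before priority 30; traffic into a namespace no Admin rule decides falls through to the Story 5 Baseline deny.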