Creating Network Policies

INFO

The platform now provides two different UIs for Network Policies. The old one is maintained for compatibility reasons, while the new one is more flexible and provides a native YAML editor. We recommend using the new version.

Please contact the platform administrator to enable the network-policy-next feature gate to access the new UI.

NetworkPolicy is a namespace-scoped Kubernetes resource that is implemented by CNI plugins (a CNI plugin that does not support network policies will accept the resource but not enforce it). Network policies let you control the network traffic of Pods, isolating workloads and reducing the risk of attacks.

By default, all Pods can communicate freely, accepting ingress and sending egress traffic to and from any source. Once a NetworkPolicy selects a Pod, that Pod only accepts (for Ingress) or sends (for Egress) traffic that is allowed by at least one rule of the policies selecting it, for the directions listed in policyTypes.

WARNING

Network policies only apply to container traffic. They don’t affect Pods running in hostNetwork mode.

Example NetworkPolicy:

# example-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example
  namespace: demo-1
  annotations:
    cpaas.io/display-name: test
spec:
  podSelector:
    matchLabels:
      pod-template-hash: 55c84b59bb
  ingress:
    - ports:
        - protocol: TCP
          port: 8989
      from:
        - podSelector:
            matchLabels:
              kubevirt.io/vm: test
  egress:
    - ports:
        - protocol: TCP
          port: 80
      to:
        - ipBlock:
            cidr: 192.168.66.221/23
            except: []
  policyTypes:
    - Ingress
    - Egress
Note: from and to peers support namespaceSelector, podSelector, and ipBlock.

Creating NetworkPolicy by using the web console

  1. Enter Container Platform.

  2. In the left navigation bar, click Network > Network Policies.

  3. Click Create Network Policy.

  4. Refer to the following instructions to complete the relevant configuration.

     Area: Target Pod

       Pod Selector
         Enter the labels of the target Pods in key-value form; if not set, the policy applies to all Pods in the current namespace.

       Preview of Target Pods Affected by Current Policy
         Click Preview to see the target Pods affected by this network policy.

     Area: Ingress

       Block all ingress traffic
         Block all ingress traffic to the target Pod.
         Note:
           • If Ingress is added to the spec.policyTypes field in YAML without configuring specific rules, the Block all ingress traffic option will automatically be checked when switching back to the form.
           • If the spec.ingress, spec.egress, and spec.policyTypes fields are all deleted in YAML, the Block all ingress traffic option will automatically be checked when switching back to the form.

       Rules
         If multiple sources are added in the rules, there is a logical OR relationship between them.

         Pods in Current Namespace
           Match Pods with the specified labels in the current namespace; only matched Pods can access the target Pod. You can click Preview to see the Pods affected by the current rule. If this item is not configured, all Pods in the current namespace are allowed to access the target Pod by default.

         Pods in Current Cluster
           Match namespaces or Pods with the specified labels in the cluster; only matched Pods can access the target Pod. You can click Preview to see the Pods affected by the current rule.
           • If both namespace and Pod selectors are configured, the intersection of the two is taken: Pods with the specified labels are selected from the specified namespaces only.
           • If this item is not configured, all Pods from all namespaces in the cluster can access the target Pod by default.

         IP Range
           Enter the CIDR that can access the target Pod; CIDR ranges that are not allowed to access the target Pod can be excluded. If this item is not configured, traffic from any IP address can access the target Pod.
           Description: add an exclusion item of the form <IP address>/32 to exclude a single IP address.

         Port
           Match traffic on the specified protocols and ports; numeric ports or port names defined on the Pods can be added. If this item is not configured, all ports are matched.

     Area: Egress

       Block all egress traffic
         Block all egress traffic from the target Pod.
         Note:
           • If Egress is added to the spec.policyTypes field in YAML without configuring specific rules, the Block all egress traffic option will automatically be checked when switching back to the form.

       Other Parameters
         Similar to the Ingress parameters; not elaborated on here.
  5. Click Create.
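To make the rule semantics described above concrete (rules are ORed, namespaceSelector and podSelector are intersected, a podSelector alone is scoped to the policy's namespace, an unset port or peer list matches everything, and an unset policyTypes defaults to Ingress plus Egress only when egress rules exist), here is an added Python evaluator that is not part of the platform or its documentation. The policy dict mirrors example-network-policy.yaml with one constructed except entry, and the peer dicts (namespace, labels, namespace labels, IP) are constructed sample data.

```python
import ipaddress

# Constructed sample: the policy from example-network-policy.yaml above, with one
# constructed 'except' entry added to the egress ipBlock so that path is exercised.
POLICY = {
    "namespace": "demo-1",
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"ports": [{"protocol": "TCP", "port": 8989}],
                 "from": [{"podSelector": {"matchLabels": {"kubevirt.io/vm": "test"}}}]}],
    "egress": [{"ports": [{"protocol": "TCP", "port": 80}],
                "to": [{"ipBlock": {"cidr": "192.168.66.221/23", "except": ["192.168.66.1/32"]}}]}],
}

def selector_matches(selector, labels):
    # matchLabels: every listed key must be present with exactly that value.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def in_block(ip, block):
    # ipBlock: inside the CIDR and not inside any 'except' entry.
    nets = [ipaddress.ip_network(c, strict=False) for c in [block["cidr"]] + block.get("except", [])]
    return ip in nets[0] and not any(ip in n for n in nets[1:])

def peer_matches(spec, other, policy_ns):
    # One from/to item: namespaceSelector AND podSelector; podSelector alone means the policy's own namespace.
    if "ipBlock" in spec:
        return in_block(ipaddress.ip_address(other["ip"]), spec["ipBlock"])
    if "namespaceSelector" in spec:
        if not selector_matches(spec["namespaceSelector"], other["ns_labels"]):
            return False
    elif other["namespace"] != policy_ns:
        return False
    return selector_matches(spec.get("podSelector", {}), other["labels"])

def port_matches(ports, protocol, port):
    return any(p.get("protocol", "TCP") == protocol and p["port"] == port for p in ports)

def traffic_allowed(policy, direction, other, protocol, port):
    # direction is "Ingress" or "Egress". Allowed when the policy does not cover that
    # direction, or when ANY rule matches (OR). No ports = any port; no from/to = any peer.
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    types = policy.get("policyTypes") or ["Ingress"] + (["Egress"] if policy.get("egress") else [])
    if direction not in types:  # unset policyTypes: Ingress always, Egress only if egress rules exist
        return True
    for rule in policy.get(rules_key, []):
        if rule.get("ports") and not port_matches(rule["ports"], protocol, port):
            continue
        peers = rule.get(peers_key)
        if not peers or any(peer_matches(p, other, policy["namespace"]) for p in peers):
            return True
    return False
```

The evaluator models a single policy; in a cluster, traffic is allowed if any policy selecting the Pod allows it, so run it once per selecting policy and OR the results.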

Creating NetworkPolicy by using the CLI

kubectl apply -f example-network-policy.yaml

Reference

If you want more details, check out the official docs on Network Policies.