    lyndon
    2024-02-26

    allow-external-traffic

    # ALLOW traffic from external clients

    This Network Policy lets external clients reach the pod from the public Internet, either directly or via a Load Balancer.

    Use Cases:

    • You need to expose the pods to the public Internet in a namespace denying all non-whitelisted traffic

    Diagram of ALLOW traffic from external clients policy

    # Example

    Run a web server and expose it to the internet with a Load Balancer:

    kubectl run web --image=nginx --labels="app=web" --port=80
    
    kubectl expose pod/web --type=LoadBalancer
    

    Wait until an EXTERNAL-IP appears in the kubectl get service output. Visit http://[EXTERNAL-IP] in your browser and verify that it is accessible.

    The following manifest allows traffic from all sources (both internal to the cluster and external). Save it to web-allow-external.yaml and apply it to the cluster:

    kind: NetworkPolicy
    apiVersion: networking.k8s.io/v1
    metadata:
      name: web-allow-external
    spec:
      podSelector:
        matchLabels:
          app: web
      ingress:
      - {}
    
    $ kubectl apply -f web-allow-external.yaml
    networkpolicy "web-allow-external" created
    

    Visit http://[EXTERNAL-IP] in your browser again and verify that it still works.

    # Remarks

    This manifest specifies one ingress rule for the app=web pods. Because the rule does not specify a particular podSelector or namespaceSelector, it allows traffic from all sources, including external clients.

    To restrict external access only to port 80, you can deploy an ingress rule such as:

      ingress:
      - ports:
        - port: 80
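
A check for the exposure described in these remarks, as an added example that is not part of the original recipe: it scans the JSON from `kubectl get networkpolicy -A -o json` for ingress rules with no `from` peers and reports whether each is open on all ports or only on listed ones. The policy list is a constructed sample; `web-allow-external-80`, `api-allow-frontend` and `default-deny` are hypothetical names.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get networkpolicy -A -o json`.
# Only web-allow-external comes from this page; the other names are hypothetical.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web-allow-external"},
   "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "ingress": [{}]}},
  {"metadata": {"namespace": "default", "name": "web-allow-external-80"},
   "spec": {"podSelector": {"matchLabels": {"app": "web"}},
            "ingress": [{"ports": [{"port": 80}]}]}},
  {"metadata": {"namespace": "default", "name": "api-allow-frontend"},
   "spec": {"podSelector": {"matchLabels": {"app": "api"}},
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}]}},
  {"metadata": {"namespace": "default", "name": "default-deny"},
   "spec": {"podSelector": {}, "ingress": []}}
]}
""")


def open_ingress_findings(policy_list):
    """Return (namespace, name, exposure) for every ingress rule without `from` peers."""
    findings = []
    for policy in policy_list.get("items", []):
        meta = policy.get("metadata", {})
        # A missing or empty `ingress` list contributes no allow rule, so nothing to report.
        for rule in policy.get("spec", {}).get("ingress") or []:
            if rule.get("from"):
                continue  # sources are limited to the listed peers
            ports = rule.get("ports") or []
            if ports:
                # `protocol` defaults to TCP; a port entry without `port` covers every port
                listed = ",".join(
                    f"{p.get('port', '*')}/{p.get('protocol', 'TCP')}" for p in ports)
                exposure = f"all sources, ports {listed}"
            else:
                exposure = "all sources, all ports"
            findings.append((meta.get("namespace", "default"), meta.get("name"), exposure))
    return findings


if __name__ == "__main__":
    # With a file argument, audit a saved policy dump; otherwise use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for namespace, name, exposure in open_ingress_findings(data):
        print(f"{namespace}/{name}: {exposure}")
```

A rule whose `from` lists an `ipBlock` of 0.0.0.0/0 is equally open to IPv4 sources and is not flagged by this check.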
    

    # Cleanup

    kubectl delete pod web
    kubectl delete service web
    kubectl delete networkpolicy web-allow-external
    
    Last updated: 2024/02/26, 10:14:04
    Theme by Vdoing | Copyright © 2015-2024 op81.com