deny-all-non-whitelisted-traffic-from-the-namespace
# DENY all non-whitelisted traffic from a namespace
💡 Use Case: This is a fundamental policy, blocking all outgoing (egress) traffic from a namespace by default (including DNS resolution). After deploying this, you can deploy Network Policies that allow the specific outgoing traffic.
Consider applying this manifest to any namespace you deploy workloads to
(except kube-system
).
💡 Best Practice: This policy will give you a default "deny all" functionality. This way, you can clearly identify which components have dependency on which components and deploy Network Policies which can be translated to dependency graphs between components.
# Manifest
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: default-deny-all-egress
namespace: default
spec:
policyTypes:
- Egress
podSelector: {}
egress: []
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
Note a few things about this manifest:
namespace: default
deploy this policy to thedefault
namespace.podSelector:
is empty, this means it will match all the pods. Therefore, the policy will be enforced to ALL pods in thedefault
namespace.- List of
egress
rules is an empty array: This causes all traffic (including DNS resolution) to be dropped if it’s originating from Pods indefault
.
Save this manifest to default-deny-all-egress.yaml
and apply:
$ kubectl apply -f default-deny-all-egress.yaml
networkpolicy "default-deny-all-egress" created
1
2
2
# Cleanup
kubectl delete networkpolicy default-deny-all-egress
上次更新: 2024/02/26, 10:14:04