☸️Kubernetes Network Policies Labs

🚧 Under Construction!! Does not work with training environment due to missing CNI support.

🎯 Objective

Learn how to secure pod-to-pod communication using Kubernetes Network Policies.

🧰 Prerequisites

Kubernetes cluster (Minikube, kind, etc.)
kubectl configured
A CNI that supports NetworkPolicies (e.g., Calico, Cilium, or Weave)

Test for a suitable CNI

kubectl get pods -n kube-system -o wide | grep -E 'calico|cilium|weave|flannel'

Note: The Kubernetes inside Docker Desktop does not enforce Network Policies!

🔹 Lab 1: Set Up Test Environment in Current Namespace

Step 1: Create two deployments

kubectl run client --image=busybox --command -- sleep 3600
kubectl run nginx --image=nginx

✅ Two pods: client and nginx.

Step 2: Expose nginx as a service

kubectl expose pod nginx --port=80 --name=nginx-service

✅ Service: nginx-service.

🔹 Lab 2: Verify Open Communication

kubectl exec client -- wget --timeout=5 -qO- http://nginx-service

✅ Should return the nginx default HTML page.

🔹 Lab 3: Apply a Default-Deny Policy

# default-deny.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress

kubectl apply -f default-deny.yaml

✅ All ingress traffic is now blocked in the current namespace.

🔹 Lab 4: Allow Traffic to Nginx Only from Client Pod

# allow-client.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-client
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: client

kubectl apply -f allow-client.yaml

✅ Only client can now reach nginx.

🔹 Lab 5: Test Access Again

kubectl exec client -- wget --timeout=5 -qO- http://nginx-service

✅ Should work.

Test from another pod:

kubectl run tester --image=busybox --command -- sleep 3600
kubectl exec client -- wget --timeout=5 -qO- http://nginx-service

❌ Should fail due to policy.

🔹 Lab 6: Clean Up

kubectl delete pod client nginx tester
kubectl delete networkpolicy deny-all allow-client

✅ Wrap-Up

✅ Created a default-deny NetworkPolicy
✅ Allowed access to a pod from a specific source
✅ Verified restricted and allowed traffic
✅ Practiced Kubernetes network security in the default namespace

PreviousKubernetes Pod Security Admission Labs NextKubernetes Static Security Testing Labs

Last updated 10 months ago

hashtag🎯 Objective

hashtag🧰 Prerequisites

hashtagTest for a suitable CNI

hashtag🔹 Lab 1: Set Up Test Environment in Current Namespace

hashtagStep 1: Create two deployments

hashtagStep 2: Expose nginx as a service

hashtag🔹 Lab 2: Verify Open Communication

hashtag🔹 Lab 3: Apply a Default-Deny Policy

hashtag🔹 Lab 4: Allow Traffic to Nginx Only from Client Pod

hashtag🔹 Lab 5: Test Access Again

hashtag🔹 Lab 6: Clean Up

hashtag✅ Wrap-Up