I'm curious about how network policies work within scalable applications using Kubernetes as a service. Specifically, I have a few questions: 1. What are some real-world scenarios where network policy objects are applied? 2. Are network policies limited to managing ingress and egress within a single cluster, or can they also configure settings between multiple clusters? 3. Do we still need network policies in the cloud, or can network security groups handle all security issues?
4 Answers
Think of network policies as a firewall: you typically want to deny all traffic by default and then whitelist only the traffic that's necessary. This approach is consistent with good firewall practices.
When considering security in a cloud environment, there are other security measures aside from network policies that might work for your needs. Network policies target pod-level communication specifically, unlike cloud network security groups that function at a broader infrastructure level.
From what I know, network policies function solely within a single cluster. Their main goal is to whitelist or blacklist traffic between Kubernetes pods. While Kubernetes allows all pods to communicate by default, this can get out of hand as clusters grow, so it's crucial to restrict unnecessary access.
Network policies mainly manage traffic between pods and services, even across different namespaces. They are implemented for both ingress and egress. I wrote a blog on this topic if you're interested; it lays out some practical examples.
Should I start by setting a 'deny all' policy and then open it up as needed?