Version: 0.7

Create Network Policies

A network policy lets you control traffic flow to your application at the port level. Kore can generate both an Ingress resource and a network policy for you through the Kore UI. To do that, see the instructions in Expose your Application via Ingress.

This topic gives instructions for manually creating and applying a network policy for your application. If you follow the steps in this topic, you must also create and apply an Ingress resource for your application.

For more information, see the Kubernetes documentation for:

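Kore's default network policy

By default, Kore deploys a default-denial-ingress network policy into each namespace. The empty podSelector selects every pod in the namespace, and because the policy lists no ingress rules, it forbids ingress traffic for any deployed applications: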

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-denial-ingress
  namespace: test
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Create a new network policy

To enable your application to receive traffic from the Ingress controllers that Kore manages, you must allow traffic from the kore-ingress namespace for the service port or ports your application is using.

In this example procedure, let's assume that your application:

  • is deployed into the namespace bob
  • has pods with label name=myapp
  • has a myappservice object that defines the 8443 https port

To create a new network policy:

  1. Create the following NetworkPolicy in a .yaml file.

    app_network_policy.yaml

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: myappservice-ingress
      namespace: bob
    spec:
      ingress:
      - ports:
        - protocol: TCP
          port: 8443
        from:
        - namespaceSelector:
            matchLabels:
              name: kore-ingress
      podSelector:
        matchLabels:
          name: "myapp"
      policyTypes:
      - Ingress

  2. Apply the network policy.

    $ kubectl -n bob apply -f app_network_policy.yaml
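
The following is an added example, not part of Kore or its documentation: a small offline evaluator that models how the default-denial-ingress policy and myappservice-ingress combine, so you can check which connections the pair admits. It assumes both policies are in namespace bob, that the kore-ingress namespace carries the label name=kore-ingress, and it models only matchLabels selectors (no ipBlock or matchExpressions).

```python
# Added example; namespace labels and sample connections are constructed assumptions.
DEFAULT_DENY = {"namespace": "bob", "podSelector": {}, "ingress": []}
MYAPP_INGRESS = {
    "namespace": "bob",
    "podSelector": {"matchLabels": {"name": "myapp"}},
    "ingress": [{
        "ports": [{"protocol": "TCP", "port": 8443}],
        "from": [{"namespaceSelector": {"matchLabels": {"name": "kore-ingress"}}}],
    }],
}
# Assumed labels on each namespace object (selectors match labels, not names).
NS_LABELS = {"kore-ingress": {"name": "kore-ingress"}, "bob": {"name": "bob"},
             "other": {"name": "other"}}


def matches(selector, labels):
    """An empty selector matches everything; only matchLabels is modelled."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_allows(peer, policy_ns, src_ns, src_labels, ns_labels):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    # A peer with only podSelector refers to pods in the policy's own namespace.
    ns_ok = (src_ns == policy_ns if ns_sel is None
             else matches(ns_sel, ns_labels.get(src_ns, {})))
    return ns_ok and (pod_sel is None or matches(pod_sel, src_labels))


def ingress_allowed(policies, dst_ns, dst_labels, src_ns, src_labels, port,
                    protocol="TCP", ns_labels=NS_LABELS):
    selecting = [p for p in policies if p["namespace"] == dst_ns
                 and matches(p["podSelector"], dst_labels)]
    if not selecting:
        return True  # no policy selects the pod, so it is not isolated
    for policy in selecting:
        for rule in policy["ingress"]:
            ports_ok = "ports" not in rule or any(
                p["port"] == port and p.get("protocol", "TCP") == protocol
                for p in rule["ports"])
            from_ok = "from" not in rule or any(
                peer_allows(peer, policy["namespace"], src_ns, src_labels, ns_labels)
                for peer in rule["from"])
            if ports_ok and from_ok:
                return True  # policies are additive: one matching rule is enough
    return False


if __name__ == "__main__":
    print(ingress_allowed([DEFAULT_DENY, MYAPP_INGRESS], "bob", {"name": "myapp"},
                          "kore-ingress", {}, 8443))
```

Because namespaceSelector matches labels rather than namespace names, confirm the label the policy relies on with kubectl get namespace kore-ingress --show-labels before depending on the rule.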