Best Practices of Red Hat to Isolate Your Pods
Fleeting - External reference: https://cloud.redhat.com/blog/guide-to-kubernetes-ingress-network-policies
a connection to or from a pod is allowed if it is permitted by at least one of the network policies that apply to the pod
— https://cloud.redhat.com/blog/guide-to-kubernetes-ingress-network-policies
if no network policies apply to a pod, then all network connections to and from it are permitted
— https://cloud.redhat.com/blog/guide-to-kubernetes-ingress-network-policies
we recommend you start by applying a “default-deny-all” network policy
— https://cloud.redhat.com/blog/guide-to-kubernetes-ingress-network-policies
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
— https://cloud.redhat.com/blog/guide-to-kubernetes-ingress-network-policies
Without such a policy, it is very easy to run into a scenario where you delete a network policy, hoping to forbid the connections listed in it, but find that the result is that all connections to some pods suddenly become permitted – including ones that weren’t allowed before. Such a scenario occurs when the network policy you deleted was the only one that applied to a particular pod, which means that the deletion of the network policy caused the pod to become “non-isolated”.
— https://cloud.redhat.com/blog/guide-to-kubernetes-ingress-network-policies
Important Note: Since network policies are namespaced resources, you will need to create this policy for each namespace
— https://cloud.redhat.com/blog/guide-to-kubernetes-ingress-network-policies
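Added example (my own code, not from the Red Hat post): a small Python model of the ingress NetworkPolicy semantics quoted above. It encodes the two rules (a connection is allowed if at least one applicable policy permits it; a pod with no applicable policy is non-isolated), renders the default-deny-all manifest for a given namespace, and replays the "deleted the only policy" scenario with and without default-deny in place. The namespace `shop` and the labels `app=backend`, `app=frontend`, `app=debug` are constructed sample data; peers are modelled with `podSelector` only (no `namespaceSelector`, no `ipBlock`) and only the Ingress direction is evaluated.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Pod:
    namespace: str
    labels: Dict[str, str]


@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: Dict[str, str]                 # spec.podSelector.matchLabels; {} selects every pod in the namespace
    policy_types: Tuple[str, ...] = ("Ingress",)
    ingress: List[dict] = field(default_factory=list)   # spec.ingress rules; an empty list allows no ingress at all


def selector_matches(match_labels: Dict[str, str], labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every key/value in the selector must be present on the object."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def policies_applying_to(pod: Pod, policies: List[NetworkPolicy]) -> List[NetworkPolicy]:
    """NetworkPolicy is namespaced: only policies in the pod's own namespace can select it."""
    return [p for p in policies
            if p.namespace == pod.namespace and selector_matches(p.pod_selector, pod.labels)]


def ingress_allowed(src: Pod, dst: Pod, policies: List[NetworkPolicy]) -> bool:
    """No applicable Ingress policy => dst is non-isolated and every connection is permitted.
    Otherwise the connection is allowed if at least one applicable policy has a rule matching src."""
    applicable = [p for p in policies_applying_to(dst, policies) if "Ingress" in p.policy_types]
    if not applicable:
        return True
    for policy in applicable:
        for rule in policy.ingress:
            peers = rule.get("from", [])
            if not peers:                        # a rule without 'from' matches all sources
                return True
            for peer in peers:
                wanted = peer.get("podSelector", {}).get("matchLabels", {})
                # a podSelector-only peer matches pods in the policy's own namespace
                if src.namespace == policy.namespace and selector_matches(wanted, src.labels):
                    return True
    return False


DEFAULT_DENY_YAML = """apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: {namespace}
spec:
  podSelector: {{}}
  policyTypes:
  - Ingress
"""


def default_deny_manifest(namespace: str) -> str:
    """Render the post's default-deny-all policy for one namespace (it has to exist in every namespace)."""
    return DEFAULT_DENY_YAML.format(namespace=namespace)


def default_deny_policy(namespace: str) -> NetworkPolicy:
    """In-memory equivalent of default_deny_manifest(): selects all pods, permits no ingress."""
    return NetworkPolicy("default-deny-all", namespace, pod_selector={}, ingress=[])


def deletion_scenario() -> Tuple[bool, bool, bool]:
    """Can an unrelated pod reach the backend? Returns (before deletion,
    after deleting allow-from-frontend with no default-deny, after deleting it with default-deny present)."""
    backend = Pod("shop", {"app": "backend"})          # constructed sample pods
    stranger = Pod("shop", {"app": "debug"})
    allow_frontend = NetworkPolicy(
        "allow-from-frontend", "shop", {"app": "backend"},
        ingress=[{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}])
    before = ingress_allowed(stranger, backend, [allow_frontend])
    after_without_default_deny = ingress_allowed(stranger, backend, [])
    after_with_default_deny = ingress_allowed(stranger, backend, [default_deny_policy("shop")])
    return before, after_without_default_deny, after_with_default_deny


if __name__ == "__main__":
    print(deletion_scenario())       # (False, True, False)
    print(default_deny_manifest("shop"))
```

`deletion_scenario()` returns `(False, True, False)`: the stranger is blocked while `allow-from-frontend` exists, becomes able to connect the moment that policy is deleted (the backend is now non-isolated), and stays blocked if `default-deny-all` is also present. Because policies are namespaced, a default-deny in `shop` does nothing for pods in any other namespace, which is why the manifest must be applied per namespace.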