Day 26/40 - Kubernetes Network Policies Explained
About this video
### Comprehensive Final Summary

This video, part of the CKA 2024 series (video #26) by Piyush, is the final installment in the security section before the course moves on to storage, cluster installation, maintenance, and troubleshooting. Its objective is to explain **Kubernetes Network Policies**: why they are needed and how to implement them effectively in a cluster.

#### Key Concepts:

1. **Network Flow Overview**:
   - A typical 3-tier web application consists of:
     - **Web Tier**: frontend exposed on ports 80/443.
     - **App Tier**: backend logic handling requests.
     - **Database Tier**: MySQL server listening on port 3306.
   - In network-policy terms, **ingress** is traffic entering a pod (for example, user requests reaching the frontend) and **egress** is traffic leaving a pod (for example, the backend connecting to the database). The two directions are controlled separately.

2. **Kubernetes Networking**:
   - The frontend, backend and database pods reach each other through Services on fixed ports (80 for the frontend and backend, 3306 for MySQL).
   - The Kubernetes networking model is flat: by default every pod can reach every other pod in the cluster, regardless of namespace. CNI plugins such as Flannel, Calico and Weave Net are what implement this connectivity.

3. **Need for Network Policies**:
   - Unrestricted pod-to-pod connectivity is a significant risk in production: a compromised frontend pod can talk directly to the database.
   - **NetworkPolicy** objects enforce an allowlist so that only the intended communication is possible (for example, only the backend may reach MySQL on 3306).
   - NetworkPolicy resources are namespaced and additive: a pod is only isolated once some policy selects it, and from then on only traffic matched by some policy's rules is allowed.

4. **CNI Limitations**:
   - NetworkPolicy is only an API; enforcement is the CNI plugin's job, and not every plugin implements it. Flannel and kindnet (the Kind default) do not, so a policy applied on those clusters is accepted by the API server but has no effect.
   - To enforce network policies, a plugin such as **Calico** or **Weave Net** must be used.

5. **Cluster Configuration**:
   - The instructor creates a Kind cluster with the default CNI disabled and installs Weave Net as the CNI plugin.
   - This involves creating the cluster with `disableDefaultCNI: true`, applying the Weave Net DaemonSet manifest, and verifying that the nodes become `Ready` (they stay `NotReady` until a CNI is running).

6. **Practical Implementation**:
   - Three Deployments (frontend, backend, MySQL) and corresponding Services are created.
   - Initially every pod can reach every other pod (the frontend can reach both the backend and the database).
   - A network policy is applied to block direct frontend-to-database access while still allowing the intended backend-to-database connection.

7. **Troubleshooting & Best Practices**:
   - The policy initially appears not to work because the **Weave Net** manifest used is outdated and incompatible with the Kubernetes version running in the cluster.
   - The instructor switches to **Calico**, a more modern and widely used CNI plugin, which resolves the compatibility issue.
   - With Calico installed the network policy is reapplied and now takes effect:
     - The **frontend pod** can no longer reach the MySQL pod on port 3306.
     - The **backend pod** retains access to the MySQL pod, as intended by the policy.
   - Best practice is to start with a **default-deny** policy for the namespace and then add narrow allow rules for each required connection. When denying egress as well, remember to allow DNS (UDP/TCP 53 to kube-dns), or pods will no longer be able to resolve Service names.

8. **Conclusion**:
   - Network policies are crucial for securing Kubernetes clusters because they control pod-to-pod communication according to explicit rules.
   - Use an up-to-date, actively maintained CNI such as **Calico** rather than an outdated plugin like Weave Net, and confirm that the CNI in use actually enforces policies before relying on them.
   - Resources for setting up Calico in a multi-node cluster are provided, and viewers are encouraged to complete the related tasks in the GitHub repository and to engage with the community for support.

By the end of this video, viewers should have a comprehensive understanding of Kubernetes network policies, how to implement them, and why the choice of CNI plugin matters for secure pod communication.
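The manifests below are an added worked example of the procedure summarized above (Kind cluster without the default CNI, Calico as the enforcing CNI, then a default-deny policy followed by narrow allow rules). They are not taken from the video or its GitHub repository. Assumptions: the application runs in a namespace called `demo`, the pods carry the labels `app=frontend`, `app=backend` and `app=mysql`, the container images ship `nc` for the connectivity check, and the Calico manifest version is left as a placeholder to be filled in with the release matching your cluster.

```yaml
# kind-config.yaml  (file name is an assumption)
# Create the cluster without kindnet so a policy-enforcing CNI can be installed:
#   kind create cluster --name netpol-demo --config kind-config.yaml
#   kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/<version>/manifests/calico.yaml
#   kubectl get nodes     # nodes stay NotReady until Calico's pods are running
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  disableDefaultCNI: true
  podSubnet: "192.168.0.0/16"   # matches the default pod CIDR expected by the Calico manifest
---
# policies.yaml  (apply with: kubectl apply -f policies.yaml)
# 1. Isolate every pod in the namespace: once selected by this policy, a pod
#    accepts no inbound traffic unless another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: demo
spec:
  podSelector: {}      # empty selector = all pods in the namespace
  policyTypes:
  - Ingress            # no ingress rules listed, so all ingress is denied
---
# 2. Only the backend may reach MySQL, and only on 3306.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-backend-to-mysql
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: mysql
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 3306
---
# 3. The frontend may reach the backend on 80; without this rule the
#    default-deny policy would also break the legitimate request path.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
---
# 4. Restrict what the frontend can initiate: the backend on 80, plus DNS to
#    kube-dns. Omitting the DNS rule is the classic default-deny-egress mistake.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-egress
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 80
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
# Verify from inside the pods (nc in the images is an assumption):
#   kubectl -n demo exec deploy/frontend -- nc -zv -w 2 mysql 3306   # times out: blocked
#   kubectl -n demo exec deploy/backend  -- nc -zv -w 2 mysql 3306   # connects: allowed
```

Two points to keep in mind when adapting this. First, the `default-deny-ingress` policy also blocks user traffic to the frontend; a further policy allowing ingress to `app=frontend` on 80/443 from the ingress controller (via `namespaceSelector`/`podSelector`) or from a CIDR (via `ipBlock`) is needed to complete the set and is deliberately left out here. Second, the `nc` check is the same test the video uses to prove the policy is enforced: on a cluster whose CNI does not implement NetworkPolicy, such as kindnet or Flannel, both commands would still connect even though `kubectl get networkpolicy` shows the objects present.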
Course: Certified Kubernetes Administrator Full Course For beginners | CKA 2025
This playlist contains the complete CKA series for beginners, based on the latest 2025 curriculum. It includes 40+ videos with hands-on demos, assignments, and exam-based scenarios. It covers everything from the basics to advanced topics, including fundamental concepts such as Docker, containers, Docker storage and networking, and DNS.