Configure network policies for applications

This tutorial demonstrates how to use cluster network policiesto control which Pods receive incoming network traffic, and which Pods can sendoutgoing traffic. For more information, seeCreating a cluster network policy.

Network policies allow you to limit connections between Pods. Therefore, usingnetwork policies provide better security by reducing the compromise radius.

Note that the network policies determine whether a connection is allowed, andthey do not offer higher level features like authorization or secure transport(like SSL/TLS).

Objectives

In this tutorial, you will learn:

  • How to create clusters with Network Policy enforcement
  • How to restrict incoming traffic to Pods using labels
  • How to restrict outgoing traffic from Pods using labels

Costs

In this document, you use the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use thepricing calculator.

New Google Cloud users might be eligible for afree trial.

When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, seeClean up.

Before you begin

Take the following steps to enable the Kubernetes Engine API:
  1. Visit the Kubernetes Engine page in the Google Cloud console.
  2. Create or select a project.
  3. Wait for the API and related services to be enabled. This can take several minutes.

  4. Verify that billing is enabled for your Google Cloud project.

Install the following command-line tools used in this tutorial:

  • gcloud is used to create and delete Kubernetes Engine clusters.gcloud is included in thegcloud CLI.
  • kubectl is used to manage Kubernetes, the cluster orchestration system used by Kubernetes Engine. You can installkubectl usinggcloud:
    gcloud components install kubectl

Clone the sample code from GitHub:

git clone https://github.com/GoogleCloudPlatform/kubernetes-engine-samplescd kubernetes-engine-samples/networking/network-policies

Set defaults for thegcloud command-line tool

To save time typing yourproject IDandCompute Engine zone options in thegcloudcommand-line tool, you can set the defaults:
gcloud config set projectproject-idgcloud config set compute/zonecompute-zone

Creating a GKE cluster with network policy enforcement

To create acontainer cluster with networkpolicy enforcement, run the following command:

gcloud container clusters create test --enable-network-policy
Warning: If you omit the--enable-network-policy flag, any NetworkPolicyresources you create are silently ignored.

Restricting incoming traffic to Pods

KubernetesNetworkPolicy resources let you configure network access policiesfor the Pods.NetworkPolicy objects contain the following information:

  • Pods the network policies apply to, usually designated by a labelselector

  • Type of traffic the network policy affects: Ingress for incoming traffic,Egress for outgoing traffic, or both

  • For Ingress policies, which Pods can connect to the specified Pods

  • For Egress policies, the Pods to which the specified Pods can connect

First, run a web server application with labelapp=hello and expose itinternally in the cluster:

kubectl run hello-web --labels app=hello \  --image=us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0 --port 8080 --expose

Next, configure aNetworkPolicy to allow traffic to thehello-webPods from only theapp=foo Pods. Other incoming traffic from Pods that donot have this label, external traffic, and traffic from Pods in other namespacesare blocked.

The following manifest selects Pods with labelapp=hello and specifies anIngress policy to allow traffic only from Pods with the labelapp=foo:

kind:NetworkPolicyapiVersion:networking.k8s.io/v1metadata:name:hello-allow-from-foospec:policyTypes:-IngresspodSelector:matchLabels:app:helloingress:-from:-podSelector:matchLabels:app:foo

To apply this policy to the cluster, run the following command:

kubectl apply -f hello-allow-from-foo.yaml

Validate the Ingress policy

First, run a temporary Pod with the labelapp=foo and get a shell in thePod:

kubectl run -l app=foo --image=alpine --restart=Never --rm -i -t test-1

Make a request to thehello-web:8080 endpoint to verify that the incomingtraffic is allowed:

/ #wget -qO- --timeout=2 http://hello-web:8080
Hello, world!Version: 1.0.0Hostname: hello-web-2258067535-vbx6z/ # exit

Traffic from Podapp=foo to theapp=hello Pods is enabled.

Next, run a temporary Pod with a different label (app=other) and get a shellinside the Pod:

kubectl run -l app=other --image=alpine --restart=Never --rm -i -t test-1

Make the same request to observe that the traffic isnot allowed andtherefore the request times out, then exit from the Pod shell:

/ #wget -qO- --timeout=2 http://hello-web:8080
wget: download timed out/ # exit

Restricting outgoing traffic from the Pods

You can restrict outgoing traffic as you would incoming traffic.

However, to be able to query internal hostnames such ashello-web or externalhostnames such aswww.example.com, you must allow DNS (domain name system)resolution in your egress network policies. DNS traffic occurs on port 53 usingTCP and UDP protocols.

To enable egress network policies, deploy aNetworkPolicy controllingoutbound traffic from Pods with the labelapp=foo while allowing traffic onlyto Pods with the labelapp=hello, as well as the DNS traffic.

The following manifest specifies a network policy controlling the egress trafficfrom Pods with labelapp=foo with two allowed destinations:

  1. Pods in the same namespace with the labelapp=hello.
  2. Cluster Pods or external endpoints on port 53 (UDP and TCP).
kind:NetworkPolicyapiVersion:networking.k8s.io/v1metadata:name:foo-allow-to-hellospec:policyTypes:-EgresspodSelector:matchLabels:app:fooegress:-to:-podSelector:matchLabels:app:hello-ports:-port:53protocol:TCP-port:53protocol:UDP

To apply this policy to the cluster, run the following command:

kubectl apply -f foo-allow-to-hello.yaml

Validate the egress policy

First, deploy a new web application calledhello-web-2 and expose itinternally in the cluster:

kubectl run hello-web-2 --labels app=hello-2 \  --image=us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0 --port 8080 --expose

Next, run a temporary Pod with the labelapp=foo and open a shell insidethe container:

kubectl run -l app=foo --image=alpine --rm -i -t --restart=Never test-3

Validate that the Pod can establish connections tohello-web:8080:

/ #wget -qO- --timeout=2 http://hello-web:8080
Hello, world!Version: 1.0.0Hostname: hello-web-2258067535-vbx6z

Validate that the Podcannot establish connections tohello-web-2:8080:

/ #wget -qO- --timeout=2 http://hello-web-2:8080
wget: download timed out

Validate that the Podcannot establish connections to external websites suchaswww.example.com, and exit from the Pod shell.

/ #wget -qO- --timeout=2 http://www.example.com
wget: download timed out/ # exit

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

  1. Delete the container cluster: This step will delete the resources thatmake up the container cluster, such as the compute instances, disks andnetwork resources.

    gcloud container clusters delete test

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.